
Trojan horse Crypt.AQLW, Internet pops up, computer crashing

Discussion in 'Virus and Malware Removal' started by Pr011, Feb 24, 2012.

  1. Pr011 Newcomer, in training Posts: 66

    Not quite sure which part of the website result to post...

    SHA256: 6aa67f34c7349b8b7efa6e6c143dda08f80d8d027e2e1ac41490e351c22bfa5b
    SHA1: b91e38016d093396e96c8def801662596b2ebfb2
    MD5: a7179de59ae269ab70345527894ccd7c
    File size: 73.0 KB ( 74752 bytes )
    File name: C:\Windows\System32\drivers\dfsc.sys
    File type: Win32 EXE
    Detection ratio: 0 / 43
    Analysis date: 2012-02-27 04:32:14 UTC ( 0 minutes ago )
  2. Broni Malware Annihilator Posts: 39,349   +175

    Looks good.

    How is redirection?
  3. Pr011 Newcomer, in training Posts: 66

    Apologies for delay.

    I am still getting redirected. When I run TDSSKiller, it seems to neutralise the threats it detects, and then reboots the computer. It's as if on reboot the virus is re-establishing itself, in a kind of cycle.
  4. Broni Malware Annihilator Posts: 39,349   +175

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Click on SCAN.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop.)
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    =================================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  5. Pr011 Newcomer, in training Posts: 66

    RogueKiller V7.2.0 [02/27/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
    Started in : Normal mode
    User: Mark [Admin rights]
    Mode: Scan -- Date: 02/29/2012 07:13:07

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 3 ¤¤¤
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD1600AAJB-00PVA0 ATA Device +++++
    --- User ---
    [MBR] 7be4d50977873353752aa4c68214641c
    [BSP] 40f40e7e33546ef3548f3ee71c27c7ca : Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152625 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: WDC WD64 01AALS-00L3B SCSI Disk Device +++++
    --- User ---
    [MBR] 8a22d489db3b89375fd554178146aad4
    [BSP] bac0c001ecfd76fe391e8a7490c585ab : Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 610478 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt
  6. Pr011 Newcomer, in training Posts: 66

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000
    Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
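    Both tools above do the same underlying check: read sector 0 of the physical drive, hash the boot code, decode the partition table and then hash the boot sector of each volume (RogueKiller's [MBR] and [BSP] lines, Bootkit Remover's "Boot sector MD5"). The script below is an added example of that check written by the editor; it is not RogueKiller's or Bootkit Remover's code. The disk image, the filler boot code and the "known-good" hash are all constructed in the script, not taken from the machine in this thread, and the bootkit patch it applies is hypothetical.

```python
"""Offline MBR / volume-boot-sector check, modelled on the RogueKiller "MBR
Check" and Bootkit Remover output. Added example; the disk image and the
known-good hash are constructed here and are not from a real machine."""
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR or VBR
PARTITION_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(sector):
    """Hash the boot code and decode the partition table of a 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                          # empty slot
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, "0x%02X" % ptype),
            "lba_start": lba_start,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "mbr_md5": hashlib.md5(sector).hexdigest(),
        "boot_code_md5": hashlib.md5(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_disk(image, known_good_boot_code_md5):
    """Compare the MBR boot code with a known-good hash and hash every VBR.

    Hashing only the first 446 bytes keeps the result stable across disks
    that share the same boot code but have different partition tables."""
    mbr = parse_mbr(image[:SECTOR])
    report = {
        "mbr_md5": mbr["mbr_md5"],
        "boot_code_md5": mbr["boot_code_md5"],
        "mbr_modified": mbr["boot_code_md5"] != known_good_boot_code_md5,
        "volumes": [],
    }
    for p in mbr["partitions"]:
        start = p["lba_start"] * SECTOR
        vbr = image[start:start + SECTOR]
        report["volumes"].append({
            "type": p["type"],
            "active": p["active"],
            "lba_start": p["lba_start"],
            "oem_id": vbr[3:11].decode("ascii", "replace"),
            "vbr_md5": hashlib.md5(vbr).hexdigest(),
            "vbr_signature_ok": vbr[510:512] == BOOT_SIGNATURE,
        })
    return report


def build_sample_image():
    """Constructed 2049-sector image: one active NTFS partition at LBA 2048,
    the layout RogueKiller printed. The boot code is filler, not real Vista
    MBR code."""
    image = bytearray(2049 * SECTOR)
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PART_TABLE_OFFSET - 7)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff",
                        2048, 131072)       # 131072 sectors = 64 MB
    image[0:SECTOR] = boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"              # jmp over the BPB, as an NTFS VBR starts
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = BOOT_SIGNATURE
    image[2048 * SECTOR:2049 * SECTOR] = vbr
    return bytes(image)


def demo():
    """Clean image passes; an image whose boot code was patched is flagged."""
    clean = build_sample_image()
    baseline = parse_mbr(clean[:SECTOR])["boot_code_md5"]   # assumed: recorded from a clean install
    infected = bytearray(clean)
    infected[0:5] = b"\xea\x00\x7c\x00\x00"   # hypothetical bootkit patch (far jmp), constructed
    return check_disk(clean, baseline), check_disk(bytes(infected), baseline)


if __name__ == "__main__":
    for label, rep in zip(("clean", "patched"), demo()):
        print(label, "MBR modified:", rep["mbr_modified"], rep["volumes"])
```

    On a live Windows box the image would come from opening \\.\PhysicalDrive0 with administrator rights, which is what both tools do. The caveat a practitioner should keep in mind is that a kernel-mode rootkit which hooks disk I/O can hand back a clean sector 0 to anything running on the infected OS, so an "OK" from an on-system MBR check is only as trustworthy as the kernel it ran under. That is the reason the thread moves on to booting from external media when the on-system tools disagree or crash.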
     
  7. Broni Malware Annihilator Posts: 39,349   +175

    Download the FixTDSS.exe

    Save the file to your Windows desktop.
    Close all running programs.
    If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
    Double-click the FixTDSS.exe file to start the removal tool.
    Click Start to begin the process, and then allow the tool to run.
    OK any security prompts.
    Restart the computer when prompted by the tool.
    After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
    If you are running Windows XP, re-enable System Restore.
  8. Pr011 Newcomer, in training Posts: 66

    Hello again. I think this virus must hate me!

    I downloaded and ran FixTDSS; it was very quick (instant, in fact, which I thought was odd because it said it would search for TDSS) and then rebooted the machine. On reboot I got a BSOD. The machine rebooted again and got into a cycle of BSODs and reboots. I tried to launch the machine in safe mode, but that again resulted in a BSOD.

    The machine would only boot when I selected "use last known good config", where FixTDSS displayed an error message stating that it could not run with "-postboot", and a few moments later I got another BSOD; after this the machine booted normally.

    I then booted the machine into safe mode and tried to run FixTDSS again, but again it rebooted to a BSOD and I had to launch with last known config, where I got the same error message.
  9. Broni Malware Annihilator Posts: 39,349   +175

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120.9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note: If you do not know how to set your computer to boot from CD, follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Under the Custom Scan box paste this in:

      /md5start
      explorer.exe
      winlogon.exe
      userinit.exe
      svchost.exe
      dfsc.sys
      /md5stop

    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
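    The OTL.txt this produces lists every registered service and driver, and the SRV/DRV sections alone run to dozens of lines. The script below is an added example of triaging those lines, written by the editor; it is not part of OTL and not something the helper in this thread posted. It parses each SRV/DRV entry in OTL's own format, flags registrations whose file is gone, files with no company name in their version information, and files modified inside an assumed 14-day window before the scan, and puts kernel drivers that start at Boot or System first because they load before user-mode security tools. The sample lines are copied from the log posted later in this thread and the scan time is that log's header timestamp. A flag only means "look at this"; it does not identify the infection.

```python
"""Triage of the SRV (service) and DRV (driver) lines in an OTL / OTLPE log.
Added example: the heuristics and the 14-day window are the editor's
assumptions, not OTL's, and they only surface entries for a human to review."""
import re
from datetime import datetime, timedelta

# Shape of an OTL SafeList entry:
#   SRV - [date time | size | attrs | M] (Company) [Start] -- path -- (Name)
#   DRV - File not found [Kernel | On_Demand] -- -- (Name)
LINE_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:(?P<missing>File not found)|"
    r"\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<company>.*?)\))"
    r" \[(?P<start>[^\]]*)\] --(?: (?P<path>.+?))? -- \((?P<name>[^)]*)\)\s*$"
)

# Lines copied from the OTL log posted later in this thread (last one is an
# unrelated O20 line, kept to show that non-SRV/DRV input is not dropped silently).
SAMPLE_LINES = [
    r"SRV - File not found [Auto] -- -- (WUSB54GSv2SVC)",
    r"SRV - [2012/01/13 09:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)",
    r"SRV - [2007/06/06 19:50:14 | 000,538,096 | ---- | M] ( ) [Auto] -- C:\Windows\System32\dlbtcoms.exe -- (dlbt_device)",
    r"DRV - File not found [Kernel | On_Demand] -- -- (catchme)",
    r"DRV - [2012/02/26 21:46:30 | 000,066,560 | ---- | M] () [Kernel | System] -- C:\Windows\System32\drivers\smb.sys -- (Smb)",
    r"DRV - [2012/02/09 23:13:00 | 010,816,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)",
    r"DRV - [2008/12/13 12:37:38 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)",
    r"DRV - [2008/05/26 10:09:42 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\Windows\System32\drivers\AFGSp50.sys -- (AFGSp50)",
    r"========== Driver Services (SafeList) ==========",
    r"O20 - HKLM Winlogon: GinaDLL - (MrvGINA.dll) - File not found",
]
SCAN_TIME = datetime(2012, 3, 2, 7, 47, 29)   # "OTL logfile created on" header of that log


def parse_entry(line):
    """Decode one SRV/DRV line, or return None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "kind": d["kind"],
        "name": d["name"],
        "start": d["start"],
        "missing": d["missing"] is not None,
        "company": (d["company"] or "").strip(),
        "path": d["path"] or "",
        "size": int(d["size"].replace(",", "")) if d["size"] else None,
        "mtime": datetime.strptime(d["date"], "%Y/%m/%d %H:%M:%S") if d["date"] else None,
    }


def triage(lines, scan_time, recent_days=14):
    """Return entries worth a manual look (highest priority first) plus any
    lines that did not parse, so nothing disappears from the review."""
    findings, unparsed = [], []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("="):
            continue                       # blank lines and section headers
        e = parse_entry(line)
        if e is None:
            unparsed.append(line)
            continue
        reasons = []
        if e["missing"]:
            reasons.append("registered but file not found")
        else:
            if not e["company"]:
                reasons.append("no company name in version info")
            if scan_time - e["mtime"] <= timedelta(days=recent_days):
                reasons.append("file modified within %d days of scan" % recent_days)
        if not reasons:
            continue
        # Start type tokens, e.g. "Kernel | System" -> ["Kernel", "System"];
        # exact tokens avoid matching "File_System" drivers by accident.
        tokens = [t.strip() for t in e["start"].split("|")]
        early = e["kind"] == "DRV" and ("Boot" in tokens or "System" in tokens)
        priority = 0 if e["missing"] else (2 if early else 1)
        findings.append({"name": e["name"], "kind": e["kind"], "start": e["start"],
                         "path": e["path"], "reasons": reasons, "priority": priority})
    findings.sort(key=lambda f: (-f["priority"], -len(f["reasons"]), f["name"]))
    return {"findings": findings, "unparsed": unparsed}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES, SCAN_TIME)
    for f in result["findings"]:
        print("P%d %-4s %-15s %s" % (f["priority"], f["kind"], f["name"], "; ".join(f["reasons"])))
    print("unparsed:", result["unparsed"])
```

    Run on the sample, the top line is the smb.sys driver: a System-start kernel driver with no vendor in its version information and a modification time four days before the scan, while the NVIDIA and Malwarebytes files fall outside the window or carry a vendor and are not listed. The orphaned registrations (WUSB54GSv2SVC, catchme and so on) sort last; they are normally leftovers from uninstalled software and are shown only so that they are consciously dismissed rather than overlooked.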
  10. Pr011 Newcomer, in training Posts: 66

    I managed to boot the liveCD successfully. Log below:

    OTL logfile created on: 3/2/2012 7:47:29 AM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Windows Vista (TM) Home Premium Service Pack 2 (Version = 6.0.6002) - Type = System
    Internet Explorer (Version = 8.0.6001.19190)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 91.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 149.05 Gb Total Space | 33.06 Gb Free Space | 22.18% Space Free | Partition Type: NTFS
    Drive D: | 596.17 Gb Total Space | 323.89 Gb Free Space | 54.33% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet003

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto] -- -- (WUSB54GSv2SVC)
    SRV - File not found [Auto] -- -- (vmparport)
    SRV - File not found [Auto] -- -- (tvtpktfilter)
    SRV - File not found [Auto] -- -- (qmofiltr)
    SRV - File not found [Auto] -- -- (pserve)
    SRV - File not found [Auto] -- -- (k750mdfl)
    SRV - File not found [On_Demand] -- -- (DAUpdaterSvc)
    SRV - File not found [Auto] -- -- (datasvr2)
    SRV - File not found [Auto] -- -- (clsched)
    SRV - File not found [Auto] -- -- (amdk77)
    SRV - [2012/02/09 23:13:00 | 002,348,352 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
    SRV - [2012/02/09 15:05:32 | 000,382,272 | ---- | M] (NVIDIA Corporation) [Auto] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
    SRV - [2012/02/07 16:42:02 | 000,481,064 | ---- | M] (Valve Corporation) [On_Demand] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2012/01/13 09:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2008/11/04 06:39:20 | 000,014,336 | ---- | M] (Vodafone) [Auto] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)
    SRV - [2008/05/26 10:14:56 | 000,143,360 | ---- | M] (Affinegy, Inc.) [Auto] -- C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe -- (AffinegyService)
    SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2008/01/19 02:33:32 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto] -- C:\Windows\System32\YahooAUService.dll -- (knobserv)
    SRV - [2008/01/19 02:33:32 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto] -- C:\Windows\System32\agpcpq.dll -- (delldmi)
    SRV - [2007/06/06 19:50:14 | 000,538,096 | ---- | M] ( ) [Auto] -- C:\Windows\System32\dlbtcoms.exe -- (dlbt_device)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (PCASp50)
    DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand] -- -- (jbridgep)
    DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
    DRV - File not found [Kernel | On_Demand] -- -- (catchme)
    DRV - File not found [Kernel | On_Demand] -- -- (AFGMp50)
    DRV - [2012/02/26 21:46:30 | 000,066,560 | ---- | M] () [Kernel | System] -- C:\Windows\System32\drivers\smb.sys -- (Smb)
    DRV - [2012/02/09 23:13:00 | 010,816,832 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2011/12/10 10:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2009/04/10 16:46:10 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\usb8023.sys -- (USB_RNDIS)
    DRV - [2009/01/02 08:26:04 | 000,101,504 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
    DRV - [2008/12/13 12:37:38 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
    DRV - [2008/08/22 13:56:12 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
    DRV - [2008/08/22 13:56:08 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
    DRV - [2008/08/22 13:55:54 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
    DRV - [2008/08/22 13:55:46 | 000,007,168 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\Windows\System32\drivers\massfilter.sys -- (massfilter)
    DRV - [2008/08/01 14:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
    DRV - [2008/06/10 15:04:26 | 000,033,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\point32k.sys -- (Point32)
    DRV - [2008/05/26 10:09:42 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\Windows\System32\drivers\AFGSp50.sys -- (AFGSp50)
    DRV - [2007/10/16 12:14:24 | 000,256,512 | ---- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand] -- C:\Windows\System32\drivers\MRVW13B.sys -- (MRV6X32P)
    DRV - [2007/08/09 13:12:30 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
    DRV - [2006/10/18 00:44:48 | 000,007,680 | ---- | M] () [Kernel | On_Demand] -- C:\Windows\System32\drivers\ASACPI.sys -- (MTsensor)
    DRV - [2004/04/10 04:42:36 | 000,002,944 | ---- | M] (cansoft@livewiredev.com) [Kernel | Auto] -- C:\Windows\System32\mbmiodrvr.sys -- (mbmiodrvr)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\Mark_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    IE - HKU\Mark_ON_C\Software\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKU\Mark_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




    ========== FireFox ==========


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\System32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/26 08:17:58 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/13 14:24:17 | 000,000,000 | ---D | M]

    [2010/06/18 08:36:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mark\AppData\Roaming\Mozilla\Extensions
    [2011/06/17 08:37:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\yqgk2812.default\extensions
    [2010/06/28 18:49:48 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\yqgk2812.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2012/02/26 08:18:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2012/02/26 08:17:57 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2012/02/24 17:55:39 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2012/02/26 08:17:54 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
    [2012/02/26 08:17:54 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/02/26 08:17:54 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
    [2012/02/26 08:17:54 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
    [2012/02/26 08:17:54 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2012/02/25 23:39:06 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (HP Print Clips) - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
    O4 - HKLM..\Run: [DLBTCATS] C:\Windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.DLL ()
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [Wireless Manager] C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe (Affinegy, Inc.)
    O4 - HKU\Mark_ON_C..\Run: [Steam] File not found
    O4 - HKU\UpdatusUser_ON_C..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O4 - Startup: C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Impulse Now.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe (GameStop Corp.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\Mark_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\Mark_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\UpdatusUser_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
    O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - File not found
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-495c-b89f-c1c34c691085/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab (CDownloadCtrl Object)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab (MSN Photo Upload Tool)
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab (Windows Live Hotmail Photo Upload Tool)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: GinaDLL - (MrvGINA.dll) - File not found
    O24 - Desktop WallPaper:
    O24 - Desktop BackupWallPaper:
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/02 02:20:44 | 127,231,689 | ---- | C] (Igor Pavlov) -- C:\Users\Mark\Desktop\OTLPENet.exe
    [2012/03/01 12:22:08 | 002,063,920 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Mark\Desktop\TDSSKiller.exe
    [2012/03/01 02:39:44 | 001,932,256 | ---- | C] (Symantec Corporation) -- C:\Users\Mark\Desktop\FixTDSS.exe
    [2012/02/29 02:12:21 | 000,083,968 | ---- | C] (Esage Lab) -- C:\Users\Mark\Desktop\boot_cleaner.exe
    [2012/02/26 18:57:34 | 000,000,000 | ---D | C] -- C:\Users\Mark\Desktop\GooredFix Backups
    [2012/02/26 18:56:55 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Users\Mark\Desktop\GooredFix.exe
    [2012/02/26 17:19:55 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Users\Mark\Desktop\OTL.exe
    [2012/02/26 08:16:45 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/02/25 23:41:16 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/02/25 23:41:11 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Local\temp
    [2012/02/25 23:25:51 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2012/02/25 21:56:27 | 000,075,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\dfsc.svs
    [2012/02/25 21:54:04 | 004,419,501 | R--- | C] (Swearware) -- C:\Users\Mark\Desktop\ComboFix.exe
    [2012/02/25 20:22:43 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2012/02/25 20:13:22 | 000,000,000 | ---D | C] -- C:\Users\Mark\Desktop\RK_Quarantine
    [2012/02/24 21:46:10 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/02/24 21:46:10 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/02/24 21:46:10 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/02/24 21:46:06 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2012/02/24 21:45:45 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/02/24 21:08:28 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Users\Mark\Desktop\aswMBR.exe
    [2012/02/24 18:16:02 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Mark\Desktop\dds.scr
    [2012/02/24 17:59:08 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Roaming\Malwarebytes
    [2012/02/24 17:59:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/02/24 17:59:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/02/24 17:59:01 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2012/02/24 17:59:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/02/24 17:55:52 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
    [2012/02/24 17:55:52 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
    [2012/02/24 17:55:52 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
    [2012/02/24 17:16:52 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\csrsrv.dll
    [2012/02/24 17:16:48 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
    [2012/02/24 17:16:43 | 003,602,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
    [2012/02/24 17:16:43 | 003,550,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
    [2012/02/24 17:16:38 | 000,376,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
    [2012/02/24 17:16:37 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
    [2012/02/24 17:16:37 | 000,497,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\qdvd.dll
    [2012/02/24 17:16:36 | 000,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\packager.dll
    [2012/02/24 17:16:31 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mciseq.dll
    [2012/02/24 17:16:29 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
    [2012/02/24 17:16:27 | 001,259,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsasrv.dll
    [2012/02/24 17:16:26 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
    [2012/02/24 17:16:24 | 002,044,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
    [2012/02/24 17:14:48 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
    [2012/02/24 17:14:48 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
    [2012/02/24 17:14:48 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
    [2012/02/24 17:14:48 | 000,174,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
    [2012/02/24 17:14:48 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
    [2012/02/24 17:14:48 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
    [2012/02/24 17:14:48 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
    [2012/02/24 17:14:47 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
    [2012/02/24 17:14:46 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
    [2012/02/24 17:14:46 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
    [2012/02/24 17:14:46 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
    [2012/02/24 17:14:45 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
    [2012/02/24 17:14:45 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
    [2012/02/24 17:14:45 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
    [2012/02/24 17:14:45 | 000,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
    [2012/02/24 17:14:45 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
    [2012/02/24 17:14:44 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
    [2012/02/24 17:14:44 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
    [2012/02/21 19:19:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
    [2012/02/21 19:17:58 | 000,000,000 | ---D | C] -- C:\Users\UpdatusUser
    [2012/02/21 19:15:02 | 019,443,520 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvoglv32.dll
    [2012/02/21 19:15:02 | 017,543,488 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcompiler.dll
    [2012/02/21 19:15:02 | 010,816,832 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvlddmkm.sys
    [2012/02/21 19:15:02 | 005,892,928 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuda.dll
    [2012/02/21 19:15:02 | 002,517,312 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvid.dll
    [2012/02/21 19:15:02 | 002,437,440 | ---- | C] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvenc.dll
    [2012/02/21 19:15:02 | 000,061,248 | ---- | C] (Khronos Group) -- C:\Windows\System32\OpenCL.dll
    [2012/02/17 17:47:00 | 000,000,000 | ---D | C] -- C:\Users\Mark\AppData\Roaming\AVG2012
    [2012/02/17 17:44:41 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2012
    [2012/02/17 15:58:41 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
    [2012/02/17 15:58:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Temp
    [2007/06/06 19:50:16 | 000,386,544 | ---- | C] ( ) -- C:\Windows\System32\dlbtih.exe
    [2007/06/06 19:50:14 | 000,538,096 | ---- | C] ( ) -- C:\Windows\System32\dlbtcoms.exe
    [2007/06/06 19:50:12 | 000,382,448 | ---- | C] ( ) -- C:\Windows\System32\dlbtcfg.exe
    [2007/01/30 08:47:52 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\dlbtpmui.dll
    [2007/01/30 08:46:00 | 001,224,704 | ---- | C] ( ) -- C:\Windows\System32\dlbtserv.dll
    [2007/01/30 08:38:18 | 000,421,888 | ---- | C] ( ) -- C:\Windows\System32\dlbtcomm.dll
    [2007/01/30 08:36:30 | 000,585,728 | ---- | C] ( ) -- C:\Windows\System32\dlbtlmpm.dll
    [2007/01/30 08:35:00 | 000,397,312 | ---- | C] ( ) -- C:\Windows\System32\dlbtiesc.dll
    [2007/01/30 08:32:06 | 000,094,208 | ---- | C] ( ) -- C:\Windows\System32\dlbtpplc.dll
    [2007/01/30 08:31:08 | 000,684,032 | ---- | C] ( ) -- C:\Windows\System32\dlbtcomc.dll
    [2007/01/30 08:30:30 | 000,163,840 | ---- | C] ( ) -- C:\Windows\System32\dlbtprox.dll
    [2007/01/30 08:22:32 | 000,413,696 | ---- | C] ( ) -- C:\Windows\System32\dlbtinpa.dll
    [2007/01/30 08:21:46 | 000,995,328 | ---- | C] ( ) -- C:\Windows\System32\dlbtusb1.dll
    [2007/01/30 08:17:02 | 000,696,320 | ---- | C] ( ) -- C:\Windows\System32\dlbthbn3.dll
    [3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/02 02:34:39 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/03/02 02:31:06 | 000,003,792 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/03/02 02:31:06 | 000,003,792 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/03/02 02:30:17 | 127,231,689 | ---- | M] (Igor Pavlov) -- C:\Users\Mark\Desktop\OTLPENet.exe
    [2012/03/02 02:19:05 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2012/03/02 02:13:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2012/03/01 12:36:18 | 000,602,846 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/03/01 12:36:18 | 000,106,292 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/03/01 12:31:02 | 3488,145,408 | -HS- | M] () -- C:\hiberfil.sys
    [2012/03/01 12:31:01 | 276,892,865 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2012/03/01 12:25:29 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_trash_log.cmd
    [2012/03/01 12:21:59 | 002,045,015 | ---- | M] () -- C:\Users\Mark\Desktop\tdsskiller.zip
    [2012/03/01 12:07:35 | 000,362,000 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2012/03/01 02:39:45 | 001,932,256 | ---- | M] (Symantec Corporation) -- C:\Users\Mark\Desktop\FixTDSS.exe
    [2012/02/29 09:06:36 | 002,063,920 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Mark\Desktop\TDSSKiller.exe
    [2012/02/29 02:11:26 | 001,281,024 | ---- | M] () -- C:\Users\Mark\Desktop\RogueKiller.exe
    [2012/02/28 02:12:02 | 000,000,832 | ---- | M] () -- C:\Users\Mark\Desktop\WinRAR.lnk
    [2012/02/26 21:54:56 | 000,000,512 | ---- | M] () -- C:\Users\Mark\Desktop\MBR.dat
    [2012/02/26 21:46:30 | 000,066,560 | ---- | M] () -- C:\Windows\System32\drivers\smb.sys
    [2012/02/26 18:56:56 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Users\Mark\Desktop\GooredFix.exe
    [2012/02/26 17:19:58 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Users\Mark\Desktop\OTL.exe
    [2012/02/26 01:06:39 | 000,002,032 | ---- | M] () -- C:\Users\Mark\AppData\Local\d3d9caps.dat
    [2012/02/25 23:39:06 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/02/25 23:11:39 | 000,139,264 | ---- | M] () -- C:\Users\Mark\Desktop\SystemLook.exe
    [2012/02/25 21:54:02 | 004,419,501 | R--- | M] (Swearware) -- C:\Users\Mark\Desktop\ComboFix.exe
    [2012/02/24 21:09:11 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Users\Mark\Desktop\aswMBR.exe
    [2012/02/24 18:16:05 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Mark\Desktop\dds.scr
    [2012/02/24 18:14:22 | 000,302,592 | ---- | M] () -- C:\Users\Mark\Desktop\jywt1xli.exe
    [2012/02/24 17:59:03 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/24 17:59:03 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/02/24 17:55:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
    [2012/02/24 17:55:38 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
    [2012/02/24 17:55:38 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
    [2012/02/24 17:55:38 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
    [2012/02/24 17:22:33 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
    [2012/02/21 19:19:04 | 000,000,000 | ---D | M] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
    [2012/02/12 06:52:27 | 000,054,156 | -H-- | M] () -- C:\Windows\QTFont.qfn
    [2012/02/11 19:16:28 | 000,001,905 | ---- | M] () -- C:\Windows\diagwrn.xml
    [2012/02/11 19:16:28 | 000,001,905 | ---- | M] () -- C:\Windows\diagerr.xml
    [2012/02/11 19:08:17 | 000,153,088 | ---- | M] () -- C:\Users\Mark\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/02/11 14:40:26 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
    [2012/02/09 23:13:00 | 019,443,520 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvoglv32.dll
    [2012/02/09 23:13:00 | 017,543,488 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvcompiler.dll
    [2012/02/09 23:13:00 | 015,009,600 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvd3dum.dll
    [2012/02/09 23:13:00 | 010,816,832 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvlddmkm.sys
    [2012/02/09 23:13:00 | 007,713,088 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvwgf2um.dll
    [2012/02/09 23:13:00 | 005,892,928 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvcuda.dll
    [2012/02/09 23:13:00 | 002,517,312 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvid.dll
    [2012/02/09 23:13:00 | 002,437,440 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvcuvenc.dll
    [2012/02/09 23:13:00 | 002,301,248 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvapi.dll
    [2012/02/09 23:13:00 | 001,000,256 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvdispco32.dll
    [2012/02/09 23:13:00 | 000,881,984 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvgenco32.dll
    [2012/02/09 23:13:00 | 000,061,248 | ---- | M] (Khronos Group) -- C:\Windows\System32\OpenCL.dll
    [2012/02/09 23:13:00 | 000,008,772 | ---- | M] () -- C:\Windows\System32\nvinfo.pb
    [2012/02/09 22:02:06 | 003,881,792 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvcpl.dll
    [2012/02/09 22:00:44 | 002,719,040 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvsvc.dll
    [2012/02/09 22:00:26 | 000,108,352 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvmctray.dll
    [2012/02/09 22:00:26 | 000,062,272 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvshext.dll
    [2012/02/09 15:05:44 | 000,416,064 | ---- | M] () -- C:\Windows\System32\nvStreaming.exe
    [2012/02/07 20:49:14 | 002,557,112 | ---- | M] () -- C:\Users\Mark\Documents\Induction Pack 2010 V2.1.pdf
    [3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/03/01 12:21:57 | 002,045,015 | ---- | C] () -- C:\Users\Mark\Desktop\tdsskiller.zip
    [2012/03/01 12:07:03 | 3488,145,408 | -HS- | C] () -- C:\hiberfil.sys
    [2012/02/29 02:11:25 | 001,281,024 | ---- | C] () -- C:\Users\Mark\Desktop\RogueKiller.exe
    [2012/02/28 02:12:02 | 000,000,832 | ---- | C] () -- C:\Users\Mark\Desktop\WinRAR.lnk
    [2012/02/26 08:38:55 | 000,000,000 | -HS- | C] () -- C:\Windows\System32\dds_trash_log.cmd
    [2012/02/26 08:13:02 | 000,000,512 | ---- | C] () -- C:\Users\Mark\Desktop\MBR.dat
    [2012/02/25 23:11:39 | 000,139,264 | ---- | C] () -- C:\Users\Mark\Desktop\SystemLook.exe
    [2012/02/24 21:46:10 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/02/24 21:46:10 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/02/24 21:46:10 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/02/24 21:46:10 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/02/24 21:46:10 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/02/24 18:14:19 | 000,302,592 | ---- | C] () -- C:\Users\Mark\Desktop\jywt1xli.exe
    [2012/02/24 17:59:03 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/21 19:15:02 | 000,008,772 | ---- | C] () -- C:\Windows\System32\nvinfo.pb
    [2012/02/12 06:06:51 | 276,892,865 | ---- | C] () -- C:\Windows\MEMORY.DMP
    [2012/02/09 15:05:44 | 000,416,064 | ---- | C] () -- C:\Windows\System32\nvStreaming.exe
    [2012/02/07 20:42:25 | 002,557,112 | ---- | C] () -- C:\Users\Mark\Documents\Induction Pack 2010 V2.1.pdf
    [2011/12/18 10:27:34 | 000,069,632 | ---- | C] () -- C:\Windows\UNINSTCC.EXE
    [2011/08/21 08:23:23 | 000,000,000 | ---- | C] () -- C:\Users\Mark\AppData\Local\{A847AE50-89B7-42EA-85C7-1A7112475FBB}
    [2011/04/09 12:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
    [2011/03/14 08:08:11 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2011/03/14 08:06:44 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2011/03/14 08:06:41 | 000,066,560 | ---- | C] () -- C:\Windows\System32\drivers\smb.sys
    [2010/11/09 10:10:19 | 000,004,984 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
    [2010/09/17 07:04:37 | 000,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
    [2010/08/13 10:07:43 | 000,005,097 | ---- | C] () -- C:\Windows\fred2_open_3_6_12r_INF.INI
    [2010/08/13 10:07:37 | 000,000,453 | ---- | C] () -- C:\Windows\fred2_open_3_6_12d_INF.INI
    [2010/06/29 16:36:11 | 000,004,592 | ---- | C] () -- C:\Windows\fred2_open_3_6_12_RC3r_INF.INI
    [2010/06/29 16:36:06 | 000,000,453 | ---- | C] () -- C:\Windows\fred2_open_3_6_12_RC3d_INF.INI
    [2010/06/18 08:36:40 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2009/06/15 18:32:30 | 002,260,966 | ---- | C] () -- C:\Program Files\Common Files\31.mpeg
    [2009/06/09 10:25:02 | 000,000,349 | ---- | C] () -- C:\Program Files\Common Files\04.htm
    [2009/06/03 06:18:31 | 002,546,976 | ---- | C] () -- C:\Program Files\Common Files\032.wmv
    [2009/05/29 09:59:06 | 007,759,872 | ---- | C] () -- C:\Program Files\Common Files\02.mpeg
    [2009/05/29 09:54:35 | 007,831,552 | ---- | C] () -- C:\Program Files\Common Files\01.mpeg
    [2009/05/27 20:00:23 | 007,794,688 | ---- | C] () -- C:\Program Files\Common Files\04.mpeg
    [2009/05/27 20:00:15 | 007,792,640 | ---- | C] () -- C:\Program Files\Common Files\03.mpeg
    [2009/05/05 07:02:33 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2009/04/07 07:42:58 | 000,141,006 | ---- | C] () -- C:\ProgramData\DeviceManager.xml.rc4
    [2009/03/14 15:10:33 | 000,151,448 | ---- | C] () -- C:\Windows\hpwins11.dat
    [2009/03/14 15:10:33 | 000,000,522 | ---- | C] () -- C:\Windows\hpwmdl11.dat
    [2008/08/20 10:45:46 | 000,020,270 | ---- | C] () -- C:\ProgramData\DeviceInstaller.xml
    [2008/07/31 05:01:00 | 000,000,000 | ---- | C] () -- C:\Windows\System32\ToolBx.dll
    [2008/07/07 18:01:41 | 000,022,328 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
    [2008/07/07 18:01:40 | 000,022,328 | ---- | C] () -- C:\Users\Mark\AppData\Roaming\PnkBstrK.sys
    [2008/07/07 18:01:14 | 000,103,736 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
    [2008/07/07 18:01:13 | 000,674,600 | ---- | C] () -- C:\Windows\System32\pbsvc.exe
    [2008/07/07 18:01:13 | 000,066,872 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
    [2008/06/25 19:33:57 | 000,094,208 | ---- | C] () -- C:\Windows\System32\GTW32N50.dll
    [2008/06/25 19:25:21 | 000,002,898 | ---- | C] () -- C:\Windows\System32\WLAN.INI
    [2008/06/18 15:45:04 | 000,149,504 | ---- | C] () -- C:\Windows\UNWISE.EXE
    [2008/03/26 08:27:15 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
    [2008/03/07 11:03:14 | 000,013,312 | ---- | C] () -- C:\Windows\System32\CallSimReader.dll
    [2008/03/07 11:02:24 | 000,061,440 | ---- | C] () -- C:\Windows\System32\SimReader.dll
    [2008/03/06 06:34:02 | 000,000,529 | ---- | C] () -- C:\Windows\eReg.dat
    [2008/03/01 20:24:17 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
    [2008/01/18 17:25:32 | 000,153,088 | ---- | C] () -- C:\Users\Mark\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/01/18 17:05:28 | 000,007,680 | ---- | C] () -- C:\Windows\System32\drivers\ASACPI.sys
    [2008/01/18 17:05:23 | 000,003,781 | ---- | C] () -- C:\Windows\Ascd_tmp.ini
    [2008/01/18 17:05:07 | 000,010,288 | ---- | C] () -- C:\Windows\System32\drivers\ASUSHWIO.SYS
    [2008/01/18 17:01:51 | 000,002,032 | ---- | C] () -- C:\Users\Mark\AppData\Local\d3d9caps.dat
    [2007/12/12 07:44:44 | 000,466,944 | ---- | C] () -- C:\Windows\System32\RemoveDevice.dll
    [2007/02/19 01:20:28 | 000,106,496 | ---- | C] () -- C:\Windows\System32\dlbtinsr.dll
    [2007/02/19 01:20:24 | 000,036,864 | ---- | C] () -- C:\Windows\System32\dlbtcur.dll
    [2007/02/19 01:20:02 | 000,135,168 | ---- | C] () -- C:\Windows\System32\dlbtjswr.dll
    [2007/02/19 01:17:06 | 000,176,128 | ---- | C] () -- C:\Windows\System32\dlbtinsb.dll
    [2007/02/19 01:17:00 | 000,086,016 | ---- | C] () -- C:\Windows\System32\dlbtcub.dll
    [2007/02/19 01:16:52 | 000,073,728 | ---- | C] () -- C:\Windows\System32\dlbtcu.dll
    [2007/02/19 01:16:48 | 000,159,744 | ---- | C] () -- C:\Windows\System32\dlbtins.dll
    [2007/02/19 01:15:34 | 000,434,176 | ---- | C] () -- C:\Windows\System32\dlbtutil.dll
    [2007/02/07 11:57:16 | 000,344,064 | ---- | C] () -- C:\Windows\System32\dlbtcoin.dll
    [2007/01/22 01:18:28 | 000,069,632 | ---- | C] () -- C:\Windows\System32\dlbtcfg.dll
    [2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 07:47:37 | 000,362,000 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 05:33:01 | 000,602,846 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 05:33:01 | 000,106,292 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
    [2005/08/18 04:26:46 | 000,040,960 | ---- | C] () -- C:\Windows\System32\dlbtvs.dll
    [2005/05/25 07:07:26 | 000,061,440 | ---- | C] () -- C:\Windows\System32\dlbtcnv4.dll
    [2003/01/07 10:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
    [2000/01/27 19:00:00 | 000,061,440 | ---- | C] () -- C:\Windows\System32\wrkgadm.exe
    [2000/01/27 19:00:00 | 000,012,288 | ---- | C] () -- C:\Windows\System32\HLINKPRX.DLL

    ========== LOP Check ==========

    [2010/08/12 10:17:36 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Amazon
    [2008/04/10 10:37:16 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Atari
    [2012/02/17 17:47:00 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\AVG2012
    [2010/10/31 08:39:48 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Bioshock
    [2011/05/14 20:15:25 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Bioshock2
    [2009/09/18 06:00:18 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Birdstep Technology
    [2009/02/22 21:21:29 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Command & Conquer 3 Tiberium Wars
    [2008/12/13 12:42:42 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\DAEMON Tools
    [2011/12/18 10:20:27 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\DAEMON Tools Lite
    [2008/12/13 12:42:42 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\DAEMON Tools Pro
    [2008/03/01 15:39:09 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\eMule
    [2009/07/19 15:44:49 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\kompozer.net
    [2011/01/15 06:53:58 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Softland
    [2009/06/09 16:01:50 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Stardock
    [2011/03/15 09:37:41 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\SystemRequirementsLab
    [2009/03/04 05:47:41 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\The Creative Assembly
    [2009/08/30 09:53:43 | 000,000,000 | ---D | M] -- C:\Users\Mark\AppData\Roaming\Vodafone
    [2011/05/28 13:48:16 | 000,000,000 | ---D | M] -- C:\ProgramData\Affinegy
    [2006/11/02 08:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Application Data
    [2012/02/24 22:09:34 | 000,000,000 | ---D | M] -- C:\ProgramData\AVG2012
    [2012/02/17 16:25:45 | 000,000,000 | ---D | M] -- C:\ProgramData\avg9
    [2009/11/15 11:06:20 | 000,000,000 | ---D | M] -- C:\ProgramData\BioWare
    [2009/09/18 06:00:32 | 000,000,000 | ---D | M] -- C:\ProgramData\Birdstep Technology
    [2011/03/15 09:17:06 | 000,000,000 | -H-D | M] -- C:\ProgramData\Common Files
    [2008/12/13 12:41:58 | 000,000,000 | ---D | M] -- C:\ProgramData\DAEMON Tools Lite
    [2006/11/02 08:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Desktop
    [2006/11/02 08:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Documents
    [2010/12/05 14:56:41 | 000,000,000 | ---D | M] -- C:\ProgramData\Electronic Arts
    [2008/03/01 15:39:20 | 000,000,000 | ---D | M] -- C:\ProgramData\eMule
    [2006/11/02 08:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Favorites
    [2011/06/25 20:19:28 | 000,000,000 | ---D | M] -- C:\ProgramData\Gibraltar
    [2009/06/09 17:14:51 | 000,000,000 | ---D | M] -- C:\ProgramData\Ironclad Games
    [2012/02/24 21:42:04 | 000,000,000 | ---D | M] -- C:\ProgramData\MFAData
    [2008/06/15 10:38:50 | 000,000,000 | ---D | M] -- C:\ProgramData\PopCap Games
    [2008/06/24 14:36:31 | 000,000,000 | ---D | M] -- C:\ProgramData\Stardock
    [2006/11/02 08:02:03 | 000,000,000 | -HSD | M] -- C:\ProgramData\Start Menu
    [2008/06/15 10:38:24 | 000,000,000 | ---D | M] -- C:\ProgramData\Steam
    [2012/02/17 15:58:27 | 000,000,000 | ---D | M] -- C:\ProgramData\Temp
    [2006/11/02 08:02:04 | 000,000,000 | -HSD | M] -- C:\ProgramData\Templates
    [2009/08/30 09:55:05 | 000,000,000 | ---D | M] -- C:\ProgramData\Vodafone
    [2008/06/24 14:36:41 | 000,000,000 | -H-D | M] -- C:\ProgramData\{1EB63B4B-5639-4477-8E24-05C31B5F8019}
    [2012/03/02 02:34:20 | 000,032,602 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========
  11. Pr011 Newcomer, in training Posts: 66

    ========== Custom Scans ==========



    < MD5 for: DFSC.SYS >
    [2011/04/14 09:59:03 | 000,075,264 | ---- | M] () MD5=048D6FEC8033B3C0ED624693EC9ADA2B -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys
    [2009/04/10 16:14:14 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=218D8AE46C88E82014F5D73D0236D9B2 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18005_none_8985a6e9e33db02a\dfsc.sys
    [2011/04/14 09:36:03 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=3A3436F7DFE0E0C58CD5C3B6C9F21634 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys
    [2008/01/19 00:28:20 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=9E635AE5E8AD93E2B5989E2E23679F97 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.18000_none_879a2ddde61be4de\dfsc.sys
    [2011/04/14 09:24:14 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=A3E9FA213F443AC77C7746119D13FEEC -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.18633_none_877cca5be63173a0\dfsc.sys
    [2012/02/29 02:07:45 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=A7179DE59AE269AB70345527894CCD7C -- C:\Windows\System32\drivers\dfsc.sys
    [2006/11/02 03:31:04 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=A7179DE59AE269AB70345527894CCD7C -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6000.16386_none_85636be1e930d40a\dfsc.sys
    [2011/04/13 08:22:40 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=E20FB30D720810646ED24FB7CA9899A2 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.22899_none_87cb8b40ff7a5041\dfsc.sys

    < MD5 for: EXPLORER.EXE >
    [2008/10/29 01:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
    [2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
    [2008/10/29 22:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
    [2008/01/20 12:12:39 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=6D06CD98D954FE87FB2DB8108793B399 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
    [2008/01/20 12:12:39 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=BD06F0BF753BC704B653C3A50F89D362 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
    [2009/04/10 18:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\ERDNT\cache\explorer.exe
    [2009/04/10 18:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
    [2009/04/10 18:27:38 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
    [2008/10/27 21:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
    [2006/11/02 04:45:07 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=FD8C53FB002217F6F888BCF6F5D7084D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe
    [2008/01/19 02:33:10 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

    < MD5 for: SVCHOST.EXE >
    [2006/11/02 04:45:47 | 000,022,016 | ---- | M] (Microsoft Corporation) MD5=10DA15933D582D2FEDCF705EFE394B09 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6000.16386_none_b38497a50862ad11\svchost.exe
    [2008/01/19 02:33:32 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\ERDNT\cache\svchost.exe
    [2008/01/19 02:33:32 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
    [2008/01/19 02:33:32 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe
    [2012/01/13 09:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

    < MD5 for: USERINIT.EXE >
    [2008/01/19 02:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\ERDNT\cache\userinit.exe
    [2008/01/19 02:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
    [2008/01/19 02:33:33 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
    [2006/11/02 04:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe

    < MD5 for: WINLOGON.EXE >
    [2012/01/13 09:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
    [2009/04/10 18:28:14 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\ERDNT\cache\winlogon.exe
    [2009/04/10 18:28:14 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
    [2009/04/10 18:28:14 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
    [2006/11/02 04:45:57 | 000,308,224 | ---- | M] (Microsoft Corporation) MD5=9F75392B9128A91ABAFB044EA350BAAD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe
    [2008/01/19 02:33:37 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe
    < End of report >
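    The "< MD5 for: … >" blocks above are the part of this log that matters for the fix that follows: the driver Windows actually loads, C:\Windows\System32\drivers\dfsc.sys, hashes the same as the original 6.0.6000.16386 copy in WinSxS even though 6.0.6002 copies are installed, and one store copy (6.0.6002.18451) is listed with no company name. As an added example that is not OTL's code and not part of this thread, the Python below parses OTL listing lines (the same line format as the "Files Created/Modified" sections earlier in the log), applies that comparison automatically, and separately picks out system-directory files with no company name, which is OTL's own "No Company Name" grouping narrowed to the location that matters. The sample lines are excerpted verbatim from the log posted above; the definition of a "live" copy and the version-ordering heuristic are this example's own assumptions, not OTL rules.

```python
# Added example, not OTL's code nor part of this thread: parse OTL file-listing
# lines and check each live system binary against its WinSxS copies.
import re
from collections import defaultdict

# [YYYY/MM/DD hh:mm:ss | size | attrs | C-or-M] (company) MD5=hash -- path
# Directory entries have no "(company)"; only the custom scan has "MD5=".
ENTRY_RE = re.compile(
    r"\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))?"
    r"(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>\S.*?)\s*$"
)
# A component-store copy's version is encoded in its winsxs directory name.
WINSXS_RE = re.compile(r"\\winsxs\\[^\\]*_(\d+\.\d+\.\d+\.\d+)_[^\\]*\\", re.I)
def vkey(s): return tuple(int(x) for x in s.split("."))  # "6.0.6002.18451" -> numeric sort key

def parse_entry(line):
    """Return a dict for one listing line, or None for any other line."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["company"] = (e["company"] or "").strip()
    e["md5"] = (e["md5"] or "").upper()
    e["is_dir"] = e["attrs"].endswith("D")
    return e

def classify(path):
    """'store' = WinSxS copy; 'live' = what Windows loads (System32 or the Windows dir); 'other' = the rest."""
    if WINSXS_RE.search(path):
        return "store"
    p = path.lower()
    if p.startswith("c:\\windows\\system32\\") or re.fullmatch(r"c:\\windows\\[^\\]+", p):
        return "live"
    return "other"

def md5_blocks(text):
    """Split an OTL custom scan into {binary name: [listing lines]}."""
    blocks, current = defaultdict(list), None
    for line in text.splitlines():
        header = re.match(r"\s*< MD5 for: (.+?) >\s*$", line)
        if header:
            current = header.group(1).lower()
        elif current and line.lstrip().startswith("["):
            blocks[current].append(line)
    return dict(blocks)

def audit_md5_block(lines):
    """Heuristic (this example's assumption, not an OTL rule): the loaded copy
    should hash-match the highest-versioned WinSxS copy. Matching an older one,
    or none, and store copies with no company name are reasons to look closer."""
    entries = [e for e in map(parse_entry, lines) if e]
    live = [e for e in entries if classify(e["path"]) == "live"]
    store, no_company = {}, []  # version string -> md5; versions listed without a company
    for e in entries:
        m = WINSXS_RE.search(e["path"])
        if m:
            store[m.group(1)] = e["md5"]
            if not e["company"]:
                no_company.append(m.group(1))
    report = {"verdict": "insufficient-data", "live_md5": None, "live_version": None,
              "newest_version": None, "store_copies_without_company": sorted(no_company, key=vkey)}
    if not live or not store:
        return report
    newest = max(store, key=vkey)
    matched = [v for v, h in store.items() if h == live[0]["md5"]]
    if not matched:
        verdict = "live-matches-no-store-copy"
    elif newest in matched:
        verdict = "ok"
    else:
        verdict = "live-matches-older-store-copy"
    report.update(verdict=verdict, live_md5=live[0]["md5"], newest_version=newest,
                  live_version=max(matched, key=vkey) if matched else None)
    return report

def unsigned_system_files(lines):
    """System-directory files listed with no company name (OTL's own 'No Company
    Name' grouping, narrowed to the location that matters)."""
    return [e["path"] for e in map(parse_entry, lines)
            if e and not e["is_dir"] and not e["company"] and classify(e["path"]) == "live"]

# Constructed input: lines excerpted verbatim from the OTL log posted above.
SAMPLE_MD5_SCAN = r"""< MD5 for: DFSC.SYS >
[2011/04/14 09:59:03 | 000,075,264 | ---- | M] () MD5=048D6FEC8033B3C0ED624693EC9ADA2B -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys
[2011/04/14 09:36:03 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=3A3436F7DFE0E0C58CD5C3B6C9F21634 -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys
[2012/02/29 02:07:45 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=A7179DE59AE269AB70345527894CCD7C -- C:\Windows\System32\drivers\dfsc.sys
[2006/11/02 03:31:04 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=A7179DE59AE269AB70345527894CCD7C -- C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6000.16386_none_85636be1e930d40a\dfsc.sys

< MD5 for: SVCHOST.EXE >
[2008/01/19 02:33:32 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008/01/19 02:33:32 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe
[2012/01/13 09:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
"""
SAMPLE_RECENT = r"""[2012/03/01 12:25:29 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_trash_log.cmd
[2012/03/01 02:39:45 | 001,932,256 | ---- | M] (Symantec Corporation) -- C:\Users\Mark\Desktop\FixTDSS.exe
[2012/02/26 21:46:30 | 000,066,560 | ---- | M] () -- C:\Windows\System32\drivers\smb.sys
"""
```

    Run over the two sample blocks, `audit_md5_block` reports dfsc.sys as `live-matches-older-store-copy` (live hash equal to the 6.0.6000.16386 copy, newest store copy 6.0.6002.22625, and 6.0.6002.18451 listed without a company name) and svchost.exe as `ok`; the Malwarebytes Chameleon copy and any ERDNT backup are classified as `other` and never taken for the live binary. That is the same picture the fix in the following post acts on: the live driver is replaced from a store copy and the 6.0.6002.18451 copy is deleted. The verdicts are triage hints for a human, not a clean/infected decision.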
  12. Pr011 Newcomer, in training Posts: 66

    Incidentally, the program did not ask me to load the remote registry; just for info in case it's a problem.
  13. Broni Malware Annihilator Posts: 39,349   +175

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    SRV - [2008/01/19 02:33:32 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto] -- C:\Windows\System32\YahooAUService.dll -- (knobserv)
    SRV - [2008/01/19 02:33:32 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto] -- C:\Windows\System32\agpcpq.dll -- (delldmi)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O4 - HKU\Mark_ON_C..\Run: [Steam] File not found
    [2012/03/01 12:25:29 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_trash_log.cmd
    
    
    :Services
    
    :Reg
    
    :Files
    c:\windows\system32\drivers\dfsc.sys|C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.22899_none_87cb8b40ff7a5041\dfsc.sys /replace
    C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Remove the CD and shut down computer manually.
    • Attempt to reboot normally into Windows.
  14. Pr011 Newcomer, in training Posts: 66

    I ran the tool, but the machine would not shut down or restart; it just continued to run. The log popped up but disappeared sharpish. I think that might have been an error on my part, but I'm not sure.

    I did a hard reboot and it has loaded Reatogo-x-pe. The log has not displayed... where would the log be located?
  15. Broni Malware Annihilator Posts: 39,349   +175

    Please redo....
  16. Pr011 Newcomer, in training Posts: 66

    I got the log this time, the machine hung whilst shutting down and had to be hard rebooted again. Log follows:


    ========== OTL ==========
    Service\Driver key knobserv not found.
    File C:\Windows\System32\YahooAUService.dll not found.
    Service\Driver key delldmi not found.
    File C:\Windows\System32\agpcpq.dll not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
    Registry value HKEY_USERS\Mark_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\Steam not found.
    File C:\Windows\System32\dds_trash_log.cmd not found.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File c:\windows\system32\drivers\dfsc.sys successfully replaced with C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.22899_none_87cb8b40ff7a5041\dfsc.sys
    File\Folder C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys not found.
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 03032012_034720
  17. Broni Malware Annihilator Posts: 39,349   +175

    Try to start computer normally.
  18. Pr011 Newcomer, in training Posts: 66

    The machine has booted normally.
  19. Broni Malware Annihilator Posts: 39,349   +175

    Cool beans :)

    Give me a minute to see where we're at....
  20. Pr011 Newcomer, in training Posts: 66

    Ok, thanks for all the help!!