Solved Conficker virus help on computer touch


al davis

I have the initial set of files from a computer on the same network as the one Broni is helping me with (Conficker virus).

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.0.2195 Service Pack 4
Internet Explorer 5.00.3700.1000

10/17/2010 7:25:37 AM
mbam-log-2010-10-17 (07-25-37).txt

Scan type: Full scan (C:\|)
Objects scanned: 100706
Time elapsed: 14 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-17 08:24:28
Windows 5.0.2195 Service Pack 4
Running: bco3fvo5.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwtcipoc.sys


---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\svchost.exe (*** hidden *** ) [AUTO] alyfo <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@DisplayName Installer Microsoft
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@Description Manages network configuration by registering and updating IP addresses and DNS names.
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo\Parameters@ServiceDll C:\WINNT\system32\dhvml.dll
Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@DisplayName Installer Microsoft
Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\alyfo@Description Manages network configuration by registering and updating IP addresses and DNS names.
Reg HKLM\SYSTEM\ControlSet002\Services\alyfo\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\alyfo\Parameters@ServiceDll C:\WINNT\system32\dhvml.dll

---- EOF - GMER 1.0.15 ----
 
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows 2000 Professional
Boot Device: \Device\Harddisk0\Partition1
Install Date:
System Uptime: 10/17/2010 2:08:49 AM (6 hours ago)

Motherboard: Computer Dynamics | |
Processor: Intel Pentium III processor | Slot 1 | 846/mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 18 GiB total, 15.215 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {C671678C-82C1-43F3-D700-0049433E9A4B}
Description: WinDriver
Device ID: ROOT\JUNGO\0001
Manufacturer: Jungo
Name: WinDriver
PNP Device ID: ROOT\JUNGO\0001
Service: WinDriver6

Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
Description: NT Apm/Legacy Interface Node
Device ID: ROOT\NTAPM\0000
Manufacturer: Microsoft
Name: NT Apm/Legacy Interface Node
PNP Device ID: ROOT\NTAPM\0000
Service: NtApm

Class GUID: {4D36E977-E325-11CE-BFC1-08002BE10318}
Description: Intel PCIC compatible PCMCIA controller
Device ID: ROOT\PCMCIA\0000
Manufacturer: Intel
Name: Intel PCIC compatible PCMCIA controller
PNP Device ID: ROOT\PCMCIA\0000
Service: pcmcia

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

DU Meter
Malwarebytes' Anti-Malware
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 2.0
Universal Pointer Device Driver
WebFldrs
Windows Installer 3.0 (KB884016)
Xilinx ISE 6

==== End Of File ===========================
 
DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 8:45:34.92 on Sun 10/17/2010
Internet Explorer: 5.00.3700.1000
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.128.44 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\UPDD\TBSysTry.exe
C:\virus_et_al\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
mDefault_Page_URL = hxxp://www.msn.com
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [CHIPSStart] CHPSTART.EXE
mRun: [CHIPSPtrt] CHPSPTRT.EXE
mRun: [TBSysTry] c:\program files\updd\TBSysTry.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
TCP: {E82024DE-0A46-46EF-BC60-6533E762E89D} = 64.7.11.2,216.200.176.4

============= SERVICES / DRIVERS ===============

R?2 alyfo;Installer Microsoft;c:\winnt\system32\svchost.exe -k netsvcs [1979-12-31 7952]
R0 TBUPDDMP;TBUPDDMP;\SystemRoot\\SystemRoot\System32\Drivers\TBUPDDMP.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\TBUPDDMP.SYS [?]
R1 TBUPDDWD;TBUPDDWD;c:\winnt\system32\drivers\TBUPDDWD.SYS [2003-2-27 261197]
R3 chips;chips;c:\winnt\system32\drivers\chipsm5.sys [2001-4-16 96811]
R3 E100E;E100E;c:\winnt\system32\drivers\e100ent.sys [2001-4-16 25360]
R3 mlnxfltr;mlnxfltr;c:\winnt\system32\drivers\mlnxfltr.sys [2004-1-15 7884]
S3 MultiLINX;MultiLINX;c:\winnt\system32\drivers\mltlnx.sys [2004-1-15 11811]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\drivers\NtApm.sys [2001-4-16 9104]

=============== Created Last 30 ================

2010-10-17 13:45:37 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_284.dat
2010-10-17 12:06:25 0 d-----r- C:\virus_et_al
2010-10-15 19:55:44 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-10-15 19:55:36 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-10-15 19:55:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-15 19:55:33 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-10-15 19:55:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-15 19:54:47 6153352 ----a-w- C:\mbam-setup-1.46.exe

==================== Find3M ====================

2001-04-16 18:02:36 271 ---h--w- c:\program files\desktop.ini
2001-04-16 18:02:36 21952 ---h--w- c:\program files\folder.htt
1999-12-07 12:00:00 32528 ----a-w- c:\winnt\inf\wbfirdma.sys

============= FINISH: 8:45:48.22 ===============
 
You posted the same logs again, which I removed.
Please read my previous reply.
 
Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.pif
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
When I try to run MBRCheck I get a persistent message
'not a valid win32 application'. I've tried the download 3 times.
 
Run this instead...

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
I was not able to capture the text from the window but I saw this logfile on the desktop that appears to have the info that was on the screen in its last 8 lines.

.\debug.cpp(238) : Debug log started at 20.11.2010 - 15:25:52
.\boot_cleaner.cpp(527) : Bootkit Remover
.\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
.\boot_cleaner.cpp(529) : www.esagelab.com
.\boot_cleaner.cpp(533) : Program version: 1.2.0.0
.\boot_cleaner.cpp(540) : OS Version: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
.\debug.cpp(248) : **********************************************
.\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
.\debug.cpp(250) : **********************************************
.\debug.cpp(256) : 0x80400000 0x001a3a00 "\WINNT\System32\ntoskrnl.exe"
.\debug.cpp(256) : 0x80062000 0x000174e0 "\WINNT\System32\hal.dll"
.\debug.cpp(256) : 0xf7410000 0x00003000 "\WINNT\System32\BOOTVID.DLL"
.\debug.cpp(256) : 0xf7000000 0x0000f000 "pci.sys"
.\debug.cpp(256) : 0xf7010000 0x0000c000 "isapnp.sys"
.\debug.cpp(256) : 0xf7500000 0x00002000 "intelide.sys"
.\debug.cpp(256) : 0xf7280000 0x00006000 "\WINNT\System32\DRIVERS\PCIIDEX.SYS"
.\debug.cpp(256) : 0xf7288000 0x00008000 "MountMgr.sys"
.\debug.cpp(256) : 0xbffc8000 0x0001d000 "ftdisk.sys"
.\debug.cpp(256) : 0xf7502000 0x00002000 "Diskperf.sys"
.\debug.cpp(256) : 0xf75c8000 0x00001000 "\WINNT\System32\Drivers\WMILIB.SYS"
.\debug.cpp(256) : 0xf7504000 0x00002000 "dmload.sys"
.\debug.cpp(256) : 0xbffa6000 0x00022000 "dmio.sys"
.\debug.cpp(256) : 0xf7414000 0x00003000 "PartMgr.sys"
.\debug.cpp(256) : 0xbff90000 0x00016000 "atapi.sys"
.\debug.cpp(256) : 0xf7290000 0x00008000 "disk.sys"
.\debug.cpp(256) : 0xf7020000 0x00009000 "\WINNT\System32\DRIVERS\CLASSPNP.SYS"
.\debug.cpp(256) : 0xbff7e000 0x00012000 "KSecDD.sys"
.\debug.cpp(256) : 0xf7030000 0x00010000 "TBUPDDMP.SYS"
.\debug.cpp(256) : 0xbfefb000 0x00083000 "Ntfs.sys"
.\debug.cpp(256) : 0xbfed1000 0x0002a000 "NDIS.sys"
.\debug.cpp(256) : 0xbfebb000 0x00016000 "Mup.sys"
.\debug.cpp(256) : 0xf7298000 0x00006000 "agp440.sys"
.\debug.cpp(256) : 0xbfe67000 0x00023000 "\SystemRoot\system32\drivers\windrvr6.sys"
.\debug.cpp(256) : 0xf75cb000 0x00001000 "\SystemRoot\System32\DRIVERS\audstub.sys"
.\debug.cpp(256) : 0xf7050000 0x0000d000 "\SystemRoot\System32\DRIVERS\rasl2tp.sys"
.\debug.cpp(256) : 0xf7470000 0x00003000 "\SystemRoot\System32\DRIVERS\ndistapi.sys"
.\debug.cpp(256) : 0xbfe50000 0x00017000 "\SystemRoot\System32\DRIVERS\ndiswan.sys"
.\debug.cpp(256) : 0xf7480000 0x00004000 "\SystemRoot\System32\DRIVERS\TDI.SYS"
.\debug.cpp(256) : 0xf7060000 0x0000c000 "\SystemRoot\System32\DRIVERS\raspptp.sys"
.\debug.cpp(256) : 0xf72c0000 0x00005000 "\SystemRoot\System32\DRIVERS\ptilink.sys"
.\debug.cpp(256) : 0xf72d0000 0x00005000 "\SystemRoot\System32\DRIVERS\raspti.sys"
.\debug.cpp(256) : 0xf7070000 0x0000f000 "\SystemRoot\System32\DRIVERS\parallel.sys"
.\debug.cpp(256) : 0xf7080000 0x0000d000 "\SystemRoot\System32\DRIVERS\VIDEOPRT.SYS"
.\debug.cpp(256) : 0xbfe39000 0x00017000 "\SystemRoot\System32\DRIVERS\chipsm5.sys"
.\debug.cpp(256) : 0xf7310000 0x00005000 "\SystemRoot\System32\DRIVERS\USBD.SYS"
.\debug.cpp(256) : 0xf72f8000 0x00008000 "\SystemRoot\System32\DRIVERS\uhcd.sys"
.\debug.cpp(256) : 0xf7320000 0x00007000 "\SystemRoot\System32\DRIVERS\e100ent.sys"
.\debug.cpp(256) : 0xbfe1d000 0x0001c000 "\SystemRoot\System32\DRIVERS\ks.sys"
.\debug.cpp(256) : 0xf75cc000 0x00001000 "\SystemRoot\System32\DRIVERS\swenum.sys"
.\debug.cpp(256) : 0xbfdf2000 0x0002b000 "\SystemRoot\System32\DRIVERS\update.sys"
.\debug.cpp(256) : 0xf7090000 0x0000c000 "\SystemRoot\System32\DRIVERS\i8042prt.sys"
.\debug.cpp(256) : 0xf7330000 0x00006000 "\SystemRoot\System32\DRIVERS\kbdclass.sys"
.\debug.cpp(256) : 0xf7340000 0x00007000 "\SystemRoot\System32\DRIVERS\parport.sys"
.\debug.cpp(256) : 0xf70a0000 0x00010000 "\SystemRoot\System32\DRIVERS\serial.sys"
.\debug.cpp(256) : 0xf7498000 0x00004000 "\SystemRoot\System32\DRIVERS\serenum.sys"
.\debug.cpp(256) : 0xf7358000 0x00007000 "\SystemRoot\System32\DRIVERS\fdc.sys"
.\debug.cpp(256) : 0xf7368000 0x00006000 "\SystemRoot\System32\DRIVERS\mouclass.sys"
.\debug.cpp(256) : 0xf70b0000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
.\debug.cpp(256) : 0xf7378000 0x00007000 "\SystemRoot\System32\Drivers\EFS.SYS"
.\debug.cpp(256) : 0xf750c000 0x00002000 "\SystemRoot\system32\drivers\mlnxfltr.sys"
.\debug.cpp(256) : 0xf70c0000 0x0000a000 "\SystemRoot\System32\DRIVERS\usbhub.sys"
.\debug.cpp(256) : 0xf7398000 0x00005000 "\SystemRoot\System32\DRIVERS\flpydisk.sys"
.\debug.cpp(256) : 0xf7514000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
.\debug.cpp(256) : 0xf75d0000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
.\debug.cpp(256) : 0xf75d1000 0x00001000 "\SystemRoot\System32\Drivers\Beep.SYS"
.\debug.cpp(256) : 0xbf985000 0x00025000 "\SystemRoot\System32\Drivers\TBUPDDWD.SYS"
.\debug.cpp(256) : 0xf74d0000 0x00004000 "\SystemRoot\System32\drivers\vga.sys"
.\debug.cpp(256) : 0xf75d2000 0x00001000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
.\debug.cpp(256) : 0xf73d0000 0x00006000 "\SystemRoot\System32\Drivers\Msfs.SYS"
.\debug.cpp(256) : 0xf70e0000 0x00009000 "\SystemRoot\System32\Drivers\Npfs.SYS"
.\debug.cpp(256) : 0xf751c000 0x00002000 "\SystemRoot\System32\DRIVERS\rasacd.sys"
.\debug.cpp(256) : 0xbf913000 0x00052000 "\SystemRoot\System32\DRIVERS\tcpip.sys"
.\debug.cpp(256) : 0xf70f0000 0x00009000 "\SystemRoot\System32\DRIVERS\msgpc.sys"
.\debug.cpp(256) : 0xf73e8000 0x00008000 "\SystemRoot\System32\DRIVERS\wanarp.sys"
.\debug.cpp(256) : 0xf7100000 0x00009000 "\SystemRoot\System32\Drivers\aswTdi.SYS"
.\debug.cpp(256) : 0xbf8e9000 0x0002a000 "\SystemRoot\System32\DRIVERS\netbt.sys"
.\debug.cpp(256) : 0xf7110000 0x00009000 "\SystemRoot\System32\DRIVERS\netbios.sys"
.\debug.cpp(256) : 0xbf8be000 0x0002b000 "\SystemRoot\System32\DRIVERS\rdbss.sys"
.\debug.cpp(256) : 0xbf845000 0x00067000 "\SystemRoot\System32\DRIVERS\mrxsmb.sys"
.\debug.cpp(256) : 0xbf82e000 0x00017000 "\SystemRoot\System32\Drivers\aswSP.SYS"
.\debug.cpp(256) : 0xf7408000 0x00005000 "\SystemRoot\System32\Drivers\Aavmker4.SYS"
.\debug.cpp(256) : 0xf75d3000 0x00001000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
.\debug.cpp(256) : 0xbf7f0000 0x00016000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
.\debug.cpp(256) : 0xa0000000 0x001a4000 "\??\C:\WINNT\system32\win32k.sys"
.\debug.cpp(256) : 0xbf7be000 0x00032000 "\SystemRoot\System32\chipsd5.dll"
.\debug.cpp(256) : 0xbedc0000 0x0001e000 "\SystemRoot\System32\drivers\afd.sys"
.\debug.cpp(256) : 0xf7556000 0x00002000 "\SystemRoot\System32\Drivers\ParVdm.SYS"
.\debug.cpp(256) : 0xbed5b000 0x00015000 "\SystemRoot\System32\Drivers\aswMon.SYS"
.\debug.cpp(256) : 0xbf71e000 0x00009000 "\SystemRoot\System32\Drivers\Fips.SYS"
.\debug.cpp(256) : 0xbec07000 0x0003c000 "\SystemRoot\System32\DRIVERS\srv.sys"
.\debug.cpp(256) : 0xbeda0000 0x00004000 "\SystemRoot\System32\drivers\XPC4DRVR.SYS"
.\debug.cpp(256) : 0xbeacc000 0x00023000 "\SystemRoot\System32\Drivers\Fastfat.SYS"
.\debug.cpp(256) : 0xbe99c000 0x00010000 "\SystemRoot\System32\DRIVERS\ipsec.sys"
.\debug.cpp(256) : 0xbe924000 0x00004000 "\SystemRoot\System32\Drivers\aswRdr.SYS"
.\debug.cpp(256) : 0x77f80000 0x0007b000 "\WINNT\system32\NTDLL.DLL"
.\debug.cpp(263) : **********************************************
.\debug.cpp(459) : NtOpenDirectoryObject() fails; status: 0xc0000034
.\debug.cpp(460) : LogPrintDeviceObjects(): Error while requesting device objects info
.\boot_cleaner.cpp(565) : System volume is \\.\C:
.\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
.\diskio.cpp(204) : ATA_Read(): DeviceIoControl() ERROR 1
.\boot_cleaner.cpp(373) : ProcessPhysicalDisc(): DeviceIoControl() ERROR 1
.\boot_cleaner.cpp(1055) : ERROR: No physical disks found
.\boot_cleaner.cpp(1151) : Done;
 
ComboFix 10-11-21.02 - Administrator 11/22/2010 7:24.1.1 - x86
Running from: c:\virus_et_al\ComboFix.exe
.
/wow section - STAGE 10


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2010-10-22 to 2010-11-22 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-01 04:46 . 2010-10-15 19:54 6153352 ----a-w- C:\mbam-setup-1.46.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"CHIPSStart"="CHPSTART.EXE" [1999-12-03 40960]
"CHIPSPtrt"="CHPSPTRT.EXE" [1999-12-03 196608]
"TBSysTry"="c:\program files\UPDD\TBSysTry.exe" [2000-07-19 295936]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

2;2 alyfo;Installer Microsoft;c:\winnt\system32\svchost.exe [x]
R3 MultiLINX;MultiLINX;c:\winnt\system32\drivers\mltlnx.sys [2004-01-15 11811]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\DRIVERS\NtApm.sys [1999-09-25 9104]
S0 TBUPDDMP;TBUPDDMP;c:\winnt\\SystemRoot\System32\Drivers\TBUPDDMP.SYS [x]
S1 aswSP;avast! Self Protection; [x]
S1 TBUPDDWD;TBUPDDWD;c:\winnt\System32\Drivers\TBUPDDWD.SYS [2000-07-19 261197]
S2 aswMon;avast! Standard Shield Support; [x]
S3 chips;chips;c:\winnt\system32\DRIVERS\chipsm5.sys [1999-12-03 96811]
S3 E100E;E100E;c:\winnt\system32\DRIVERS\e100ent.sys [1999-05-27 25360]
S3 mlnxfltr;mlnxfltr;c:\winnt\system32\drivers\mlnxfltr.sys [2004-01-15 7884]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
alyfo
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {E82024DE-0A46-46EF-BC60-6533E762E89D} = 64.7.11.2,216.200.176.4
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 07:32
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\alyfo]
"ServiceDll"="c:\winnt\system32\dhvml.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2010-11-22 07:38:38
ComboFix-quarantined-files.txt 2010-11-22 12:38

Pre-Run: 15,973,901,824 bytes free
Post-Run: 15,951,243,264 bytes free

- - End Of File - - FE47C5B2AFF75288F2ED3C39949902EB
 
Running from: c:\virus_et_al\ComboFix.exe
My instructions say to run Combofix from the desktop.
Please move the file to the correct location.

==========================================================================

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\winnt\system32\dhvml.dll

Driver::
alyfo

NetSvc::
alyfo


Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\alyfo]


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
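
Editor's note, not part of any post in this thread: the CFScript above removes four artifacts (the ServiceDll, the service, its netsvcs entry and its registry key) that were identified from the GMER registry dump earlier in the thread. The Python script below is an added example, written for this page and not a tool from Broni or the ComboFix project, that shows how those targets can be picked out of GMER's "Reg HKLM\SYSTEM\...\Services\..." lines automatically. It parses the lines into per-service value maps, flags svchost-hosted services whose ServiceDll is not on an allowlist or whose description is copied from a stock Microsoft service while the display name differs, and drafts the matching CFScript sections for a human to review. The sample input is the alyfo service from the log plus a constructed entry for the genuine DHCP Client service as a clean control; the DLL allowlist and description table are constructed, illustrative values.

```python
import re

# GMER "Reg" lines for the hidden alyfo service, copied from the log posted earlier
# in this thread, plus a constructed entry for the genuine DHCP Client service so the
# checks have a clean control to compare against.
SAMPLE_GMER = r"""
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@DisplayName Installer Microsoft
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo@Description Manages network configuration by registering and updating IP addresses and DNS names.
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\alyfo\Parameters@ServiceDll C:\WINNT\system32\dhvml.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@DisplayName DHCP Client
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp@Description Manages network configuration by registering and updating IP addresses and DNS names.
Reg HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters@ServiceDll %SystemRoot%\system32\dhcpcsvc.dll
"""

# One GMER line: "Reg HKLM\SYSTEM\<controlset>\Services\<svc>[\Parameters][@<value> <data>]"
REG_LINE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>CurrentControlSet|ControlSet\d+)\\Services\\"
    r"(?P<svc>[^\\@\s]+)(?:\\Parameters)?(?:@(?P<name>\w+)(?:\s+(?P<data>.*?))?)?\s*$"
)
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

# DLLs that legitimately serve netsvcs-group services on Windows 2000/XP. Constructed,
# illustrative allowlist; in practice build it from a known-clean reference machine.
KNOWN_SERVICE_DLLS = {
    "dhcpcsvc.dll", "dnsrslvr.dll", "wkssvc.dll", "srvsvc.dll", "browser.dll",
    "schedsvc.dll", "seclogon.dll", "wzcsvc.dll", "netman.dll", "rasmans.dll",
}

# Stock description text of Microsoft services, mapped to the display name it belongs
# to. The alyfo service in this thread carries the DHCP Client text under another name.
STOCK_DESCRIPTIONS = {
    "Manages network configuration by registering and updating IP addresses and DNS names.":
        "DHCP Client",
}


def parse_gmer_registry(text):
    """Group GMER 'Reg' lines by (control set, service name) -> {value name: data}."""
    services = {}
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if not m:
            continue  # not a Services key line; ignore it
        entry = services.setdefault((m["cs"], m["svc"]), {})
        if m["name"]:
            entry[m["name"]] = (m["data"] or "").strip()
    return services


def audit_services(services):
    """Return (control set, service, reason) for svchost-hosted services that look wrong."""
    findings = []
    for (cs, svc), vals in sorted(services.items()):
        host = SVCHOST_RE.search(vals.get("ImagePath", ""))
        if not host:
            continue  # only services hosted by svchost.exe are examined here
        group = host.group(1)
        dll = vals.get("ServiceDll", "")
        base = dll.rsplit("\\", 1)[-1].lower()
        if base and base not in KNOWN_SERVICE_DLLS:
            findings.append((cs, svc, f"svchost -k {group} loads unrecognised ServiceDll {dll}"))
        expected = STOCK_DESCRIPTIONS.get(vals.get("Description", ""))
        display = vals.get("DisplayName", "")
        if expected and display != expected:
            findings.append((cs, svc, f"description belongs to '{expected}' but DisplayName is '{display}'"))
    return findings


def cfscript_for(services, findings):
    """Draft the CFScript sections used in this thread (File::, Driver::, NetSvc::,
    Registry::) for the flagged services. The control-set name is taken from the log
    as-is; the thread's own script named ControlSet001, so review before use."""
    flagged = sorted({(cs, svc) for cs, svc, _ in findings})
    if not flagged:
        return ""
    files = sorted({services[k]["ServiceDll"] for k in flagged if services[k].get("ServiceDll")})
    names = sorted({svc for _, svc in flagged})
    keys = [f"[-HKEY_LOCAL_MACHINE\\System\\{cs}\\Services\\{svc}]" for cs, svc in flagged]
    return "\n\n".join([
        "File::\n" + "\n".join(files),
        "Driver::\n" + "\n".join(names),
        "NetSvc::\n" + "\n".join(names),
        "Registry::\n" + "\n".join(keys),
    ]) + "\n"


if __name__ == "__main__":
    svcs = parse_gmer_registry(SAMPLE_GMER)
    found = audit_services(svcs)
    for cs, svc, reason in found:
        print(f"{cs}\\{svc}: {reason}")
    print(cfscript_for(svcs, found))
```

Run against the sample, the Dhcp control entry passes both checks while alyfo is flagged twice (unknown DLL dhvml.dll, and a DHCP Client description under the display name "Installer Microsoft"), and the drafted script names the same file, service and key that the CFScript in this post removes.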
 
ComboFix 10-11-22.05 - Administrator 11/23/2010 7:33.3.1 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\winnt\system32\dhvml.dll"
.
/wow section - STAGE 10


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ALYFO
-------\Service_alyfo


((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-01 04:46 . 2010-10-15 19:54 6153352 ----a-w- C:\mbam-setup-1.46.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"CHIPSStart"="CHPSTART.EXE" [1999-12-03 40960]
"CHIPSPtrt"="CHPSPTRT.EXE" [1999-12-03 196608]
"TBSysTry"="c:\program files\UPDD\TBSysTry.exe" [2000-07-19 295936]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

R0 TBUPDDMP;TBUPDDMP;\SystemRoot\\SystemRoot\System32\Drivers\TBUPDDMP.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\TBUPDDMP.SYS [?]
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [10/21/2010 8:11 AM 114768]
R1 TBUPDDWD;TBUPDDWD;c:\winnt\system32\drivers\TBUPDDWD.SYS [2/27/2003 1:34 PM 261197]
R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [10/21/2010 8:11 AM 93424]
R3 chips;chips;c:\winnt\system32\drivers\chipsm5.sys [4/16/2001 2:25 PM 96811]
R3 E100E;E100E;c:\winnt\system32\drivers\e100ent.sys [4/16/2001 1:45 PM 25360]
R3 mlnxfltr;mlnxfltr;c:\winnt\system32\drivers\mlnxfltr.sys [1/15/2004 10:46 AM 7884]
S3 MultiLINX;MultiLINX;c:\winnt\system32\drivers\mltlnx.sys [1/15/2004 10:46 AM 11811]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\drivers\NtApm.sys [4/16/2001 7:47 AM 9104]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {E82024DE-0A46-46EF-BC60-6533E762E89D} = 64.7.11.2,216.200.176.4
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-23 07:51
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\Perflib_Perfdata_204.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1064)
c:\winnt\AppPatch\AcLayers.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\winnt\system32\regsvc.exe
c:\winnt\system32\MSTask.exe
c:\winnt\System32\WBEM\WinMgmt.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2010-11-23 07:54:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-23 12:54
ComboFix2.txt 2010-11-23 12:18
ComboFix3.txt 2010-11-22 12:38

Pre-Run: 15,968,823,296 bytes free
Post-Run: 15,927,565,312 bytes free

- - End Of File - - 452D53C79B35345ECFF6AD1C525DEF6D
 
Looks good :)

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL logfile created on: 11/24/2010 6:44:16 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 5.00.3700.1000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

128.00 Mb Total Physical Memory | 3.00 Mb Available Physical Memory | 2.00% Memory free
495.00 Mb Paging File | 180.00 Mb Available in Paging File | 36.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 17.91 Gb Total Space | 14.85 Gb Free Space | 82.93% Space Free | Partition Type: NTFS

Computer Name: TOUCHSCNRTM-II | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/24 06:42:50 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/11/22 07:01:43 | 002,752,560 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\Setup\avast.setup
PRC - [2009/11/24 18:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2003/06/19 12:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2003/06/19 12:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe
PRC - [2003/06/19 12:05:04 | 000,119,568 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\mstask.exe
PRC - [2003/06/19 12:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\regsvc.exe
PRC - [2000/07/19 02:50:00 | 000,295,936 | ---- | M] () -- C:\Program Files\UPDD\TBSYSTRY.EXE


========== Modules (SafeList) ==========

MOD - [2010/11/24 06:42:50 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2003/06/19 12:05:04 | 000,021,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wsock32.dll
MOD - [2003/06/19 12:05:04 | 000,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll
MOD - [1999/12/07 07:00:00 | 000,011,536 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\netrap.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2003/06/19 12:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
SRV - [2003/06/19 12:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/19 12:05:04 | 000,119,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\mstask.exe -- (Schedule)
SRV - [2003/06/19 12:05:04 | 000,094,992 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\FAXSVC.EXE -- (Fax)
SRV - [2003/06/19 12:05:04 | 000,068,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\regsvc.exe -- (RemoteRegistry)
SRV - [2003/06/19 12:05:04 | 000,022,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\utilman.exe -- (UtilMan)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\drivers\DMusic.sys -- (DMusic)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2009/11/24 18:51:09 | 000,093,424 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINNT\System32\drivers\aswmon.sys -- (aswMon)
DRV - [2009/11/24 18:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINNT\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 18:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINNT\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 18:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINNT\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 18:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINNT\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2004/01/15 12:46:56 | 000,256,568 | ---- | M] (Jungo) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\windrvr6.sys -- (WinDriver6)
DRV - [2004/01/15 12:46:55 | 000,014,336 | ---- | M] (Xilinx, Inc.) [Kernel | Auto | Running] -- C:\WINNT\System32\drivers\XPC4DRVR.SYS -- (XilinxPC4Driver)
DRV - [2004/01/15 10:46:20 | 000,011,811 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mltlnx.sys -- (MultiLINX)
DRV - [2004/01/15 10:46:20 | 000,007,884 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\mlnxfltr.sys -- (mlnxfltr)
DRV - [2003/06/19 12:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2003/06/19 12:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmio.sys -- (dmio)
DRV - [2003/06/19 12:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
DRV - [2003/06/19 12:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
DRV - [2003/06/19 12:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINNT\System32\drivers\efs.sys -- (EFS)
DRV - [2003/06/19 12:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf)
DRV - [2003/06/19 12:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmload.sys -- (dmload)
DRV - [2000/07/19 02:50:00 | 000,261,197 | ---- | M] () [Kernel | System | Running] -- C:\WINNT\System32\Drivers\TBUPDDWD.SYS -- (TBUPDDWD)
DRV - [2000/07/19 02:50:00 | 000,055,304 | ---- | M] () [Kernel | Boot | Running] -- C:\WINNT\System32\Drivers\TBUPDDMP.SYS -- (TBUPDDMP)
DRV - [1999/12/07 07:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
DRV - [1999/12/07 07:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
DRV - [1999/12/03 01:39:00 | 000,096,811 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\chipsm5.sys -- (chips)
DRV - [1999/09/25 05:36:48 | 000,009,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\NtApm.sys -- (NtApm)
DRV - [1999/05/27 15:13:40 | 000,025,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\e100ent.sys -- (E100E)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/11/23 07:46:56 | 000,000,027 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx ()
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [CHIPSPtrt] C:\WINNT\System32\chpsptrt.exe ()
O4 - HKLM..\Run: [CHIPSStart] C:\WINNT\System32\chpstart.exe ()
O4 - HKLM..\Run: [TBSysTry] C:\Program Files\UPDD\TBSYSTRY.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\related.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.43.10 192.168.10.25 192.168.10.21
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\application/octet-stream - No CLSID value found
O18 - Protocol\Filter\application/x-complus - No CLSID value found
O18 - Protocol\Filter\application/x-msdownload - No CLSID value found
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/04/16 13:04:20 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Nwsapagent - File not found

Drivers32: aux - C:\WINNT\System32\mmdrv.dll (Microsoft Corporation)
Drivers32: aux1 - File not found
Drivers32: aux2 - File not found
Drivers32: aux3 - File not found
Drivers32: aux4 - File not found
Drivers32: aux5 - File not found
Drivers32: aux6 - File not found
Drivers32: aux7 - File not found
Drivers32: aux8 - File not found
Drivers32: aux9 - File not found
Drivers32: midi1 - File not found
Drivers32: midi2 - File not found
Drivers32: midi3 - File not found
Drivers32: midi4 - File not found
Drivers32: midi5 - File not found
Drivers32: midi6 - File not found
Drivers32: midi7 - File not found
Drivers32: midi8 - File not found
Drivers32: midi9 - File not found
Drivers32: mixer1 - File not found
Drivers32: mixer2 - File not found
Drivers32: mixer3 - File not found
Drivers32: mixer4 - File not found
Drivers32: mixer5 - File not found
Drivers32: mixer6 - File not found
Drivers32: mixer7 - File not found
Drivers32: mixer8 - File not found
Drivers32: mixer9 - File not found
Drivers32: msacm.iac2 - C:\WINNT\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.lhacm - C:\WINNT\System32\lhacm.acm (Microsoft Corporation)
Drivers32: msacm.trspch - C:\WINNT\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINNT\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINNT\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINNT\System32\ir32_32.dll ()
Drivers32: vidc.iv50 - C:\WINNT\System32\ir50_32.dll (Intel Corporation)
Drivers32: wave1 - File not found
Drivers32: wave2 - File not found
Drivers32: wave3 - File not found
Drivers32: wave4 - File not found
Drivers32: wave5 - File not found
Drivers32: wave6 - File not found
Drivers32: wave7 - File not found
Drivers32: wave8 - File not found
Drivers32: wave9 - File not found
Drivers32: wdmaud.drv - wdmaud.drv File not found
SystemRestore not available.

========== Files/Folders - Created Within 30 Days ==========

[2010/11/24 06:43:09 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/11/23 07:41:34 | 000,000,000 | ---D | C] -- C:\WINNT\temp
[2010/11/23 07:28:23 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe
[2010/11/22 07:19:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe
[2010/11/22 07:19:08 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
[2010/11/22 07:19:08 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
[2010/11/22 07:19:00 | 000,000,000 | ---D | C] -- C:\WINNT\ERDNT
[2010/11/22 07:18:43 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/11/20 10:23:31 | 000,083,968 | ---- | C] (eSage Lab) -- C:\Documents and Settings\Administrator\Desktop\remover.exe

========== Files - Modified Within 30 Days ==========

[2010/11/24 06:42:50 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/11/23 13:26:23 | 000,742,352 | -H-- | M] () -- C:\WINNT\ShellIconCache
[2010/11/23 08:53:08 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_200.dat
[2010/11/23 07:52:59 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_204.dat
[2010/11/23 07:46:56 | 000,000,027 | ---- | M] () -- C:\WINNT\System32\drivers\etc\hosts
[2010/11/23 07:20:50 | 000,000,405 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to virus_et_al.lnk
[2010/11/23 07:02:27 | 003,914,095 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/11/22 07:06:13 | 000,002,626 | ---- | M] () -- C:\WINNT\System32\CONFIG.NT
[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINNT\MBR.exe

========== Files Created - No Company Name ==========

[2010/11/23 08:53:08 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_200.dat
[2010/11/23 07:52:59 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_204.dat
[2010/11/22 07:19:08 | 000,256,512 | ---- | C] () -- C:\WINNT\PEV.exe
[2010/11/22 07:19:08 | 000,098,816 | ---- | C] () -- C:\WINNT\sed.exe
[2010/11/22 07:19:08 | 000,089,088 | ---- | C] () -- C:\WINNT\MBR.exe
[2010/11/22 07:19:08 | 000,080,412 | ---- | C] () -- C:\WINNT\grep.exe
[2010/11/22 07:19:08 | 000,068,096 | ---- | C] () -- C:\WINNT\zip.exe
[2003/02/27 13:34:42 | 000,000,012 | ---- | C] () -- C:\WINNT\wininit.ini
[2003/02/27 13:34:40 | 000,261,197 | ---- | C] () -- C:\WINNT\System32\drivers\TBUPDDWD.SYS
[2003/02/27 13:34:40 | 000,055,304 | ---- | C] () -- C:\WINNT\System32\drivers\TBUPDDMP.SYS
[2001/04/16 14:24:26 | 000,001,299 | ---- | C] () -- C:\WINNT\System32\Oeminfo.ini
[2001/04/16 13:02:36 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[2001/04/16 07:42:57 | 000,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
[1999/09/25 05:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 05:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys
[1979/12/31 19:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[1979/12/31 19:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[1979/12/31 19:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[1979/12/31 19:00:00 | 000,001,505 | ---- | C] () -- C:\WINNT\System32\faxperf.ini
[1979/12/31 19:00:00 | 000,000,023 | ---- | C] () -- C:\WINNT\welcome.ini

========== LOP Check ==========

[2005/06/28 12:06:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hagel Technologies

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/02/21 08:29:46 | 000,000,007 | ---- | M] () -- C:\ahs-lab
[2006/01/10 13:33:21 | 000,737,361 | ---- | M] () -- C:\als.mcs
[2001/04/16 13:04:20 | 000,000,000 | -H-- | M] () -- C:\AUTOEXEC.BAT
[2001/04/17 10:24:41 | 000,000,192 | -HS- | M] () -- C:\boot.ini
[2001/03/26 06:45:28 | 000,000,512 | -HS- | M] () -- C:\BOOTSECT.DOS
[2010/11/23 07:55:09 | 000,004,545 | ---- | M] () -- C:\ComboFix.txt
[2001/04/16 13:04:20 | 000,000,000 | -H-- | M] () -- C:\CONFIG.SYS
[2006/09/11 13:19:20 | 000,737,361 | ---- | M] () -- C:\download_9_11.mcs
[2001/04/16 13:04:20 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/09/30 23:46:40 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup-1.46.exe
[2001/04/16 13:04:20 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2007/08/23 12:45:32 | 000,034,724 | RHS- | M] () -- C:\NTDETECT.COM
[2007/08/23 12:45:32 | 000,214,432 | RHS- | M] () -- C:\ntldr
[2010/11/24 06:27:24 | 402,653,184 | -HS- | M] () -- C:\pagefile.sys
[2006/08/29 07:57:59 | 000,000,000 | ---- | M] () -- C:\pep.txt
[2005/08/04 12:00:11 | 000,921,654 | ---- | M] () -- C:\piaggio.bmp
[2008/01/31 11:06:43 | 000,000,012 | ---- | M] () -- C:\pipename.txt
[2006/08/23 14:51:27 | 000,000,020 | ---- | M] () -- C:\shut.bat
[2005/02/02 09:35:07 | 000,737,361 | ---- | M] () -- C:\tac_2_2_934.mcs
[2005/10/04 10:14:43 | 000,737,361 | ---- | M] () -- C:\TAC_PreScanClock_2005104.mcs
[2005/07/18 14:13:07 | 000,737,361 | ---- | M] () -- C:\tac_pre_20050712.mcs
[2006/01/09 09:40:08 | 000,737,361 | ---- | M] () -- C:\tac_pre_sscl3.mcs
[2005/05/06 02:30:56 | 000,155,701 | ---- | M] () -- C:\WinPowerOff.exe

< %systemroot%\Fonts\*.com >

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2001/04/16 13:03:19 | 000,000,067 | -HS- | M] () -- C:\WINNT\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2003/06/19 12:05:04 | 000,006,928 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\spool\prtprocs\w32x86\sfmpsprt.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2001/04/16 13:02:36 | 000,000,271 | -H-- | M] () -- C:\Program Files\desktop.ini
[2001/04/16 13:02:36 | 000,021,952 | -H-- | M] () -- C:\Program Files\folder.htt

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2001/04/16 07:39:30 | 000,081,920 | ---- | M] () -- C:\WINNT\system32\config\default.sav
[2001/04/16 07:39:30 | 000,536,576 | ---- | M] () -- C:\WINNT\system32\config\software.sav
[2001/04/16 07:39:30 | 000,360,448 | ---- | M] () -- C:\WINNT\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2007/08/23 12:53:29 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2010/11/23 07:02:27 | 003,914,095 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/08/19 12:51:53 | 002,760,756 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Min_scanner.exe
[2010/11/24 06:42:50 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/09/01 15:33:50 | 000,083,968 | ---- | M] (eSage Lab) -- C:\Documents and Settings\Administrator\Desktop\remover.exe
[2004/07/23 13:40:28 | 045,393,408 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\WebPACK_62_fcp_i.exe
[2005/05/06 02:30:56 | 000,155,701 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\WinPowerOff.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[1999/12/07 07:00:00 | 000,000,777 | ---- | M] () -- C:\WINNT\addins\faxext.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >
[1999/12/07 07:00:00 | 000,000,654 | ---- | M] () -- C:\WINNT\Config\general.idf
[1999/12/07 07:00:00 | 000,000,658 | ---- | M] () -- C:\WINNT\Config\hindered.idf
[1999/12/07 07:00:00 | 000,000,302 | ---- | M] () -- C:\WINNT\Config\msadlib.idf

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2007/08/23 12:53:29 | 000,000,083 | -HS- | M] () -- C:\Documents and Settings\Administrator\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2007/08/23 12:53:47 | 000,002,338 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2010/11/24 06:47:44 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Administrator\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2003/06/19 12:05:04 | 000,221,184 | ---- | M] () -- C:\WINNT\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >


< >

< End of report >
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English) v1.0.3705
"avast!" = avast! Antivirus
"dumeter3_is1" = DU Meter
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"TBUPDD" = Universal Pointer Device Driver
"Xilinx ISE 6" = Xilinx ISE 6

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/5/2004 4:33:10 PM | Computer Name = ALENIA-0-2003 | Source = Userenv | ID = 1000
Description = Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator. DETAIL - Access
is denied. , Build number ((2195)).

Error - 8/23/2007 9:07:27 AM | Computer Name = ALENIA-0-2003 | Source = ASP.NET 1.0.3705.0 | ID = 1031
Description =

Error - 8/23/2007 9:08:54 AM | Computer Name = ALENIA-0-2003 | Source = WinMgmt | ID = 62
Description = WMI ADAP was unable to process the .NET CLR Data performance library
since one of the data blobs reported to have classes but had zero size

Error - 8/23/2007 9:08:55 AM | Computer Name = ALENIA-0-2003 | Source = WinMgmt | ID = 62
Description = WMI ADAP was unable to process the .NET CLR Networking performance
library since one of the data blobs reported to have classes but had zero size

Error - 8/23/2007 9:10:46 AM | Computer Name = ALENIA-0-2003 | Source = WinMgmt | ID = 37
Description = WMI ADAP was unable to load the netfxperf.dll performance library
due to an unknown problem within the library: 0x0

Error - 8/23/2007 9:10:46 AM | Computer Name = ALENIA-0-2003 | Source = WinMgmt | ID = 37
Description = WMI ADAP was unable to load the netfxperf.dll performance library
due to an unknown problem within the library: 0x0

Error - 8/23/2007 2:25:52 PM | Computer Name = ALENIA-0-2003 | Source = LoadPerf | ID = 3009
Description = Installing the performance counter strings for .NET CLR Networking
failed. The Error code is DWORD 0 of the Record Data.

Error - 8/23/2007 2:25:56 PM | Computer Name = ALENIA-0-2003 | Source = LoadPerf | ID = 3009
Description = Installing the performance counter strings for .NET CLR Data failed.
The Error code is DWORD 0 of the Record Data.

Error - 8/23/2007 2:25:56 PM | Computer Name = ALENIA-0-2003 | Source = LoadPerf | ID = 3009
Description = Installing the performance counter strings for .NETFramework failed.
The Error code is DWORD 0 of the Record Data.

Error - 8/23/2007 4:15:17 PM | Computer Name = ALENIA-0-2003 | Source = .NET Runtime 2.0 Error Reporting | ID = 1000
Description = Faulting application form1.exe, version 0.0.0.0, stamp 46cd7496, faulting
module kernel32.dll, version 5.0.2195.6688, stamp 3ef274dc, debug? 0, fault address
0x0000a4e1.

[ System Events ]
Error - 6/7/2006 7:11:41 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Pcmcia

Error - 6/8/2006 7:03:32 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Pcmcia

Error - 6/9/2006 7:23:30 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Pcmcia

Error - 6/9/2006 12:08:13 PM | Computer Name = ALENIA-0-2003 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
DILWORTH that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{E82024DE-0A46-46EF-. The master browser is stopping or an election
is being forced.

Error - 6/12/2006 7:03:51 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Pcmcia

Error - 6/13/2006 7:12:19 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Pcmcia

Error - 6/14/2006 7:42:31 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Pcmcia

Error - 6/15/2006 7:13:25 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Pcmcia

Error - 6/16/2006 7:21:08 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Pcmcia

Error - 6/19/2006 7:11:22 AM | Computer Name = ALENIA-0-2003 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Pcmcia


< End of report >
 
128.00 Mb Total Physical Memory
Win 2K could use a little bit more RAM. 256MB maybe...

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

=======================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

=====================================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If ESET doesn't find any threats, it won't produce a log.
 
I'd like to omit the Java stuff on this computer.

All processes killed
========== OTL ==========
File Animation Java Classes file://C:\WINNT\Java\classes\dajava.cab not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
File oft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1431991 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Scott
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: shell32.dll unable to determine bytes removed.

Total Files Cleaned = 1.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: Scott

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 11302010_065944

Files\Folders moved on Reboot...
File\Folder C:\WINNT\temp\_avast4_\Webshlock.txt not found!

Registry entries deleted on Reboot...
 
Results of screen317's Security Check version 0.99.5
Windows 2000 Service Pack 4
Internet Explorer 5 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

avast! Antivirus
avast! successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast4 aswUpdSv.exe
Alwil Software Avast4 ashServ.exe
Alwil Software Avast4 ashDisp.exe
Alwil Software Avast4 ashMaiSv.exe
Alwil Software Avast4 ashWebSv.exe
````````````````````````````````
DNS Vulnerability Check:

nslookup.exe missing!
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 
For some reason I am unable to start the scan at ESET. The page opens and I click the 'ESET online scanner' button, but the page just re-opens. Is there an alternative way to run that scan?
 