Inactive: I believe that it's Win32:Bamital-X


d3m0nc1aw

When I run Avast it says that it's Win32:Bamital-X and that it is a read-only file and cannot be removed by Avast. So I did some reading and saw that other people had this same problem, and so I tried some of the things that they did, but my problem is that I cannot gain access to my desktop if I am not booted in safe mode, and the programs will not run. I can open the task manager, so I opened that and tried to run

Explorer.exe

but that didn't work; it said that the program I am trying to access is unavailable.

So any suggestions?
 
Welcome aboard


The following programs can be run from Safe Mode / Safe Mode with Networking.

Please download and run the tool below, named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.

There are 4 different versions. If one of them won't run, then download and try to run another one.

Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe


  * Double-click on the Rkill desktop icon to run the tool.
  * If using Vista or Windows 7, right-click on it and choose Run As Administrator.
  * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  * If not, delete the file, then download and use the one provided in Link 2.
  * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  * Do not reboot until instructed.
  * If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following.

Now download and run exeHelper.


  * Please download exeHelper from Raktor to your desktop.
  * Double-click on exeHelper.com to run the fix.
  * A black window should pop up; press any key to close it once the fix is completed.
  * A log file named log.txt will be created in the directory where you ran exeHelper.com.
  * Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

=====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If ComboFix asks you to install Recovery Console, please allow it.
    NOTE 2. If ComboFix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Thanks for the reply.
Here's the log for ComboFix.

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Katy Lutz\Adorable.scr
c:\documents and settings\Katy Lutz\Application Data\020000000dc00c7d909C.manifest
c:\documents and settings\Katy Lutz\Application Data\020000000dc00c7d909O.manifest
c:\documents and settings\Katy Lutz\Application Data\020000000dc00c7d909P.manifest
c:\documents and settings\Katy Lutz\Application Data\020000000dc00c7d909S.manifest
c:\documents and settings\Katy Lutz\uninstall Adorable.exe
c:\documents and settings\Michael Bryant\Application Data\020000000dc00c7d909C.manifest
c:\documents and settings\Michael Bryant\Application Data\020000000dc00c7d909O.manifest
c:\documents and settings\Michael Bryant\Application Data\020000000dc00c7d909P.manifest
c:\documents and settings\Michael Bryant\Application Data\020000000dc00c7d909S.manifest
c:\documents and settings\Michael Bryant\Local Settings\Application Data\{CDFE9272-1217-4C49-BFE1-280ED6FA81FC}
c:\documents and settings\Michael Bryant\Local Settings\Application Data\{CDFE9272-1217-4C49-BFE1-280ED6FA81FC}\chrome.manifest
c:\documents and settings\Michael Bryant\Local Settings\Application Data\{CDFE9272-1217-4C49-BFE1-280ED6FA81FC}\chrome\content\_cfg.js
c:\documents and settings\Michael Bryant\Local Settings\Application Data\{CDFE9272-1217-4C49-BFE1-280ED6FA81FC}\chrome\content\overlay.xul
c:\documents and settings\Michael Bryant\Local Settings\Application Data\{CDFE9272-1217-4C49-BFE1-280ED6FA81FC}\install.rdf
c:\documents and settings\Michael Bryant\Local Settings\Application Data\Windows Server
c:\documents and settings\Michael Bryant\Local Settings\Application Data\Windows Server\admin.txt
c:\documents and settings\Michael Bryant\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Natalie Lutz\Application Data\DataSafeDotNet.exe
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\system32\611151665
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\unrar.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-09-08 22:07 . 2010-09-08 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2010-09-01 20:00 . 2010-09-01 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-09-01 20:00 . 2010-09-01 20:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2010-09-01 20:00 . 2010-09-01 20:00 -------- d-----w- c:\program files\CCleaner
2010-09-01 19:49 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-31 14:09 . 2010-08-31 14:09 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-08-31 01:30 . 2010-08-31 01:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-08-26 23:35 . 2010-09-11 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-26 23:35 . 2010-08-26 23:35 -------- d-----w- c:\program files\Alwil Software
2010-08-26 23:29 . 2010-08-26 23:29 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-26 22:03 . 2010-08-26 22:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-26 22:01 . 2010-08-26 22:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-26 20:04 . 2010-08-27 12:24 2838 ----a-w- c:\windows\Iceqahaqevemite.dat
2010-08-26 20:04 . 2010-08-27 04:57 0 ----a-w- c:\windows\Mratumejabive.bin
2010-08-26 20:04 . 2010-08-26 20:04 -------- d-----w- c:\documents and settings\Michael Bryant\Local Settings\Application Data\vtkaog
2010-08-26 20:01 . 2010-08-26 20:01 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\1530834A405C118A974E9E21BEE11923
2010-08-26 19:44 . 2010-08-26 19:44 45116 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-15 12:46 . 2010-08-15 12:46 -------- d-----w- c:\documents and settings\Natalie Lutz\Local Settings\Application Data\Conduit
2010-08-15 12:46 . 2010-08-15 12:46 -------- d-----w- c:\documents and settings\Natalie Lutz\Local Settings\Application Data\XfireXO
2010-08-14 21:48 . 2010-08-14 21:48 -------- d-----w- c:\documents and settings\Katy Lutz\Local Settings\Application Data\Conduit
2010-08-14 21:48 . 2010-08-14 21:48 -------- d-----w- c:\documents and settings\Katy Lutz\Local Settings\Application Data\XfireXO
2010-08-14 11:52 . 2010-09-07 22:24 -------- d-----w- c:\program files\StepMania
2010-08-13 21:55 . 2010-08-13 21:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
2010-08-13 16:28 . 2010-08-13 16:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\XfireXO
2010-08-13 06:21 . 2010-08-13 06:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
1601-01-01 00:00 . 1601-01-01 00:00 -------- d-----w- C:\4848b493421c2e5185

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-11 03:01 . 2009-04-01 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-11 02:57 . 2010-01-15 22:38 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-11 02:55 . 2009-03-26 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-11 02:39 . 2009-04-03 23:47 -------- d-----w- c:\program files\Steam
2010-09-07 22:10 . 2010-02-28 04:44 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\Audacity
2010-09-01 20:00 . 2009-04-25 18:16 -------- d-----w- c:\program files\Yahoo!
2010-08-27 13:29 . 2009-04-04 01:12 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\DNA
2010-08-27 12:24 . 2009-04-04 01:12 -------- d-----w- c:\program files\DNA
2010-08-27 04:57 . 2009-04-04 01:04 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\LimeWire
2010-08-26 21:51 . 2009-03-26 03:50 50056 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-26 20:01 . 2010-08-26 20:01 225280 ----a-w- c:\documents and settings\Michael Bryant\Application Data\1530834A405C118A974E9E21BEE11923\newsecureapp70700.exe
2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-15 12:46 . 2009-04-01 20:25 50056 ----a-w- c:\documents and settings\Natalie Lutz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-14 21:47 . 2009-04-01 20:57 50056 ----a-w- c:\documents and settings\Katy Lutz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-12 23:28 . 2009-04-04 01:13 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\BitTorrent
2010-08-03 14:19 . 2009-03-26 03:44 -------- d-----w- c:\program files\McAfee
2010-08-03 13:59 . 2009-04-03 23:43 50056 ----a-w- c:\documents and settings\Michael Bryant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-03 13:59 . 2010-08-03 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-08-03 13:57 . 2010-08-03 13:57 65536 ----a-r- c:\documents and settings\Michael Bryant\Application Data\Microsoft\Installer\{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}\ARPPRODUCTICON.exe
2010-08-03 13:56 . 2010-08-03 13:56 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-08-03 13:56 . 2009-03-26 03:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-18 18:19 . 2010-07-18 18:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2010-07-17 23:52 . 2010-07-17 23:52 -------- d-----w- c:\program files\XfireXO
2010-07-17 23:52 . 2010-07-17 23:52 -------- d-----w- c:\program files\Conduit
2010-07-17 23:45 . 2010-07-17 23:45 -------- d-----w- c:\program files\Z8Games
2010-07-17 13:22 . 2009-07-27 02:05 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-07-17 13:22 . 2009-06-13 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-07-17 13:21 . 2009-07-27 02:05 -------- d-----w- c:\program files\ParetoLogic
2010-07-17 13:21 . 2009-06-13 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2010-07-15 19:18 . 2009-03-26 03:45 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-09 14:26 . 2010-09-01 02:38 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
2010-07-03 13:16 . 2010-05-08 22:11 99 ----a-w- c:\documents and settings\Katy Lutz\jagex_runescape_preferences2.dat
2010-07-03 13:00 . 2010-05-08 22:10 46 ----a-w- c:\documents and settings\Katy Lutz\jagex_runescape_preferences.dat
2010-07-02 14:25 . 2010-09-01 02:38 1118208 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\Libxml2.dll
2010-07-02 14:25 . 2010-09-01 02:38 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
2010-06-30 12:31 . 2008-04-25 16:16 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 02:14 . 2008-04-25 16:16 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 20:50 . 2010-06-22 20:50 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1E.tmp.exe
2010-06-21 15:27 . 2008-04-25 16:16 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-19 00:12 . 2009-04-04 21:52 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-19 00:11 . 2009-04-04 12:37 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-17 14:03 . 2008-04-25 16:16 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-04-25 21:27 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-25 16:16 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 6BA2B344AD063BB35ADA1D33EFF8FA2B . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 9AB873E5C3DE27BCDEA5343EA6EA95CB . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2010-06-13 23:10 2734688 ----a-w- c:\program files\XfireXO\tbXfir.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-13 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-19 864112]
"iPodVideoConverter_upgrade"="c:\program files\E-Zsoft\iPodVideoConverter\iPodVideoConverter.exe" [2009-09-08 503808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Michael Bryant\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-3-10 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-26 03:48 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3m0nc1aw\\team fortress classic\\hl.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/4/2009 8:37 AM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 4:16 PM 135664]
S3 XDva352;XDva352;\??\c:\windows\system32\XDva352.sys --> c:\windows\system32\XDva352.sys [?]
S3 XDva358;XDva358;\??\c:\windows\system32\XDva358.sys --> c:\windows\system32\XDva358.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-09-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:11]

2010-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-08-14 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4251465998.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:16]

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:16]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-26 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-26 16:22]

2010-08-14 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2009-12-29 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://vo.mcbh.org/MLWebCacheCleaner.cab
DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-15079.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKCU-Run-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-11 09:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
 
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\windows\system32\msiexec.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\progra~1\mcafee\msc\mcupdmgr.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\progra~1\mcafee\msc\mcupdui.exe
c:\program files\mcafee\virusscan\mcinsupd.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
.
**************************************************************************
.
Completion time: 2010-09-11 09:19:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-11 13:19

Pre-Run: 461,987,045,376 bytes free
Post-Run: 458,944,847,872 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9E66EDD22C1F77494E537F8819BD6168
 
ComboFix header is missing. Please always post the entire log.

Are you able to operate from normal mode now?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    explorer.exe
    winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

=======================================================================

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\Iceqahaqevemite.dat
c:\windows\Mratumejabive.bin


Folder::
c:\documents and settings\Michael Bryant\Local Settings\Application Data\vtkaog
c:\documents and settings\Michael Bryant\Application Data\1530834A405C118A974E9E21BEE11923


DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Systemlook Log:

SystemLook 04.09.10 by jpshortstuff
Log created at 15:01 on 11/09/2010 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 9AB873E5C3DE27BCDEA5343EA6EA95CB

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] 6BA2B344AD063BB35ADA1D33EFF8FA2B

-= EOF =-
 
ComboFix:

ComboFix 10-09-09.04 - Administrator 09/11/2010 15:14:43.2.4 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.3038 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Iceqahaqevemite.dat"
"c:\windows\Mratumejabive.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Heather Lutz\Application Data\64dlls.exe
c:\documents and settings\Heather Lutz\Application Data\intel64.exe
c:\documents and settings\Heather Lutz\Application Data\Kernel32.exe
c:\documents and settings\Heather Lutz\Application Data\localsys64.exe
c:\documents and settings\Heather Lutz\Application Data\ntos.exe
c:\documents and settings\Heather Lutz\Application Data\oembios.exe
c:\documents and settings\Heather Lutz\Application Data\sdra64.exe
c:\documents and settings\Heather Lutz\Application Data\sdra73.exe
c:\documents and settings\Heather Lutz\Application Data\swin32.exe
c:\documents and settings\Heather Lutz\Application Data\twex.exe
c:\documents and settings\Heather Lutz\Application Data\twext.exe
c:\documents and settings\Heather Lutz\Application Data\wsnpoema.exe
c:\documents and settings\Michael Bryant\Application Data\1530834A405C118A974E9E21BEE11923
c:\documents and settings\Michael Bryant\Application Data\1530834A405C118A974E9E21BEE11923\newsecureapp70700.exe
c:\documents and settings\Michael Bryant\Local Settings\Application Data\vtkaog
c:\windows\Iceqahaqevemite.dat
c:\windows\Mratumejabive.bin

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-09-11 13:19 . 2010-09-11 13:19 -------- d-----w- c:\windows\LastGood
2010-09-08 22:07 . 2010-09-08 22:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Audacity
2010-09-01 20:00 . 2010-09-11 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-09-01 20:00 . 2010-09-01 20:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2010-09-01 20:00 . 2010-09-01 20:00 -------- d-----w- c:\program files\CCleaner
2010-09-01 19:49 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-09-01 02:38 . 2010-07-09 14:26 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
2010-09-01 02:38 . 2010-07-02 14:25 1118208 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\Libxml2.dll
2010-09-01 02:38 . 2010-07-02 14:25 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
2010-09-01 02:37 . 2010-08-17 18:10 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-31 14:09 . 2010-08-31 14:09 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-08-31 01:30 . 2010-08-31 01:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-08-26 23:35 . 2010-09-11 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-26 23:35 . 2010-08-26 23:35 -------- d-----w- c:\program files\Alwil Software
2010-08-26 23:29 . 2010-08-26 23:29 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-26 22:03 . 2010-08-26 22:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-26 22:01 . 2010-08-26 22:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-08-26 19:44 . 2010-08-26 19:44 45116 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-15 12:46 . 2010-08-15 12:46 -------- d-----w- c:\documents and settings\Natalie Lutz\Local Settings\Application Data\Conduit
2010-08-15 12:46 . 2010-08-15 12:46 -------- d-----w- c:\documents and settings\Natalie Lutz\Local Settings\Application Data\XfireXO
2010-08-14 21:48 . 2010-08-14 21:48 -------- d-----w- c:\documents and settings\Katy Lutz\Local Settings\Application Data\Conduit
2010-08-14 21:48 . 2010-08-14 21:48 -------- d-----w- c:\documents and settings\Katy Lutz\Local Settings\Application Data\XfireXO
2010-08-14 11:52 . 2010-09-07 22:24 -------- d-----w- c:\program files\StepMania
2010-08-13 21:55 . 2010-08-13 21:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
2010-08-13 16:28 . 2010-08-13 16:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\XfireXO
2010-08-13 06:21 . 2010-08-13 06:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-11 18:56 . 2009-04-04 01:12 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\DNA
2010-09-11 17:49 . 2009-04-03 23:47 -------- d-----w- c:\program files\Steam
2010-09-11 14:33 . 2010-02-28 04:44 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\Audacity
2010-09-11 13:46 . 2009-04-04 01:04 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\LimeWire
2010-09-11 13:44 . 2009-04-04 01:12 -------- d-----w- c:\program files\DNA
2010-09-11 13:29 . 2010-07-17 23:52 -------- d-----w- c:\program files\XfireXO
2010-09-11 13:19 . 2009-03-26 03:44 -------- d-----w- c:\program files\McAfee
2010-09-11 03:01 . 2009-04-01 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-11 02:57 . 2010-01-15 22:38 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-11 02:55 . 2009-03-26 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-01 20:00 . 2009-04-25 18:16 -------- d-----w- c:\program files\Yahoo!
2010-08-26 21:51 . 2009-03-26 03:50 50056 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-15 12:46 . 2009-04-01 20:25 50056 ----a-w- c:\documents and settings\Natalie Lutz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-14 21:47 . 2009-04-01 20:57 50056 ----a-w- c:\documents and settings\Katy Lutz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-12 23:28 . 2009-04-04 01:13 -------- d-----w- c:\documents and settings\Michael Bryant\Application Data\BitTorrent
2010-08-03 13:59 . 2009-04-03 23:43 50056 ----a-w- c:\documents and settings\Michael Bryant\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-03 13:59 . 2010-08-03 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-08-03 13:57 . 2010-08-03 13:57 65536 ----a-r- c:\documents and settings\Michael Bryant\Application Data\Microsoft\Installer\{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}\ARPPRODUCTICON.exe
2010-08-03 13:56 . 2010-08-03 13:56 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-08-03 13:56 . 2009-03-26 03:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-18 18:19 . 2010-07-18 18:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2010-07-17 23:52 . 2010-07-17 23:52 -------- d-----w- c:\program files\Conduit
2010-07-17 23:45 . 2010-07-17 23:45 -------- d-----w- c:\program files\Z8Games
2010-07-17 13:22 . 2009-07-27 02:05 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-07-17 13:22 . 2009-06-13 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-07-17 13:21 . 2009-07-27 02:05 -------- d-----w- c:\program files\ParetoLogic
2010-07-17 13:21 . 2009-06-13 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2010-07-15 19:18 . 2009-03-26 03:45 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-03 13:16 . 2010-05-08 22:11 99 ----a-w- c:\documents and settings\Katy Lutz\jagex_runescape_preferences2.dat
2010-07-03 13:00 . 2010-05-08 22:10 46 ----a-w- c:\documents and settings\Katy Lutz\jagex_runescape_preferences.dat
2010-06-30 12:31 . 2008-04-25 16:16 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 02:14 . 2008-04-25 16:16 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 20:50 . 2010-06-22 20:50 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1E.tmp.exe
2010-06-21 15:27 . 2008-04-25 16:16 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-19 00:12 . 2009-04-04 21:52 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-19 00:11 . 2009-04-04 12:37 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-17 14:03 . 2008-04-25 16:16 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-04-25 21:27 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-25 16:16 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 6BA2B344AD063BB35ADA1D33EFF8FA2B . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 9AB873E5C3DE27BCDEA5343EA6EA95CB . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2010-09-11 13:29 2735200 ----a-w- c:\program files\XfireXO\tbXfi1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfi1.dll" [2010-09-11 2735200]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater6"="c:\program files\Common Files\Adobe\Updater6\Adobe_Updater.exe" [2009-04-04 2521464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-19 864112]
"iPodVideoConverter_upgrade"="c:\program files\E-Zsoft\iPodVideoConverter\iPodVideoConverter.exe" [2009-09-08 503808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Michael Bryant\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-3-10 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-26 03:48 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\d3m0nc1aw\\team fortress classic\\hl.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/4/2009 8:37 AM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
S2 0120501284211202mcinstcleanup;McAfee Application Installer Cleanup (0120501284211202);c:\windows\TEMP\012050~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\012050~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 4:16 PM 135664]
S3 XDva352;XDva352;\??\c:\windows\system32\XDva352.sys --> c:\windows\system32\XDva352.sys [?]
S3 XDva358;XDva358;\??\c:\windows\system32\XDva358.sys --> c:\windows\system32\XDva358.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-09-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:11]

2010-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-09-11 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4251465998.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:16]

2010-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:16]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-26 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-26 16:22]

2010-08-14 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2009-12-29 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} - hxxps://vo.mcbh.org/MLWebCacheCleaner.cab
DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-15079.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-11 15:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-8834206-3494891491-1703734855-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3f,c9,27,6c,9f,bf,e6,4f,9a,b2,ed,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3f,c9,27,6c,9f,bf,e6,4f,9a,b2,ed,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2010-09-11 15:24:43
ComboFix-quarantined-files.txt 2010-09-11 19:24
ComboFix2.txt 2010-09-11 13:19

Pre-Run: 462,568,198,144 bytes free
Post-Run: 462,562,418,688 bytes free

- - End Of File - - 5D90D107D018EFAD6E353E1D7872B32D
 
Do you have a Windows XP CD?


Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
winlogon.exe
explorer.exe
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
I do not have my disk.

OTL.Txt

OTL logfile created on: 9/12/2010 8:51:27 AM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 596.13 Gb Total Space | 430.70 Gb Free Space | 72.25% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HEATHERLUTZ
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/12 08:46:15 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/07/02 18:24:00 | 001,352,832 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/06/18 20:11:29 | 000,864,112 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/09/12 08:46:15 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\ComboFix\PEV.cfx -- (PEVSystemStart)
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\TEMP\012050~1.EXE -- (0120501284211202mcinstcleanup) McAfee Application Installer Cleanup (0120501284211202)
SRV - [2010/07/02 18:24:00 | 001,352,832 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/03/25 23:48:15 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2008/10/04 14:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2003/03/09 21:31:02 | 000,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva359.sys -- (XDva359)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva358.sys -- (XDva358)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva352.sys -- (XDva352)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2010/06/18 20:11:40 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/09/24 22:39:06 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2008/09/24 22:38:54 | 003,007,488 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/04/14 08:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 08:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/07/20 01:10:10 | 000,254,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel(R)
DRV - [2007/07/19 21:26:24 | 000,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2007/07/16 22:48:54 | 004,403,712 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2001/08/17 22:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 22:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 22:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 22:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 22:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 21:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 21:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 21:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 21:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 21:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 21:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 21:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 21:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 21:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 21:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USCON/1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{EBEAAD45-0E03-48F1-8CC7-B2B09A8D6E25}: C:\Documents and Settings\Heather Lutz\Local Settings\Application Data\{EBEAAD45-0E03-48F1-8CC7-B2B09A8D6E25}\


O1 HOSTS File: ([2010/09/11 15:23:35 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (XfireXO Toolbar) - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfi1.dll (Conduit Ltd.)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (XfireXO Toolbar) - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfi1.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [combofix] C:\ComboFix\CF12610.cfx File not found
O4 - HKLM..\Run: [Dell DataSafe Online] C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe ()
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [iPodVideoConverter_upgrade] C:\Program Files\E-Zsoft\iPodVideoConverter\iPodVideoConverter.exe (E-Z soft)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKCU..\Run: [AdobeUpdater6] C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file://C:\Program Files\Paradise Pet Salon\Images\stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} https://vo.mcbh.org/XTSAC.cab (XTSAC Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} https://vo.mcbh.org/MLWebCacheCleaner.cab (WebCacheCleaner Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} http://www.wildpockets.com/common/WildPocketsLoader-15079.cab (Wild Pockets Loader Plugin Control Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file://C:\Program Files\Paradise Pet Salon\Images\armhelper.ocx (ArmHelper Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.247.24.53 24.247.15.53 68.115.71.53
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 17:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co.jp/authors/VA012897/)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: VIDC.FPS1 - C:\WINDOWS\System32\frapsvid.dll (Beepa P/L)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.

========== Files/Folders - Created Within 90 Days ==========

[2010/09/12 08:46:14 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/09/11 15:07:28 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/09/11 08:31:33 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/11 08:27:11 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/11 08:27:11 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/11 08:27:11 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/11 08:27:11 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/11 08:27:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/11 08:23:49 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/10 22:48:55 | 001,293,400 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/09/10 22:48:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\WinRAR
[2010/09/08 18:07:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Audacity
[2010/09/08 17:37:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/09/01 16:00:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2010/09/01 16:00:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Yahoo!
[2010/09/01 16:00:08 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/08/30 21:30:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Windows Search
[2010/08/26 19:35:10 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/08/26 19:35:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/08/26 19:29:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE
[2010/08/26 18:03:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/08/26 18:01:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2010/08/26 17:32:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/08/14 07:52:45 | 000,000,000 | ---D | C] -- C:\Program Files\StepMania
[2010/08/13 17:55:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\SupportSoft
[2010/08/13 12:28:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\XfireXO
[2010/08/13 02:21:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple Computer
[2010/08/12 23:57:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/08/03 09:59:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe Systems
[2010/08/03 09:56:22 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe Systems Shared
[2010/08/03 05:40:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp
[2010/07/18 14:19:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Xfire
[2010/07/17 21:09:07 | 000,000,000 | ---D | C] -- C:\CFLog
[2010/07/17 19:52:50 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2010/07/17 19:52:48 | 000,000,000 | ---D | C] -- C:\Program Files\XfireXO
[2010/07/17 19:45:33 | 000,000,000 | ---D | C] -- C:\Program Files\Z8Games
[2010/07/04 23:28:28 | 000,000,000 | ---D | C] -- C:\Program Files\IDoser v4
[2010/07/04 23:24:32 | 000,000,000 | ---D | C] -- C:\Program Files\I-Doser
[2010/07/04 23:23:05 | 000,000,000 | ---D | C] -- C:\Program Files\SBaGen
[2010/07/02 22:34:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\inixwukvf
[2010/06/23 04:20:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/06/23 04:20:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/06/22 12:33:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/06/22 12:33:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/06/20 13:12:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/20 13:12:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/16 14:31:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/09/12 08:48:08 | 001,048,576 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/09/12 08:46:15 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/09/12 08:45:38 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/09/12 08:44:26 | 000,032,535 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/09/12 08:44:23 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/12 08:43:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/12 08:42:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/12 08:42:29 | 000,008,212 | ---- | M] () -- C:\WINDOWS\mfebcdata
[2010/09/12 03:31:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/11 18:31:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/11 18:00:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2010/09/11 15:35:43 | 000,000,562 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/09/11 15:28:54 | 003,712,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/09/11 15:23:40 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/11 15:23:35 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/09/11 15:13:07 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/09/11 15:00:55 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SystemLook.exe
[2010/09/11 09:49:00 | 000,000,404 | ---- | M] () -- C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1251465998.job
[2010/09/11 08:31:35 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/09/11 08:25:50 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/09/11 08:23:31 | 003,842,041 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/09/11 08:20:19 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/09/11 08:18:12 | 000,196,960 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/09/10 23:09:14 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/10 23:08:02 | 000,533,076 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/09/10 23:08:02 | 000,463,840 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/09/10 23:08:02 | 000,078,990 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/10 22:57:19 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/10 22:53:33 | 000,001,815 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/09/10 22:46:45 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
[2010/09/07 18:00:02 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/09/07 14:44:52 | 001,293,400 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/09/01 16:00:09 | 000,000,684 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2010/09/01 08:42:52 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/08/31 10:09:34 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/08/26 17:51:05 | 000,050,056 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/08/26 15:44:57 | 000,045,116 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/08/13 12:28:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/08/03 09:56:21 | 000,001,764 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Audition 3.0.lnk
[2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2010/06/18 20:12:22 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/06/18 20:11:40 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========
 
[2010/09/12 08:42:29 | 000,008,212 | ---- | C] () -- C:\WINDOWS\mfebcdata
[2010/09/11 15:00:55 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\SystemLook.exe
[2010/09/11 08:31:35 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/09/11 08:31:33 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/09/11 08:27:11 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/11 08:27:11 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/11 08:27:11 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/11 08:27:11 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/11 08:27:11 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/11 08:23:27 | 003,842,041 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/09/11 08:20:18 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/09/10 22:55:36 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/09/10 22:46:45 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
[2010/09/01 16:00:09 | 000,000,684 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2010/08/31 10:09:34 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/08/26 15:44:57 | 000,045,116 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/08/03 09:56:21 | 000,001,764 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Audition 3.0.lnk
[2010/01/17 10:51:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ABC_mru.ini
[2009/08/28 09:06:13 | 000,000,456 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/08 12:28:29 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/07/08 12:28:29 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/03/26 01:25:08 | 000,876,544 | ---- | C] () -- C:\WINDOWS\System32\TEACico2.dll
[2009/03/26 01:24:17 | 000,001,154 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/03/26 00:03:21 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/03/26 00:02:36 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2008/04/25 17:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2005/05/28 21:45:43 | 000,647,168 | ---- | C] () -- C:\WINDOWS\System32\pqdvdb.dll

========== LOP Check ==========

[2010/09/08 18:09:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Audacity
[2009/03/25 23:37:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2010/08/30 21:30:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Search
[2010/09/11 08:25:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/06/06 17:13:24 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/07/08 12:28:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\doubleTwist Corporation
[2010/07/17 09:21:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2010/06/23 03:08:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2010/07/17 09:22:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/06/06 17:06:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2009/03/25 23:50:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2009/03/25 23:50:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2009/10/10 14:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
[2009/03/25 23:50:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2009/07/08 12:39:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/03/25 23:48:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2009/12/30 12:28:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/04/03 20:07:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/06/06 00:53:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/05/21 20:10:05 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2009/04/17 19:38:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/09/12 08:45:38 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/09/11 09:49:00 | 000,000,404 | ---- | M] () -- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1251465998.job
[2009/06/15 01:00:00 | 000,000,356 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/11/01 01:00:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2010/09/11 18:00:00 | 000,000,460 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Registration.job
[2009/12/29 01:43:03 | 000,000,434 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Update Version2.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/09/12 08:43:49 | 000,130,089 | ---- | M] () -- C:\aaw7boot.log
[2008/04/25 17:29:32 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/09/01 08:42:52 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/09/11 08:31:35 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2010/09/11 15:24:43 | 000,019,118 | ---- | M] () -- C:\ComboFix.txt
[2008/04/25 17:29:32 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/03/26 01:25:54 | 000,004,653 | RH-- | M] () -- C:\dell.sdr
[2009/08/28 09:21:46 | 000,000,526 | -H-- | M] () -- C:\hpothb07.dat
[2009/08/28 09:21:46 | 000,001,001 | -H-- | M] () -- C:\hpothb07.tif
[2008/04/25 17:29:32 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2008/04/25 17:29:32 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2008/09/03 20:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\npbittorrent.dll
[2008/04/14 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 08:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/09/12 08:43:55 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2010/09/11 08:20:27 | 000,000,408 | ---- | M] () -- C:\rkill.log
[2010/09/10 22:49:49 | 000,045,640 | ---- | M] () -- C:\TDSSKiller.2.4.2.1_10.09.2010_22.48.57_log.txt

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2008/04/25 17:29:00 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2007/10/21 20:00:00 | 000,027,136 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD97.DLL
[2007/10/21 20:00:00 | 000,069,632 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP97.DLL
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/10/26 20:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[1998/08/30 11:48:18 | 000,135,168 | ---- | M] () -- C:\WINDOWS\Lens32.scr
[2008/12/04 23:55:20 | 000,307,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2008/04/25 05:21:09 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/04/25 05:21:09 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/04/25 05:21:09 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2008/04/25 17:29:41 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2008/04/25 17:33:03 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2008/04/25 17:33:01 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2010/09/11 08:23:31 | 003,842,041 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/09/10 22:46:45 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe
[2010/09/12 08:46:15 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/09/11 15:00:55 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SystemLook.exe
[2010/09/07 14:44:52 | 001,293,400 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >
 
< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2008/04/14 08:00:00 | 000,000,791 | ---- | M] () -- C:\WINDOWS\addins\fxsext.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2008/04/25 17:33:01 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Administrator\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2010/09/12 08:50:37 | 000,049,152 | -HS- | M] () -- C:\Documents and Settings\Administrator\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >
[2008/04/14 08:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
[2007/04/03 07:37:24 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
[2007/04/03 07:37:24 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
[2008/05/02 10:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
[2008/04/14 07:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
[2008/04/14 13:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2007/04/03 07:37:24 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
[2007/04/03 07:37:24 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
[2007/04/03 07:37:26 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
[2007/04/03 07:37:28 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
[2007/04/03 07:34:02 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


< MD5 for: EXPLORER.EXE >
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=9AB873E5C3DE27BCDEA5343EA6EA95CB -- C:\WINDOWS\explorer.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=6BA2B344AD063BB35ADA1D33EFF8FA2B -- C:\WINDOWS\system32\winlogon.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5B3A4EC2
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:242231A9
@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B9D8E22
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:94D41096
< End of report >
 
Extras

OTL Extras logfile created on: 9/12/2010 8:51:28 AM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 596.13 Gb Total Space | 430.70 Gb Free Space | 72.25% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HEATHERLUTZ
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Steam\steamapps\d3m0nc1aw\team fortress classic\hl.exe" = C:\Program Files\Steam\steamapps\d3m0nc1aw\team fortress classic\hl.exe:*:Enabled:Team Fortress Classic -- (Valve)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}" = Dell DataSafe Online
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 17
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2B4C7E1E-E446-4740-ADB5-9842E742EE8A}" = Windows Live Toolbar
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}" = Adobe Audition 3.0
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{87841AF8-C785-42FF-A76E-CC0F0C2816CC}" = ATI Catalyst Control Center
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{903679E8-44C8-4C07-9600-05C92654FC50}" = QualXServ Service Agreement
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C900EF06-2E76-49C7-8DB0-41F629B21DC5}" = hp psc 1200 series
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}" = Adobe Audition 3.0.1 Patch
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"7-Zip" = 7-Zip 4.57
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Audition 3.0" = Adobe Audition 3.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Advanced Batch Converter" = Advanced Batch Converter
"ATI Display Driver" = ATI Display Driver
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.11 (Unicode)
"AviSynth" = AviSynth 2.5
"AVS Audio Converter 5.1_is1" = AVS Audio Converter version 5.1
"AVS Update Manager_is1" = AVS Update Manager 1.0
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Cross Fire_is1" = Cross Fire En
"Digital Media Converter_is1" = Digital Media Converter 2.7
"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
"FL Studio 9" = FL Studio 9
"Fraps" = Fraps
"Free iPod Video Converter_is1" = Free iPod Video Converter 1.34
"Frets on Fire" = Frets On Fire
"Google Chrome" = Google Chrome
"GoToAssist" = GoToAssist 8.0.0.514
"Hardcore" = Hardcore
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HP PSC 1200 Series" = HP Photo and Imaging 2.0 - hp psc 1200 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"I-Doser 4.50" = I-Doser 4.50
"ie8" = Windows Internet Explorer 8
"IL Download Manager" = IL Download Manager
"LimeWire" = LimeWire 5.1.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mpeg2Decoder_is1" = Mpeg2Decoder 1.3
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Product_Name" = Risk 2
"PROSet" = Intel(R) PRO Network Connections Drivers
"PSP ToolKit_is1" = PSP Toolkit 1.1
"Sawer" = Sawer
"SBaGen_is1" = SBaGen 1.4.4
"Steam App 20" = Team Fortress Classic
"Steam App 218" = Source SDK Base - Orange Box
"Steam App 440" = Team Fortress 2
"StepMania" = StepMania 3.9a (remove only)
"Toxic Biohazard" = Toxic Biohazard
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XfireXO Toolbar" = XfireXO Toolbar
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
 
========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/12/2010 8:41:50 AM | Computer Name = HEATHERLUTZ | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 9/12/2010 8:41:50 AM | Computer Name = HEATHERLUTZ | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 16839296

Error - 9/12/2010 8:41:50 AM | Computer Name = HEATHERLUTZ | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 16839296

Error - 9/12/2010 8:41:52 AM | Computer Name = HEATHERLUTZ | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 9/12/2010 8:41:52 AM | Computer Name = HEATHERLUTZ | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 16841250

Error - 9/12/2010 8:41:52 AM | Computer Name = HEATHERLUTZ | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 16841250

Error - 9/12/2010 8:42:04 AM | Computer Name = HEATHERLUTZ | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 9/12/2010 8:42:04 AM | Computer Name = HEATHERLUTZ | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 9/12/2010 8:42:04 AM | Computer Name = HEATHERLUTZ | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 9/12/2010 8:42:04 AM | Computer Name = HEATHERLUTZ | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 9/11/2010 3:13:06 PM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 9/11/2010 3:14:13 PM | Computer Name = HEATHERLUTZ | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm mfehidk

Error - 9/11/2010 3:14:21 PM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 9/11/2010 3:16:29 PM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 9/11/2010 3:16:35 PM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 9/11/2010 3:32:01 PM | Computer Name = HEATHERLUTZ | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 9/12/2010 8:44:23 AM | Computer Name = HEATHERLUTZ | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm mfehidk

Error - 9/12/2010 8:44:30 AM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 9/12/2010 8:46:17 AM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 9/12/2010 8:46:18 AM | Computer Name = HEATHERLUTZ | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service McNASvc with
arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}


< End of report >
 
Open Windows Explorer. Go to Tools > Folder Options > View tab, and put a checkmark next to Show hidden files and folders.
Upload the following files to http://www.virustotal.com/ for a security check:
- C:\WINDOWS\explorer.exe
- C:\WINDOWS\system32\winlogon.exe
IMPORTANT! If the file is listed as already analyzed, click on the Reanalyse file now button.
Post scan results.
 
Explorer

Antivirus Version Last Update Result
AhnLab-V3 2010.09.12.01 2010.09.12 Win-Trojan/Patched.BT
AntiVir 8.2.4.50 2010.09.12 -
Antiy-AVL 2.0.3.7 2010.09.12 -
Authentium 5.2.0.5 2010.09.11 W32/Patched.B
Avast 4.8.1351.0 2010.09.12 -
Avast5 5.0.594.0 2010.09.12 Win32:Bamital-X
AVG 9.0.0.851 2010.09.12 Win32/Patched.FL
BitDefender 7.2 2010.09.12 Win32.Loader.O
CAT-QuickHeal 11.00 2010.09.10 Trojan.Patched.JW
ClamAV 0.96.2.0-git 2010.09.12 -
Comodo 6058 2010.09.12 -
DrWeb 5.0.2.03300 2010.09.12 Win32.Dat.3
Emsisoft 5.0.0.37 2010.09.12 Virus.Win32.Bamital!IK
eSafe 7.0.17.0 2010.09.12 -
eTrust-Vet 36.1.7850 2010.09.12 Win32/Patcher.F
F-Prot 4.6.1.107 2010.09.12 W32/Patched.B
F-Secure 9.0.15370.0 2010.09.11 Win32.Loader.O
Fortinet 4.1.143.0 2010.09.12 -
GData 21 2010.09.12 Win32.Loader.O
Ikarus T3.1.1.88.0 2010.09.12 Virus.Win32.Bamital
Jiangmin 13.0.900 2010.09.12 -
K7AntiVirus 9.63.2496 2010.09.11 Virus
Kaspersky 7.0.0.125 2010.09.12 Trojan.Win32.Patched.kl
McAfee 5.400.0.1158 2010.09.12 W32/Bamital.a
McAfee-GW-Edition 2010.1B 2010.09.12 -
Microsoft 1.6103 2010.09.12 Virus:Win32/Bamital.C
NOD32 5445 2010.09.12 Win32/Bamital.DX
Norman 6.06.06 2010.09.12 W32/Patched.Q
nProtect 2010-09-12.01 2010.09.12 Trojan/W32.Bamital
Panda 10.0.2.7 2010.09.12 W32/Patched.AC
PCTools 7.0.3.5 2010.09.12 Trojan.Bamital
Prevx 3.0 2010.09.12 -
Rising 22.64.06.00 2010.09.12 Trojan.Win32.Generic.522811B8
Sophos 4.57.0 2010.09.12 Troj/Patched-O
Sunbelt 6867 2010.09.12 Virus.Win32.Bamital.c (v)
SUPERAntiSpyware 4.40.0.1006 2010.09.12 -
Symantec 20101.1.1.7 2010.09.12 Trojan.Bamital!inf
TheHacker 6.7.0.0.016 2010.09.12 -
TrendMicro 9.120.0.1004 2010.09.12 PE_PATCHED.AM
TrendMicro-HouseCall 9.120.0.1004 2010.09.12 PE_PATCHED.AM
VBA32 3.12.14.0 2010.09.08 -
ViRobot 2010.9.8.4031 2010.09.12 Win32.Patched.AF
VirusBuster 12.65.2.0 2010.09.12 -
Additional information
MD5 : 9ab873e5c3de27bcdea5343ea6ea95cb
SHA1 : 67d39b2553ca272f277d95239c68c56e1b07d5f0
SHA256: 16f37a7c2146c6789dbceddd7cd0af36d331fd726073125b3979369460c938c9

WinLogon

Antivirus Version Last Update Result
AhnLab-V3 2010.09.12.01 2010.09.12 Win-Trojan/Patched.BT
AntiVir 8.2.4.50 2010.09.12 -
Antiy-AVL 2.0.3.7 2010.09.12 Trojan/Win32.Patched.gen
Authentium 5.2.0.5 2010.09.11 W32/Patched.B
Avast 4.8.1351.0 2010.09.12 -
Avast5 5.0.594.0 2010.09.12 Win32:Bamital-X
AVG 9.0.0.851 2010.09.12 Win32/Patched.FM
BitDefender 7.2 2010.09.12 Win32.Loader.O
CAT-QuickHeal 11.00 2010.09.10 Trojan.Patched.JW
ClamAV 0.96.2.0-git 2010.09.12 -
Comodo 6058 2010.09.12 -
DrWeb 5.0.2.03300 2010.09.12 Win32.Dat.3
Emsisoft 5.0.0.37 2010.09.12 Trojan.Win32.Patched!IK
eSafe 7.0.17.0 2010.09.12 -
eTrust-Vet 36.1.7850 2010.09.12 Win32/Patcher.F
F-Prot 4.6.1.107 2010.09.12 W32/Patched.B
F-Secure 9.0.15370.0 2010.09.11 Win32.Loader.O
Fortinet 4.1.143.0 2010.09.12 -
GData 21 2010.09.12 Win32.Loader.O
Ikarus T3.1.1.88.0 2010.09.12 Trojan.Win32.Patched
Jiangmin 13.0.900 2010.09.12 TrojanDownloader.Small.asus
K7AntiVirus 9.63.2496 2010.09.11 Virus
Kaspersky 7.0.0.125 2010.09.12 Trojan.Win32.Patched.kl
McAfee 5.400.0.1158 2010.09.12 W32/Bamital.a
McAfee-GW-Edition 2010.1B 2010.09.12 -
Microsoft 1.6103 2010.09.12 Virus:Win32/Bamital.C
NOD32 5445 2010.09.12 Win32/Bamital.DX
Norman 6.06.06 2010.09.12 W32/Patched.Q
nProtect 2010-09-12.01 2010.09.12 Trojan/W32.Bamital
Panda 10.0.2.7 2010.09.12 W32/Patched.AC
PCTools 7.0.3.5 2010.09.12 Trojan.Bamital
Prevx 3.0 2010.09.12 -
Rising 22.64.06.00 2010.09.12 Trojan.Win32.Generic.5222CCBB
Sophos 4.57.0 2010.09.12 Troj/Patched-O
Sunbelt 6867 2010.09.12 Trojan.Win32.Generic!BT
SUPERAntiSpyware 4.40.0.1006 2010.09.12 -
Symantec 20101.1.1.7 2010.09.12 Trojan.Bamital!inf
TheHacker 6.7.0.0.016 2010.09.12 -
TrendMicro 9.120.0.1004 2010.09.12 PE_PATCHED.AM
TrendMicro-HouseCall 9.120.0.1004 2010.09.12 PE_PATCHED.AM
VBA32 3.12.14.0 2010.09.08 -
ViRobot 2010.9.8.4031 2010.09.12 Win32.Patched.AF
VirusBuster 12.65.2.0 2010.09.12 -
Additional information
MD5 : 6ba2b344ad063bb35ada1d33eff8fa2b
SHA1 : cbebd2dfef87a87274c2d2dce7075e8d01d8198b
SHA256: 09dca849d31d55648f1694fdc0dac327027b4b109f93e99ff837368a48112aab
 
Yeah, this is bad and we have to replace those two files.

Download zipped explorer.exe and winlogon.exe files from HERE

Unzip both files and copy both of them to your C:\ folder.

When done...


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    winlogon.exe
    explorer.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Yeah this is bad haha.
Ummm when I tried to replace the file it told me that access was denied.
Was my goal to replace it or only place it in there?
 
Please, read my instructions VERY carefully.
This is a very dangerous part.
If you do something wrong, we're in trouble!!

I said:
Unzip both files and copy both of them to your C:\ folder.
 
Ok it's done. Sorry it has been a while since my last reply; disadvantages of being a high school student with homework-pushing teachers.

System Look Log:

SystemLook 04.09.10 by jpshortstuff
Log created at 19:51 on 14/09/2010 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.exe"
C:\winlogon.exe --a---- 507904 bytes [23:49 14/09/2010] [05:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] 6BA2B344AD063BB35ADA1D33EFF8FA2B

Searching for "explorer.exe"
C:\explorer.exe --a---- 1033728 bytes [23:26 12/09/2010] [09:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 9AB873E5C3DE27BCDEA5343EA6EA95CB

-= EOF =-
 
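The SystemLook log above is the check that decides whether a system binary has been tampered with: the clean copy dropped in C:\ and the copy in the Windows directory have the same size but different MD5 hashes, which is what an in-place patch of explorer.exe or winlogon.exe looks like and matches the "Patched"/"Bamital" verdicts in the VirusTotal results earlier in the thread. The script below is an added example, not part of SystemLook or OTL: it parses the `:filefind` result lines (the sample input is copied from the log posted in this thread) and reports every copy whose hash differs from the reference copy, following the helper's convention that the clean reference copy sits in the C:\ root; that location is the one assumption baked in.

```python
"""Parse SystemLook ':filefind' output and compare every copy of a system
binary against the clean reference copy placed in the drive root.

Added example, not SystemLook or OTL code. The sample log lines are copied
from the SystemLook log posted in the thread; the reference location C:\\
follows the helper's instructions there and is an assumption of this script.
"""
import re
from collections import defaultdict

# One SystemLook filefind result line, e.g.
# C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 9AB873E5...
# Fields: path, 7 attribute flags, size, two bracketed timestamps, MD5.
FILEFIND_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Sample input: the filefind section of the log posted in the thread.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "winlogon.exe"
C:\winlogon.exe --a---- 507904 bytes [23:49 14/09/2010] [05:36 21/03/2008] B8135E9ED99A0858DF535CE0A0271558
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] 6BA2B344AD063BB35ADA1D33EFF8FA2B

Searching for "explorer.exe"
C:\explorer.exe --a---- 1033728 bytes [23:26 12/09/2010] [09:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 9AB873E5C3DE27BCDEA5343EA6EA95CB

-= EOF =-
"""


def parse_filefind(text):
    """Return {basename_lower: [entry, ...]} for every result line in a filefind log."""
    entries = defaultdict(list)
    for raw in text.splitlines():
        m = FILEFIND_LINE.match(raw.strip())
        if not m:
            continue  # section headers, 'Searching for' lines, blanks, '-= EOF =-'
        entry = m.groupdict()
        if "\\" not in entry["path"]:
            continue  # not a Windows path; nothing to group by
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entry["dir"], entry["name"] = entry["path"].rsplit("\\", 1)
        entries[entry["name"].lower()].append(entry)
    return dict(entries)


def compare_against_reference(entries, reference_dir="C:\\"):
    """Compare each copy of a file with the single reference copy in reference_dir.

    A copy whose MD5 differs from the reference is 'mismatch'; 'same_size'
    records whether the lengths agree, since an in-place patch keeps the
    size and changes only the hash. Files without exactly one reference copy
    are reported as 'no_reference' rather than silently skipped.
    """
    ref_dir = reference_dir.rstrip("\\").lower()
    findings = []
    for name, copies in entries.items():
        refs = [e for e in copies if e["dir"].rstrip("\\").lower() == ref_dir]
        if len(refs) != 1:
            findings.append({"file": name, "path": None,
                             "status": "no_reference", "same_size": None})
            continue
        ref = refs[0]
        for e in copies:
            if e is ref:
                continue
            status = "match" if e["md5"] == ref["md5"] else "mismatch"
            findings.append({"file": name, "path": e["path"], "status": status,
                             "same_size": e["size"] == ref["size"]})
    return findings


if __name__ == "__main__":
    for f in compare_against_reference(parse_filefind(SAMPLE_LOG)):
        print(f"{f['status']:12} {f['path']}  same size as reference: {f['same_size']}")
```

Run against the posted log, both Windows copies come back as `mismatch` with `same_size` true, which is the pattern that justified replacing the two files in the next step; a copy that already matched the reference hash would be reported as `match` and needs no replacement.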
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\system32\winlogon.exe|C:\winlogon.exe /replace
    C:\WINDOWS\explorer.exe|C:\explorer.exe /replace
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Post a fresh SystemLook log (same script as in my reply #17)
 
OTL Log:

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
Unable to replace file: C:\WINDOWS\system32\winlogon.exe with C:\winlogon.exe without a reboot.
Unable to replace file: C:\WINDOWS\explorer.exe with C:\explorer.exe without a reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 66560 bytes
->Temporary Internet Files folder emptied: 39568250 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1441 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 321 bytes

User: Heather Lutz

User: Katy Lutz
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 168679 bytes
->Java cache emptied: 11407713 bytes
->Flash cache emptied: 291173 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 9050 bytes
->Flash cache emptied: 15229 bytes

User: Madison Bryant
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 157915 bytes
->Java cache emptied: 549074 bytes
->Flash cache emptied: 40431 bytes

User: Michael Bryant
->Temp folder emptied: 638138 bytes
->Temporary Internet Files folder emptied: 328823 bytes
->Java cache emptied: 72870198 bytes
->Google Chrome cache emptied: 57814924 bytes
->Flash cache emptied: 109327 bytes

User: Natalie Lutz
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 157915 bytes
->Java cache emptied: 7617538 bytes
->Flash cache emptied: 15907830 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 32208 bytes
->Flash cache emptied: 51410 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 102417 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1739425 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 200.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Heather Lutz

User: Katy Lutz
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: Madison Bryant
->Flash cache emptied: 0 bytes

User: Michael Bryant
->Flash cache emptied: 0 bytes

User: Natalie Lutz
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.12.0 log created on 09152010_161315

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBF5C.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBF69.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBFC3.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBFD0.tmp not found!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JUUVHE8V\topic153181-2[1].html moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CYLX7523\sh23[1].html moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0JMSTF6Y\01[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0JMSTF6Y\ads[8].htm moved successfully.
File\Folder C:\WINDOWS\temp\mcmsc_KpVtt8xdgdkeawO not found!

Registry entries deleted on Reboot...
 

I did. But I ran SystemLook again.



Administrator - Elevation successful

Invalid Context: OTL

Invalid Context: Services

========== Reg ==========

Invalid Context: Files

No Context: C:\WINDOWS\system32\winlogon.exe|C:\winlogon.exe /replace

No Context: C:\WINDOWS\explorer.exe|C:\explorer.exe /replace

Invalid Context: Commands

No Context: [purity]

No Context: [emptytemp]

No Context: [emptyflash]

No Context: [Reboot]

-= EOF =-
 
This is not a SystemLook log.
I said: like in my reply #17.
I asked you before to be careful and to pay attention, or we'll screw something up pretty good.
 