Solved: Strange winlogon.exe infection that can't be removed because it's read only?


robynloraine

Hello all.

I decided to join your website because I couldn't find anywhere else that seemed like it could help with this problem. I searched for similar topics but only two came up, one that was only sort of like my issue and another that had nearly no responses.

A couple of weeks ago I got infected with a 'browser hijacker' that made Firefox redirect me to random sites when searching through Google. Apparently my AVG hadn't been keeping anything out. I got Avast and Malwarebytes (and Google Chrome with Avast, which has not yet had the same redirecting issue Firefox had; I had to uninstall Firefox because it simply wouldn't let me do any searches). I ran a scan in safe mode and thought I'd gotten rid of the infection, which I was told by Malwarebytes was called Vundo.

Now, I ran Avast yesterday and keep getting a strange infection called win32:Bamital-X (it shows up under winlogon.exe in the system32 folder) that, no matter what I try, I can't delete because it keeps telling me it's a "read only 6009" file. I run Malwarebytes and it doesn't pick anything up. I ran both in safe mode again and not even Avast got it then! Avast also keeps giving me a popup that says it blocked bamital-x from executing whenever I run Avast. My computer is getting extremely slow.


Here is my most recent Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4412

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

8/19/2010 4:44:16 PM
mbam-log-2010-08-19 (16-44-16).txt

Scan type: Quick scan
Objects scanned: 140700
Time elapsed: 10 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Not sure what else I need to post. Any help is appreciated.
 
Welcome aboard


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
 
Hello! I looked through those steps. I was unable to get GMER to work properly, although I do not have Windows 7 (I have XP). However, I got DDS to work, so here are the two logs from that (I attached the one I'm not supposed to copy-paste here, so I hope that's right).


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 20:14:54.45 on Thu 08/19/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.879.349 [GMT -6:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3512
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3512
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=aNSF2kg7YKwVX4Asp9iBcXeqUyE
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3512
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {206f3977-fc89-479f-b62e-73560319ee2a} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Linksys Wireless Manager] "c:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252447483984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\katenugu.dll c:\windows\system32\dobipimo.dll c:\windows\system32\hapoyivu.dll c:\windows\system32\fodevuna.dll c:\windows\system32\zizatewa.dll c:\windows\system32\jajovoga.dll c:\windows\system32\dabukido.dll c:\windows\system32\bolivovi.dll c:\windows\system32\faruregi.dll,c:\windows\system32\vamonumi.dll
LSA: Notification Packages = scecli l3dfclni.dll c:\windows\system32\vamonumi.dll
Hosts: 209.44.111.62 surety.microsoft.com
Hosts: 209.44.111.62 aware-protect.com
Hosts: 209.44.111.62 www.aware-protect.com

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-8 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-8 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-8 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-8 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-8 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-8 136176]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2009-9-11 627072]

=============== Created Last 30 ================

2010-08-10 09:28:33 0 d-----w- C:\RegBack
2010-08-10 09:28:16 0 d-----w- c:\windows\system32\NtmsData
2010-08-10 09:26:55 0 d-----w- c:\program files\ACW
2010-08-10 03:04:11 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-08-10 03:03:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-10 03:03:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-10 03:03:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-10 03:03:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-09 06:12:02 0 d-----w- c:\docume~1\owner\applic~1\.clamwin
2010-08-09 06:11:12 0 d-----w- c:\program files\ClamWin
2010-08-09 06:11:12 0 d-----w- c:\documents and settings\all users\.clamwin
2010-08-09 04:24:10 38848 ----a-w- c:\windows\avastSS.scr
2010-08-09 04:23:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-08-09 03:36:01 0 d-----w- C:\NetworkControl
2010-08-09 03:31:00 0 d-----w- C:\d467db2a9be49790e3830233b0

==================== Find3M ====================

2009-04-12 13:29:43 2098 --sh--w- c:\windows\system32\bibegipe.exe
2009-03-28 17:09:41 2098 --sh--w- c:\windows\system32\bodolali.exe
2009-04-24 09:36:17 2098 --sh--w- c:\windows\system32\fuguyelo.exe
2009-03-30 17:10:23 2098 --sh--w- c:\windows\system32\gifuyovi.exe
2009-03-30 05:10:24 2098 --sh--w- c:\windows\system32\kabujupe.exe
2009-03-29 17:10:07 2098 --sh--w- c:\windows\system32\lijohoyo.exe
2009-03-29 05:10:01 2098 --sh--w- c:\windows\system32\yurezasa.exe

============= FINISH: 20:15:29.01 ===============
 

Attachment: Attach.txt (14.2 KB)
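The DDS report above is what the helper reads to spot the infection. As an added illustration (not part of the original thread and not code from the DDS tool), the following Python script applies the checks a reviewer applies to the "Pseudo HJT Report" and "Find3M" lines: any AppInit_DLLs entry, LSA notification packages beyond the XP default scecli, Hosts entries that redirect a name to a non-loopback address, and hidden+system executables in system32 with random eight-letter names or identical sizes. The sample lines are constructed from entries in that log, and the eight-letter-name heuristic is an assumption about this particular dropper.

```python
"""Triage checks for DDS 'Pseudo HJT Report' and 'Find3M' lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines in the shape of the DDS report posted in the thread,
# plus a benign helpsvc.exe entry as a negative control.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\katenugu.dll c:\windows\system32\dobipimo.dll,c:\windows\system32\vamonumi.dll
LSA: Notification Packages = scecli l3dfclni.dll c:\windows\system32\vamonumi.dll
Hosts: 209.44.111.62 surety.microsoft.com
Hosts: 209.44.111.62 aware-protect.com
2009-04-12 13:29:43 2098 --sh--w- c:\windows\system32\bibegipe.exe
2009-03-28 17:09:41 2098 --sh--w- c:\windows\system32\bodolali.exe
2010-06-14 14:30:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    category: str  # which check fired
    detail: str    # the value that triggered it


# Windows XP ships with exactly one LSA notification (password filter) package.
DEFAULT_LSA_PACKAGES = {"scecli"}
# A Hosts entry pointing at loopback blocks a name; any other address redirects it.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# DDS file line: "YYYY-MM-DD HH:MM:SS size attrs path"
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) ([-a-z]{8}) (.+)$")
# Assumption: the dropper seen in this thread uses file names of 8 lowercase letters.
RANDOM_STEM = re.compile(r"[a-z]{8}")


def split_dll_list(value: str) -> list[str]:
    """DDS separates AppInit_DLLs entries with spaces and/or commas."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    hidden_sys_exes: dict[int, list[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that loads user32.dll;
            # the value is normally empty on XP, so each entry is reported for review.
            for dll in split_dll_list(line.split(":", 1)[1]):
                findings.append(Finding("appinit_dll", dll))
        elif line.startswith("LSA: Notification Packages"):
            # DLLs listed here are loaded by lsass.exe; only scecli is stock on XP.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(Finding("lsa_notification_package", pkg))
        elif line.startswith("Hosts:"):
            parts = line.split()
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                findings.append(Finding("hosts_redirect", f"{parts[2]} -> {parts[1]}"))
        else:
            m = FILE_LINE.match(line)
            if not m:
                continue
            size, attrs, path = int(m.group(3)), m.group(4), m.group(5)
            lower = path.lower()
            hidden_system = "s" in attrs and "h" in attrs
            if hidden_system and lower.endswith(".exe") and "\\system32\\" in lower:
                hidden_sys_exes.setdefault(size, []).append(path)
                stem = lower.rsplit("\\", 1)[-1][:-4]
                if RANDOM_STEM.fullmatch(stem):
                    findings.append(Finding("random_name_hidden_exe", path))
    # Several hidden+system executables of identical size is a dropper pattern.
    for size, paths in hidden_sys_exes.items():
        if len(paths) > 1:
            findings.append(Finding("identical_size_hidden_exes", f"{size} bytes x{len(paths)}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, for a quick overview of a log."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.category:28} {f.detail}")
    print(summarize(triage(SAMPLE_DDS)))
```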
You have some McAfee leftovers.
Please, run McAfee Consumer Product Removal Tool: http://www.softpedia.com/get/Tweak/Uninstallers/McAfee-Consumer-Product-Removal-Tool.shtml

=========================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Here's the Combofix report


ComboFix 10-08-18.04 - Owner 08/19/2010 20:48:35.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.879.468 [GMT -6:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\{38A4C859-C69A-4C61-B87D-848A310AAD23}
c:\documents and settings\Owner\Local Settings\Application Data\{38A4C859-C69A-4C61-B87D-848A310AAD23}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{38A4C859-C69A-4C61-B87D-848A310AAD23}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{38A4C859-C69A-4C61-B87D-848A310AAD23}\chrome\content\c.js
c:\documents and settings\Owner\Local Settings\Application Data\{38A4C859-C69A-4C61-B87D-848A310AAD23}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{38A4C859-C69A-4C61-B87D-848A310AAD23}\install.rdf
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\uses32.dat
C:\NetworkControl
c:\windows\Fonts\mlog
c:\windows\Install.txt
c:\windows\system32\bibegipe.exe
c:\windows\system32\ekanivev.ini
c:\windows\system32\emapavud.ini
c:\windows\system32\epezuwiw.ini
c:\windows\system32\Install.txt
c:\windows\system32\isejupaw.ini
c:\windows\system32\obekalin.ini
c:\windows\system32\odoboyek.ini
c:\windows\system32\okuwotun.ini
c:\windows\system32\omuyoreg.ini
c:\windows\system32\owalulis.ini
c:\windows\system32\ukavuwon.ini
c:\windows\system32\umemaziv.ini
c:\windows\system32\utiwabon.ini
c:\windows\system32\uvimever.ini
c:\windows\system32\uyatavat.ini
c:\windows\system32\uyukofef.ini
D:\Autorun.inf

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_MSNCACHE
-------\Legacy_PCMSTUB
-------\Legacy_SOPIDKC
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
.

2010-08-10 16:36 . 2010-08-10 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-10 09:28 . 2010-08-10 09:28 -------- d-----w- C:\RegBack
2010-08-10 09:28 . 2010-08-10 09:29 -------- d-----w- c:\windows\system32\NtmsData
2010-08-10 09:26 . 2010-08-10 16:27 -------- d-----w- c:\program files\ACW
2010-08-10 03:04 . 2010-08-10 03:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-08-10 03:03 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-10 03:03 . 2010-08-10 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-10 03:03 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-10 03:03 . 2010-08-10 03:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-09 06:12 . 2010-08-09 06:13 -------- d-----w- c:\documents and settings\Owner\Application Data\.clamwin
2010-08-09 06:11 . 2010-08-09 06:11 -------- d-----w- c:\program files\ClamWin
2010-08-09 06:11 . 2010-08-09 06:11 -------- d-----w- c:\documents and settings\All Users\.clamwin
2010-08-09 04:31 . 2010-08-09 04:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-08-09 04:26 . 2010-08-19 22:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2010-08-09 04:26 . 2010-08-09 04:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-08-09 04:25 . 2010-08-09 04:28 -------- d-----w- c:\program files\Google
2010-08-09 04:25 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-09 04:25 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-09 04:25 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-09 04:25 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-09 04:25 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-08-09 04:25 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-08-09 04:25 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-09 04:24 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-09 04:24 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-09 04:23 . 2010-08-09 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-09 03:31 . 2010-08-09 04:50 -------- d-----w- C:\d467db2a9be49790e3830233b0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-14 06:19 . 2009-09-08 22:01 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-08-10 05:46 . 2008-10-29 22:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-10 05:46 . 2008-10-29 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-09 07:45 . 2009-07-08 18:03 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-09 04:48 . 2009-03-29 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-08-09 04:23 . 2008-10-29 19:32 -------- d-----w- c:\program files\Alwil Software
2010-08-08 12:31 . 2010-01-21 06:07 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-06-14 14:30 . 2008-04-27 21:49 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2009-03-28 17:09 . 2009-03-28 17:09 2098 --sh--w- c:\windows\system32\bodolali.exe
2009-04-24 09:36 . 2009-04-24 09:36 2098 --sh--w- c:\windows\system32\fuguyelo.exe
2009-03-30 17:10 . 2009-03-30 17:10 2098 --sh--w- c:\windows\system32\gifuyovi.exe
2009-03-30 05:10 . 2009-03-30 05:10 2098 --sh--w- c:\windows\system32\kabujupe.exe
2009-03-29 17:10 . 2009-03-29 17:10 2098 --sh--w- c:\windows\system32\lijohoyo.exe
2009-03-29 05:10 . 2009-03-29 05:10 2098 --sh--w- c:\windows\system32\yurezasa.exe
.

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe
[-] 2004-08-04 . 8E269F080887F222AD9BB26B6792FEAA . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-05-24 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\TEMP\\vlc-1.0.3\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/8/2010 10:25 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/8/2010 10:25 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/8/2010 10:26 PM 136176]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [9/11/2009 3:45 PM 627072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 04:25]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3512
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=aNSF2kg7YKwVX4Asp9iBcXeqUyE
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{206f3977-fc89-479f-b62e-73560319ee2a} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-19 20:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1000)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-08-19 21:03:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-20 03:03

Pre-Run: 42,089,943,040 bytes free
Post-Run: 42,185,531,392 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 906D5AF9954E8698A236BB344F0243BD
 
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\bodolali.exe
c:\windows\system32\fuguyelo.exe
c:\windows\system32\gifuyovi.exe
c:\windows\system32\kabujupe.exe
c:\windows\system32\lijohoyo.exe
c:\windows\system32\yurezasa.exe


Folder::
c:\documents and settings\All Users\Application Data\avg8


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: CFScript.gif)



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Hello. I have gone ahead and done that. The log is very long so I have to attach it. I would also like to note that I am still getting the Avast alerts of 'Malware Blocked' for bamital-x even after running combofix.
 

Attachment: log.txt (88.2 KB)
You're still infected, that's why...

Make sure your Avast is updated. Run a full scan.
Report on any findings.

When done, delete your Combofix file, download a fresh one and post a new log.
 
Ran a full scan with Avast; I got two bamital-x's.

Ran a new Combofix. Here's the log.


ComboFix 10-08-18.04 - Owner 08/20/2010 0:17.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.879.309 [GMT -6:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
.

2010-08-10 16:36 . 2010-08-10 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-10 16:34 . 2008-10-29 05:25 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2010-08-10 16:34 . 2008-10-29 05:25 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2010-08-10 09:28 . 2010-08-10 09:28 -------- d-----w- C:\RegBack
2010-08-10 09:28 . 2010-08-10 09:29 -------- d-----w- c:\windows\system32\NtmsData
2010-08-10 09:26 . 2010-08-10 16:27 -------- d-----w- c:\program files\ACW
2010-08-10 03:04 . 2010-08-10 03:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-08-10 03:03 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-10 03:03 . 2010-08-10 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-10 03:03 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-10 03:03 . 2010-08-10 03:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-09 06:12 . 2010-08-09 06:13 -------- d-----w- c:\documents and settings\Owner\Application Data\.clamwin
2010-08-09 06:11 . 2010-08-09 06:11 -------- d-----w- c:\program files\ClamWin
2010-08-09 06:11 . 2010-08-09 06:11 -------- d-----w- c:\documents and settings\All Users\.clamwin
2010-08-09 04:31 . 2010-08-09 04:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-08-09 04:26 . 2010-08-19 22:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2010-08-09 04:26 . 2010-08-09 04:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-08-09 04:25 . 2010-08-09 04:28 -------- d-----w- c:\program files\Google
2010-08-09 04:25 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-09 04:25 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-09 04:25 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-09 04:25 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-09 04:25 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-08-09 04:25 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-08-09 04:25 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-09 04:24 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-09 04:24 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-09 04:23 . 2010-08-09 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-09 03:31 . 2010-08-09 04:50 -------- d-----w- C:\d467db2a9be49790e3830233b0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-14 06:19 . 2009-09-08 22:01 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-08-10 05:46 . 2008-10-29 22:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-10 05:46 . 2008-10-29 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-09 07:45 . 2009-07-08 18:03 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-09 04:23 . 2008-10-29 19:32 -------- d-----w- c:\program files\Alwil Software
2010-08-08 12:31 . 2010-01-21 06:07 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-06-14 14:30 . 2008-04-27 21:49 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe
[-] 2004-08-04 . 8E269F080887F222AD9BB26B6792FEAA . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-05-24 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\TEMP\\vlc-1.0.3\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/8/2010 10:25 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/8/2010 10:25 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/8/2010 10:26 PM 136176]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [9/11/2009 3:45 PM 627072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 04:25]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3512
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=aNSF2kg7YKwVX4Asp9iBcXeqUyE
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-20 00:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-20 00:25:59
ComboFix-quarantined-files.txt 2010-08-20 06:25
ComboFix2.txt 2010-08-20 03:33
ComboFix3.txt 2010-08-20 03:03

Pre-Run: 42,182,725,632 bytes free
Post-Run: 42,166,931,456 bytes free

- - End Of File - - 95E890D4DFCE3F4EB6453AA3A6AD33AA
 
Ran a full scan with Avast; I got two bamital-x's.
Was Avast able to remove them?

Do you have Windows XP CD?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    proquota.exe
    winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Avast is not able to remove them because they are "read only files". I can't even move them to the chest.

I think I might, but I am not sure where my Windows XP CD would be. I've had this computer for five years.

SystemLook gets me this:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:10 on 20/08/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\proquota.exe --a--- 50176 bytes [08:17 14/03/2010] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

Searching for "winlogon.exe"
C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe --a--- 507904 bytes [08:18 14/03/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a--- 502272 bytes [21:55 27/04/2008] [19:00 04/08/2004] (Unable to calculate MD5)

-=End Of File=-
 
If the fix we're about to run doesn't work, you'll need to find a Windows XP CD (a borrowed one will do).

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
FCopy::
C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\proquota.exe | c:\windows\system32\proquota.exe
C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe | C:\WINDOWS\system32\winlogon.exe


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Here is the Combofix log:


ComboFix 10-08-18.04 - Owner 08/20/2010 17:23:03.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.879.484 [GMT -6:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\proquota.exe --> c:\windows\system32\proquota.exe
c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe --> c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
.

2010-08-20 23:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-08-10 16:36 . 2010-08-10 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-10 16:34 . 2008-10-29 05:25 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2010-08-10 16:34 . 2008-10-29 05:25 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2010-08-10 09:28 . 2010-08-10 09:28 -------- d-----w- C:\RegBack
2010-08-10 09:28 . 2010-08-10 09:29 -------- d-----w- c:\windows\system32\NtmsData
2010-08-10 09:26 . 2010-08-10 16:27 -------- d-----w- c:\program files\ACW
2010-08-10 03:04 . 2010-08-10 03:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-08-10 03:03 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-10 03:03 . 2010-08-10 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-10 03:03 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-10 03:03 . 2010-08-10 03:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-09 06:12 . 2010-08-09 06:13 -------- d-----w- c:\documents and settings\Owner\Application Data\.clamwin
2010-08-09 06:11 . 2010-08-09 06:11 -------- d-----w- c:\program files\ClamWin
2010-08-09 06:11 . 2010-08-09 06:11 -------- d-----w- c:\documents and settings\All Users\.clamwin
2010-08-09 04:31 . 2010-08-09 04:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-08-09 04:26 . 2010-08-19 22:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2010-08-09 04:26 . 2010-08-09 04:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-08-09 04:25 . 2010-08-09 04:28 -------- d-----w- c:\program files\Google
2010-08-09 04:25 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-09 04:25 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-09 04:25 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-09 04:25 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-09 04:25 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-08-09 04:25 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-08-09 04:25 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-09 04:24 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-09 04:24 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-09 04:23 . 2010-08-09 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-09 03:31 . 2010-08-09 04:50 -------- d-----w- C:\d467db2a9be49790e3830233b0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-14 06:19 . 2009-09-08 22:01 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-08-10 05:46 . 2008-10-29 22:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-10 05:46 . 2008-10-29 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-09 07:45 . 2009-07-08 18:03 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-09 04:23 . 2008-10-29 19:32 -------- d-----w- c:\program files\Alwil Software
2010-08-08 12:31 . 2010-01-21 06:07 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-06-14 14:30 . 2008-04-27 21:49 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-05-24 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Linksys Wireless-G PCI Wireless Network Monitor\\WMP54Gv4.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=
"c:\\TEMP\\vlc-1.0.3\\vlc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/8/2010 10:25 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/8/2010 10:25 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/8/2010 10:26 PM 136176]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [9/11/2009 3:45 PM 627072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 04:25]

2010-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3512
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=aNSF2kg7YKwVX4Asp9iBcXeqUyE
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-20 17:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-20 17:29:39
ComboFix-quarantined-files.txt 2010-08-20 23:29
ComboFix2.txt 2010-08-20 06:26
ComboFix3.txt 2010-08-20 03:33
ComboFix4.txt 2010-08-20 03:03

Pre-Run: 42,016,391,168 bytes free
Post-Run: 41,999,536,128 bytes free

- - End Of File - - AD123BF0590BBECEF2F5970DDFA45A17
 
It looks like our fix worked :)

How are the issues?

Please, re-run SystemLook with the same script as in my post #10
 
Ran systemlook, here is the log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:47 on 20/08/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\proquota.exe ------ 50176 bytes [08:17 14/03/2010] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8
C:\WINDOWS\system32\proquota.exe --a--- 50176 bytes [23:23 20/08/2010] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

Searching for "winlogon.exe"
C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\winlogon.exe ------ 507904 bytes [08:18 14/03/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a--- 507904 bytes [21:55 27/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

-=End Of File=-

Also ran an Avast scan, it picked up Bamital-x, but in a different place than before. It allowed me to delete the file.
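Both SystemLook logs in this thread (the one from post #10 and the re-run above) tell the story in two lines each: before the fix, the copy of winlogon.exe in system32 was a different size from the Windows Update cache copy and could not even be hashed, and the system32 copy of proquota.exe was absent; after the FCopy, both locations carry the same MD5. The script below is an added example, not code from the thread or a SystemLook feature. It parses lines in SystemLook's ":filefind" output format and classifies each file name by whether its copies are unreadable, single, mismatched or consistent, which is the check a helper performs by eye when comparing the two logs. The sample logs inside it are constructed to mirror the two posted logs rather than pasted from them.

```python
"""Cross-check copies of a file reported by a SystemLook ':filefind' run.

Added example; the sample logs below are constructed to mirror the two logs
posted in the thread (before and after the ComboFix FCopy), not pasted from it.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One result line under a 'Searching for "<name>"' heading, in SystemLook's format:
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5 | (Unable to calculate MD5)>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S.*?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)


@dataclass
class FileEntry:
    path: str
    size: int
    md5: Optional[str]  # None when SystemLook could not read the file


def parse_filefind(log: str) -> List[FileEntry]:
    """Return every file line in the log; headings and blank lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        md5 = m.group("md5")
        entries.append(FileEntry(
            path=m.group("path"),
            size=int(m.group("size")),
            md5=None if md5.startswith("(") else md5.upper(),
        ))
    return entries


def assess_copies(entries: List[FileEntry]) -> Dict[str, str]:
    """Classify each file name by how its copies relate to one another.

    unreadable : a copy could not be hashed (a locked system file is itself a finding)
    single     : only one copy was found (e.g. the system32 copy is missing)
    mismatch   : readable copies disagree on MD5 or size
    consistent : every copy has the same MD5 and size
    """
    by_name: Dict[str, List[FileEntry]] = defaultdict(list)
    for e in entries:
        by_name[e.path.rsplit("\\", 1)[-1].lower()].append(e)

    verdict: Dict[str, str] = {}
    for name, copies in by_name.items():
        if any(c.md5 is None for c in copies):
            verdict[name] = "unreadable"
        elif len(copies) == 1:
            verdict[name] = "single"
        elif len({(c.md5, c.size) for c in copies}) > 1:
            verdict[name] = "mismatch"
        else:
            verdict[name] = "consistent"
    return verdict


# Windows Update download cache folder as it appears in the thread's logs
CACHE = r"C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca"

# Constructed sample: state before the fix (system32 winlogon.exe locked, no system32 proquota.exe)
BEFORE_FIX = f"""\
========== filefind ==========

Searching for "proquota.exe"
{CACHE}\\proquota.exe --a--- 50176 bytes [08:17 14/03/2010] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

Searching for "winlogon.exe"
{CACHE}\\winlogon.exe --a--- 507904 bytes [08:18 14/03/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\\WINDOWS\\system32\\winlogon.exe --a--- 502272 bytes [21:55 27/04/2008] [19:00 04/08/2004] (Unable to calculate MD5)
"""

# Constructed sample: state after the FCopy (both locations readable and identical)
AFTER_FIX = f"""\
Searching for "proquota.exe"
{CACHE}\\proquota.exe ------ 50176 bytes [08:17 14/03/2010] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8
C:\\WINDOWS\\system32\\proquota.exe --a--- 50176 bytes [23:23 20/08/2010] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

Searching for "winlogon.exe"
{CACHE}\\winlogon.exe ------ 507904 bytes [08:18 14/03/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\\WINDOWS\\system32\\winlogon.exe --a--- 507904 bytes [21:55 27/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
"""

if __name__ == "__main__":
    for label, log in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label)
        for name, status in sorted(assess_copies(parse_filefind(log)).items()):
            print(f"  {name}: {status}")
```

Run as-is it reports "single" for proquota.exe and "unreadable" for winlogon.exe on the before-fix sample, and "consistent" for both after the fix. An "unreadable" verdict is deliberately ranked above the others: a file in system32 that a scanner cannot open is exactly the symptom the thread started with, and it deserves attention even when every other copy hashes cleanly.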
 
All looks much better :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=======================================================================

Download MBRCheck to your desktop

Double-click MBRCheck.exe to run it (Vista and Windows 7 users, right-click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

======================================================================

Download OTL to your Desktop.

* Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
I did the uninstall of Combofix, but now my computer won't let me restart. I click on 'Turn Off Computer' under the Start menu to get to the option to restart and it takes a very long time. Then when the menu comes up and I click Restart it does nothing.
 
I got the computer to turn off and turn on again. Here is the MBRcheck log:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 174):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806CF000 \WINDOWS\system32\hal.dll
0xF7B28000 \WINDOWS\system32\KDCOM.DLL
0xF7A38000 \WINDOWS\system32\BOOTVID.dll
0xF74F9000 ACPI.sys
0xF7B2A000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74E8000 pci.sys
0xF7628000 isapnp.sys
0xF7BF0000 pciide.sys
0xF78A8000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7B2C000 aliide.sys
0xF7B2E000 cmdide.sys
0xF7B30000 toside.sys
0xF7B32000 viaide.sys
0xF7B34000 intelide.sys
0xF7638000 MountMgr.sys
0xF74C9000 ftdisk.sys
0xF78B0000 PartMgr.sys
0xF7648000 VolSnap.sys
0xF7A3C000 cpqarray.sys
0xF74B1000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7499000 atapi.sys
0xF7A40000 aha154x.sys
0xF78B8000 sparrow.sys
0xF7A44000 symc810.sys
0xF7658000 aic78xx.sys
0xF7A48000 dac960nt.sys
0xF7668000 ql10wnt.sys
0xF7A4C000 amsint.sys
0xF78C0000 asc.sys
0xF7A50000 asc3550.sys
0xF78C8000 mraid35x.sys
0xF78D0000 i2omp.sys
0xF7A54000 ini910u.sys
0xF7678000 ql1240.sys
0xF7688000 aic78u2.sys
0xF78D8000 symc8xx.sys
0xF78E0000 sym_hi.sys
0xF78E8000 sym_u3.sys
0xF78F0000 ABP480N5.SYS
0xF78F8000 asc3350p.sys
0xF7B36000 cd20xrnt.sys
0xF7698000 ultra.sys
0xF7480000 adpu160m.sys
0xF7900000 dpti2o.sys
0xF76A8000 ql1080.sys
0xF76B8000 ql1280.sys
0xF76C8000 ql12160.sys
0xF7908000 perc2.sys
0xF7B38000 perc2hib.sys
0xF7910000 hpn.sys
0xF7A58000 cbidf2k.sys
0xF7454000 dac2w2k.sys
0xF76D8000 disk.sys
0xF76E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7435000 fltMgr.sys
0xF741E000 KSecDD.sys
0xF7391000 Ntfs.sys
0xF7364000 NDIS.sys
0xF76F8000 sisagp.sys
0xF7708000 viaagp.sys
0xF7349000 Mup.sys
0xF7718000 agp440.sys
0xF7728000 alim1541.sys
0xF7738000 amdagp.sys
0xF7748000 agpCPQ.sys
0xF7778000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF70DB000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF70C7000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7990000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF70A4000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7998000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7788000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7798000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF77A8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7081000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7AEC000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7034000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF77B8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF79B0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF79B8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7020000 \SystemRoot\system32\DRIVERS\parport.sys
0xF77C8000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7AFC000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF700C000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF6FD5000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xF6ED8000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xF6E2B000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF79E8000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7D6C000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF77D8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7B08000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6E14000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF77E8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF77F8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7A08000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6E03000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7808000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7A18000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7A28000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7818000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7B42000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6D2F000 \SystemRoot\system32\DRIVERS\update.sys
0xF7B1C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7838000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7868000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B48000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xEE8B1000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xEE88F000 \SystemRoot\system32\drivers\portcls.sys
0xF7878000 \SystemRoot\system32\drivers\drmk.sys
0xF7B50000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7B54000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C26000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B58000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7968000 \SystemRoot\System32\drivers\vga.sys
0xF7B5C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B60000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7978000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7988000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7AE0000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEE80C000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEE7B4000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF7898000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xEE76B000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF72E0000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xEE743000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEE721000 \SystemRoot\System32\drivers\afd.sys
0xF72D0000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEE656000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF7065000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF72B0000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF79C0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xEE5E7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF72A0000 \SystemRoot\System32\Drivers\Fips.SYS
0xEE5C0000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF79F0000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xEE59D000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF7A00000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF6D2B000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF6D1F000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF7A20000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF7948000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xF7958000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF7280000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xF6D1B000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xEE55D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B6C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7ADC000 \SystemRoot\System32\drivers\Dxapi.sys
0xEE84F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7D21000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF054000 \SystemRoot\System32\ati2cqag.dll
0xBF093000 \SystemRoot\System32\atikvmag.dll
0xBF0C9000 \SystemRoot\System32\ati3duag.dll
0xBF345000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEC451000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xF79A8000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xEC33D000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF79D0000 \SystemRoot\system32\DRIVERS\pnarp.sys
0xF79E0000 \SystemRoot\system32\DRIVERS\purendis.sys
0xEC176000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xEBFEE000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEBC61000 \SystemRoot\system32\drivers\wdmaud.sys
0xEC3C5000 \SystemRoot\system32\drivers\sysaudio.sys
0xEBA2D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7B62000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xEBA09000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEB8BE000 \SystemRoot\system32\DRIVERS\srv.sys
0xEB00B000 \SystemRoot\System32\Drivers\HTTP.sys
0xF79F8000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 54):
0 System Idle Process
4 System
424 C:\WINDOWS\system32\smss.exe
484 csrss.exe
512 C:\WINDOWS\system32\winlogon.exe
556 C:\WINDOWS\system32\services.exe
568 C:\WINDOWS\system32\lsass.exe
716 C:\WINDOWS\system32\ati2evxx.exe
744 C:\WINDOWS\system32\svchost.exe
824 svchost.exe
896 C:\WINDOWS\system32\svchost.exe
1044 svchost.exe
1168 svchost.exe
1268 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1356 C:\WINDOWS\system32\ati2evxx.exe
1420 C:\WINDOWS\explorer.exe
1580 C:\WINDOWS\RTHDCPL.exe
1604 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
1620 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
1628 C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
1636 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
1648 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
1660 C:\Program Files\ClamWin\bin\ClamTray.exe
1668 C:\Program Files\QuickTime\QTTask.exe
1740 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
1816 C:\Program Files\OpenOffice.org 3\program\soffice.exe
1844 C:\Program Files\OpenOffice.org 3\program\soffice.bin
336 C:\WINDOWS\system32\spoolsv.exe
1008 svchost.exe
1064 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1188 C:\WINDOWS\system32\svchost.exe
1292 C:\Program Files\Java\jre6\bin\jqs.exe
988 C:\WINDOWS\system32\svchost.exe
1532 C:\WINDOWS\system32\svchost.exe
1760 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
1904 C:\WINDOWS\system32\svchost.exe
1936 wdfmgr.exe
2076 C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
2160 C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
2204 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
2288 C:\WINDOWS\system32\wuauclt.exe
2516 wmiprvse.exe
2924 C:\WINDOWS\system32\wuauclt.exe
532 wmiprvse.exe
2596 alg.exe
3952 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
3428 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
3396 C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
2680 C:\Program Files\Google\Chrome\Application\chrome.exe
3872 C:\Program Files\Google\Chrome\Application\chrome.exe
4008 C:\Program Files\Google\Chrome\Application\chrome.exe
3940 C:\Program Files\Google\Chrome\Application\chrome.exe
2988 C:\Program Files\Google\Chrome\Application\chrome.exe
3592 C:\Documents and Settings\Owner\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`289c3a00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: ST3100011A, Rev: 3.02

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Gateway MBR code detected
SHA1: 007DADCB3671462B53686F6996D328CFD544ABBD


Done!
 
Here is Extras.txt:


OTL Extras logfile created on: 8/20/2010 6:37:26 PM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

879.00 Mb Total Physical Memory | 348.00 Mb Available Physical Memory | 40.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1320 2640 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 88.52 Gb Total Space | 41.55 Gb Free Space | 46.94% Space Free | Partition Type: NTFS
Drive D: | 4.63 Gb Total Space | 2.24 Gb Free Space | 48.36% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GEORGETTECOMP
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome File not found
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 File not found
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome File not found
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome File not found
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 File not found
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe" = C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe:*:Enabled:WMP54Gv4 -- (Linksys)
"C:\TEMP\vlc-1.0.3\vlc.exe" = C:\TEMP\vlc-1.0.3\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Java\jre6\bin\javaws.exe" = C:\Program Files\Java\jre6\bin\javaws.exe:*:Disabled:Java(TM) Web Start Launcher -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update
"{15262012-213A-4f65-9019-C8A409EC0156}" = HP Officejet J6400 Series
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite eMachines
"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
"{188C0E25-3D65-4DAC-9C00-7483FBA4C7EB}" = Status
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 13
"{279D3818-7287-4ab4-A927-542EBEA9E365}" = ProductContext
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
"{380CC749-8C28-4C74-BE01-45921D062302}" = BPDSoftware_Ini
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
"{41853D20-40CC-4266-978D-F128BB97CA96}" = 6400_Help
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4DDC3BED-CC68-44AA-B435-D727B620CA5B}" = Linksys Wireless-G PCI Adapter
"{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{54F6C98F-94A0-421C-B90E-0B6A2A96A9CF}" = Pure Networks Platform
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{5BB4D7C1-52F2-4BFD-9E40-0D419E2E3021}" = bpd_scan
"{5D934326-165A-413b-B056-26BE1EC082AF}" = J6400
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{676981B7-A2D9-49D0-9F4C-03018F131DA9}" = DocProc
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{85C8D391-0EAE-4492-8A0A-2EE8B0B6DA03}" = BPDSoftware
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9692FD03-6662-4E62-B08C-30DFF51651E1}" = Actiontec Gateway
"{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}" = Apple Mobile Device Support
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{ABA00898-9467-4689-9F40-DE7F58C8429C}" = Fax
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D142FE39-3386-4d82-9AD3-36D4A92AC3C2}" = DocMgr
"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
"{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}" = iTunes
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATI Display Driver" = ATI Display Driver
"avast5" = avast! Free Antivirus
"AviSynth" = AviSynth 2.5
"CCleaner" = CCleaner (remove only)
"ClamWin Free Antivirus_is1" = ClamWin Free Antivirus 0.96.1
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP
"DivX Setup.divx.com" = DivX Setup
"Google Chrome" = Google Chrome
"HP Document Manager" = HP Document Manager 1.0
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Smart Web Printing" = HP Smart Web Printing
"HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
"HPExtendedCapabilities" = HP Customer Participation Program 10.0
"HPOCR" = OCR Software by I.R.I.S. 10.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IrfanView" = IrfanView (remove only)
"Linksys Wireless Manager" = Linksys Wireless Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"RealPlayer 6.0" = RealPlayer Basic
"Shop for HP Supplies" = Shop for HP Supplies
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 1.0.5
"WGA" = Windows Genuine Advantage Validation Tool
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/30/2009 7:56:38 PM | Computer Name = GEORGETTECOMP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 12/14/2009 2:07:35 AM | Computer Name = GEORGETTECOMP | Source = Application Error | ID = 1000
Description = Faulting application hpqtra08.exe, version 100.0.170.0, faulting module
hpqusg.dll, version 100.0.170.0, fault address 0x00026418.

Error - 1/12/2010 2:12:36 AM | Computer Name = GEORGETTECOMP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/12/2010 10:32:01 PM | Computer Name = GEORGETTECOMP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3642, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/21/2010 8:33:21 PM | Computer Name = GEORGETTECOMP | Source = Application Error | ID = 1000
Description = Faulting application hpqtra08.exe, version 100.0.170.0, faulting module
hpqusg.dll, version 100.0.170.0, fault address 0x00026418.

Error - 2/12/2010 9:44:24 PM | Computer Name = GEORGETTECOMP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3642, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/21/2010 10:00:01 PM | Computer Name = GEORGETTECOMP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3642, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/22/2010 8:53:38 PM | Computer Name = GEORGETTECOMP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3685, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/24/2010 7:55:01 AM | Computer Name = GEORGETTECOMP | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3685, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 3/1/2010 4:29:06 AM | Computer Name = GEORGETTECOMP | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3685, faulting module
npswf32.dll, version 10.0.45.2, fault address 0x0017c735.

[ System Events ]
Error - 8/19/2010 10:27:14 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 8/19/2010 10:29:33 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7023
Description = The 6to4 service terminated with the following error: %%126

Error - 8/19/2010 10:29:52 PM | Computer Name = GEORGETTECOMP | Source = System Error | ID = 1003
Description = Error code 000000f4, parameter1 00000003, parameter2 84ca54e0, parameter3
84ca5654, parameter4 805c874a.

Error - 8/19/2010 10:31:09 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 8/19/2010 10:37:04 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7023
Description = The 6to4 service terminated with the following error: %%126

Error - 8/19/2010 10:38:53 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 8/19/2010 10:59:27 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 8/20/2010 8:32:14 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 8/20/2010 8:37:51 PM | Computer Name = GEORGETTECOMP | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 8/20/2010 8:37:51 PM | Computer Name = GEORGETTECOMP | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >
 