
watch-oscar-online tubezz.org malware prevents antivirus site access



Reposting this after instructions from forum:

On March 12, 2010 I did something not too bright. I was looking to watch the 2010 Academy Awards again and I followed a link from a Cleveland newspaper site to watch-oscar-online.com which directed me to tubezz.org (href="http://tubezz.org/oscars-2010/").

Dumb and dumber, I allowed the Active-X download, which caused an infection that I still cannot completely get rid of. I used malwarebytes (I had to go to another machine and transport via thumb drive). It found a trojan which I deleted, but it did not resolve the browser hijack.

I am sending this from another computer. From the infected notebook, an eee pc, I cannot access any anti-malware site, including malwarebytes. I am directed to a 404-style error page.

Has anyone else run into this problem?

==================

March 18:

Followed the instructions but the only thing I could get was a gmer log. DDS.scr and DDS.com pop open a DOS window for a second but don't give a log. Avira, like malwarebytes and every other anti-v, anti-m software I've run does NOT give any indication of a problem/infection.

Posting the gmer log

======================

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-03-18 14:13:50

Windows 5.1.2600 Service Pack 3

Running: mrge.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdrpoc.sys

---- System - GMER 1.0.15 ----

SSDT F8BF80F6 ZwCreateKey

SSDT F8BF80EC ZwCreateThread

SSDT F8BF80FB ZwDeleteKey

SSDT F8BF8105 ZwDeleteValueKey

SSDT F8BF810A ZwLoadKey

SSDT F8BF80D8 ZwOpenProcess

SSDT F8BF80DD ZwOpenThread

SSDT F8BF8114 ZwReplaceKey

SSDT F8BF810F ZwRestoreKey

SSDT F8BF8100 ZwSetValueKey

SSDT F8BF80E7 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [F848EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdePort1 [F848EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 [F848EB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

===============

P.S. More info - Not to confuse things but ...

When I first was trying to deal with this, last week, I looked at the Task Manager processes running and removed or noted down some possibly suspicious things.

I removed c:\documents&etc\Admin\Local settings\temp\Fx1.exe

I removed c:\windows\fqomoa.exe

I segregated and subsequently replaced the Intel graphics drivers igfx-etc with a new set of Intel graphics drivers tweaked especially for the eee pc. These new drivers, attached to a process that allows you to swap screen resolution in the systray, could be the suspicious atapi.

Thanks for any help. :(


Hi ionavideo,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

TDSSKiller

  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdsskiller.zip; it will create a folder named tdsskiller on your desktop.
  • Next double-click the tdsskiller Folder on your desktop.
  • Next right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"


  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply.


Thanks, DL

Here is the TDSskiller text. Even though it says it found and removed something, my browser still cannot go to malwarebytes.org or safer-networking.org, the home of Spybot.

------------------------

10:22:14:984 2264 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20

10:22:14:984 2264 ================================================================================

10:22:14:984 2264 SystemInfo:

10:22:14:984 2264 OS Version: 5.1.2600 ServicePack: 3.0

10:22:14:984 2264 Product type: Workstation

10:22:14:984 2264 ComputerName: ASUS

10:22:14:984 2264 UserName: Administrator

10:22:14:984 2264 Windows directory: C:\WINDOWS

10:22:14:984 2264 Processor architecture: Intel x86

10:22:14:984 2264 Number of processors: 1

10:22:14:984 2264 Page size: 0x1000

10:22:15:000 2264 Boot type: Normal boot

10:22:15:000 2264 ================================================================================

10:22:15:000 2264 UnloadDriverW: NtUnloadDriver error 2

10:22:15:000 2264 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

10:22:15:093 2264 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

10:22:15:093 2264 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

10:22:15:093 2264 wfopen_ex: Trying to KLMD file open

10:22:15:093 2264 wfopen_ex: File opened ok (Flags 2)

10:22:15:093 2264 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

10:22:15:093 2264 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

10:22:15:093 2264 wfopen_ex: Trying to KLMD file open

10:22:15:093 2264 wfopen_ex: File opened ok (Flags 2)

10:22:15:093 2264 Initialize success

10:22:15:093 2264

10:22:15:093 2264 Scanning Services ...

10:22:16:500 2264 GetAdvancedServicesInfo: Raw services enum returned 243 services

10:22:16:515 2264

10:22:16:515 2264 Scanning Kernel memory ...

10:22:16:515 2264 Devices to scan: 6

10:22:16:515 2264

10:22:16:515 2264 Driver Name: Disk

10:22:16:515 2264 IRP_MJ_CREATE : F8578BB0

10:22:16:515 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E

10:22:16:515 2264 IRP_MJ_CLOSE : F8578BB0

10:22:16:515 2264 IRP_MJ_READ : F8572D1F

10:22:16:515 2264 IRP_MJ_WRITE : F8572D1F

10:22:16:515 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E

10:22:16:515 2264 IRP_MJ_SET_INFORMATION : 804FA87E

10:22:16:515 2264 IRP_MJ_QUERY_EA : 804FA87E

10:22:16:515 2264 IRP_MJ_SET_EA : 804FA87E

10:22:16:515 2264 IRP_MJ_FLUSH_BUFFERS : F85732E2

10:22:16:515 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E

10:22:16:515 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E

10:22:16:515 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E

10:22:16:515 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E

10:22:16:515 2264 IRP_MJ_DEVICE_CONTROL : F85733BB

10:22:16:515 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8576F28

10:22:16:515 2264 IRP_MJ_SHUTDOWN : F85732E2

10:22:16:515 2264 IRP_MJ_LOCK_CONTROL : 804FA87E

10:22:16:515 2264 IRP_MJ_CLEANUP : 804FA87E

10:22:16:515 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E

10:22:16:515 2264 IRP_MJ_QUERY_SECURITY : 804FA87E

10:22:16:515 2264 IRP_MJ_SET_SECURITY : 804FA87E

10:22:16:515 2264 IRP_MJ_POWER : F8574C82

10:22:16:515 2264 IRP_MJ_SYSTEM_CONTROL : F857999E

10:22:16:515 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E

10:22:16:515 2264 IRP_MJ_QUERY_QUOTA : 804FA87E

10:22:16:515 2264 IRP_MJ_SET_QUOTA : 804FA87E

10:22:16:515 2264 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

10:22:16:515 2264

10:22:16:515 2264 Driver Name: usbstor

10:22:16:515 2264 IRP_MJ_CREATE : F8907218

10:22:16:515 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E

10:22:16:515 2264 IRP_MJ_CLOSE : F8907218

10:22:16:515 2264 IRP_MJ_READ : F890723C

10:22:16:515 2264 IRP_MJ_WRITE : F890723C

10:22:16:515 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E

10:22:16:515 2264 IRP_MJ_SET_INFORMATION : 804FA87E

10:22:16:515 2264 IRP_MJ_QUERY_EA : 804FA87E

10:22:16:515 2264 IRP_MJ_SET_EA : 804FA87E

10:22:16:515 2264 IRP_MJ_FLUSH_BUFFERS : 804FA87E

10:22:16:515 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E

10:22:16:515 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E

10:22:16:515 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E

10:22:16:515 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E

10:22:16:515 2264 IRP_MJ_DEVICE_CONTROL : F8907180

10:22:16:515 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F89029E6

10:22:16:515 2264 IRP_MJ_SHUTDOWN : 804FA87E

10:22:16:515 2264 IRP_MJ_LOCK_CONTROL : 804FA87E

10:22:16:515 2264 IRP_MJ_CLEANUP : 804FA87E

10:22:16:515 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E

10:22:16:515 2264 IRP_MJ_QUERY_SECURITY : 804FA87E

10:22:16:515 2264 IRP_MJ_SET_SECURITY : 804FA87E

10:22:16:515 2264 IRP_MJ_POWER : F89065F0

10:22:16:515 2264 IRP_MJ_SYSTEM_CONTROL : F8904A6E

10:22:16:515 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E

10:22:16:515 2264 IRP_MJ_QUERY_QUOTA : 804FA87E

10:22:16:515 2264 IRP_MJ_SET_QUOTA : 804FA87E

10:22:16:531 2264 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

10:22:16:531 2264

10:22:16:531 2264 Driver Name: Disk

10:22:16:531 2264 IRP_MJ_CREATE : F8578BB0

10:22:16:531 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E

10:22:16:531 2264 IRP_MJ_CLOSE : F8578BB0

10:22:16:531 2264 IRP_MJ_READ : F8572D1F

10:22:16:531 2264 IRP_MJ_WRITE : F8572D1F

10:22:16:531 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E

10:22:16:531 2264 IRP_MJ_SET_INFORMATION : 804FA87E

10:22:16:531 2264 IRP_MJ_QUERY_EA : 804FA87E

10:22:16:531 2264 IRP_MJ_SET_EA : 804FA87E

10:22:16:531 2264 IRP_MJ_FLUSH_BUFFERS : F85732E2

10:22:16:531 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E

10:22:16:531 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E

10:22:16:531 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E

10:22:16:531 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E

10:22:16:531 2264 IRP_MJ_DEVICE_CONTROL : F85733BB

10:22:16:531 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8576F28

10:22:16:531 2264 IRP_MJ_SHUTDOWN : F85732E2

10:22:16:531 2264 IRP_MJ_LOCK_CONTROL : 804FA87E

10:22:16:531 2264 IRP_MJ_CLEANUP : 804FA87E

10:22:16:531 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E

10:22:16:531 2264 IRP_MJ_QUERY_SECURITY : 804FA87E

10:22:16:531 2264 IRP_MJ_SET_SECURITY : 804FA87E

10:22:16:531 2264 IRP_MJ_POWER : F8574C82

10:22:16:531 2264 IRP_MJ_SYSTEM_CONTROL : F857999E

10:22:16:531 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E

10:22:16:531 2264 IRP_MJ_QUERY_QUOTA : 804FA87E

10:22:16:531 2264 IRP_MJ_SET_QUOTA : 804FA87E

10:22:16:531 2264 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

10:22:16:531 2264

10:22:16:531 2264 Driver Name: usbstor

10:22:16:531 2264 IRP_MJ_CREATE : F8907218

10:22:16:531 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E

10:22:16:531 2264 IRP_MJ_CLOSE : F8907218

10:22:16:531 2264 IRP_MJ_READ : F890723C

10:22:16:531 2264 IRP_MJ_WRITE : F890723C

10:22:16:531 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E

10:22:16:531 2264 IRP_MJ_SET_INFORMATION : 804FA87E

10:22:16:531 2264 IRP_MJ_QUERY_EA : 804FA87E

10:22:16:531 2264 IRP_MJ_SET_EA : 804FA87E

10:22:16:531 2264 IRP_MJ_FLUSH_BUFFERS : 804FA87E

10:22:16:531 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E

10:22:16:531 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E

10:22:16:531 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E

10:22:16:531 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E

10:22:16:531 2264 IRP_MJ_DEVICE_CONTROL : F8907180

10:22:16:531 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F89029E6

10:22:16:531 2264 IRP_MJ_SHUTDOWN : 804FA87E

10:22:16:531 2264 IRP_MJ_LOCK_CONTROL : 804FA87E

10:22:16:531 2264 IRP_MJ_CLEANUP : 804FA87E

10:22:16:531 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E

10:22:16:531 2264 IRP_MJ_QUERY_SECURITY : 804FA87E

10:22:16:531 2264 IRP_MJ_SET_SECURITY : 804FA87E

10:22:16:531 2264 IRP_MJ_POWER : F89065F0

10:22:16:531 2264 IRP_MJ_SYSTEM_CONTROL : F8904A6E

10:22:16:531 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E

10:22:16:546 2264 IRP_MJ_QUERY_QUOTA : 804FA87E

10:22:16:546 2264 IRP_MJ_SET_QUOTA : 804FA87E

10:22:16:546 2264 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

10:22:16:546 2264

10:22:16:546 2264 Driver Name: Disk

10:22:16:546 2264 IRP_MJ_CREATE : F8578BB0

10:22:16:546 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E

10:22:16:546 2264 IRP_MJ_CLOSE : F8578BB0

10:22:16:546 2264 IRP_MJ_READ : F8572D1F

10:22:16:546 2264 IRP_MJ_WRITE : F8572D1F

10:22:16:546 2264 IRP_MJ_QUERY_INFORMATION : 804FA87E

10:22:16:546 2264 IRP_MJ_SET_INFORMATION : 804FA87E

10:22:16:546 2264 IRP_MJ_QUERY_EA : 804FA87E

10:22:16:546 2264 IRP_MJ_SET_EA : 804FA87E

10:22:16:546 2264 IRP_MJ_FLUSH_BUFFERS : F85732E2

10:22:16:546 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E

10:22:16:546 2264 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E

10:22:16:546 2264 IRP_MJ_DIRECTORY_CONTROL : 804FA87E

10:22:16:546 2264 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E

10:22:16:546 2264 IRP_MJ_DEVICE_CONTROL : F85733BB

10:22:16:546 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8576F28

10:22:16:546 2264 IRP_MJ_SHUTDOWN : F85732E2

10:22:16:546 2264 IRP_MJ_LOCK_CONTROL : 804FA87E

10:22:16:546 2264 IRP_MJ_CLEANUP : 804FA87E

10:22:16:546 2264 IRP_MJ_CREATE_MAILSLOT : 804FA87E

10:22:16:546 2264 IRP_MJ_QUERY_SECURITY : 804FA87E

10:22:16:546 2264 IRP_MJ_SET_SECURITY : 804FA87E

10:22:16:546 2264 IRP_MJ_POWER : F8574C82

10:22:16:546 2264 IRP_MJ_SYSTEM_CONTROL : F857999E

10:22:16:546 2264 IRP_MJ_DEVICE_CHANGE : 804FA87E

10:22:16:546 2264 IRP_MJ_QUERY_QUOTA : 804FA87E

10:22:16:546 2264 IRP_MJ_SET_QUOTA : 804FA87E

10:22:16:546 2264 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

10:22:16:546 2264

10:22:16:546 2264 Driver Name: atapi

10:22:16:546 2264 IRP_MJ_CREATE : F848EB3A

10:22:16:546 2264 IRP_MJ_CREATE_NAMED_PIPE : F848EB3A

10:22:16:546 2264 IRP_MJ_CLOSE : F848EB3A

10:22:16:546 2264 IRP_MJ_READ : F848EB3A

10:22:16:546 2264 IRP_MJ_WRITE : F848EB3A

10:22:16:546 2264 IRP_MJ_QUERY_INFORMATION : F848EB3A

10:22:16:546 2264 IRP_MJ_SET_INFORMATION : F848EB3A

10:22:16:546 2264 IRP_MJ_QUERY_EA : F848EB3A

10:22:16:546 2264 IRP_MJ_SET_EA : F848EB3A

10:22:16:546 2264 IRP_MJ_FLUSH_BUFFERS : F848EB3A

10:22:16:546 2264 IRP_MJ_QUERY_VOLUME_INFORMATION : F848EB3A

10:22:16:546 2264 IRP_MJ_SET_VOLUME_INFORMATION : F848EB3A

10:22:16:546 2264 IRP_MJ_DIRECTORY_CONTROL : F848EB3A

10:22:16:546 2264 IRP_MJ_FILE_SYSTEM_CONTROL : F848EB3A

10:22:16:546 2264 IRP_MJ_DEVICE_CONTROL : F848EB3A

10:22:16:546 2264 IRP_MJ_INTERNAL_DEVICE_CONTROL : F848EB3A

10:22:16:546 2264 IRP_MJ_SHUTDOWN : F848EB3A

10:22:16:546 2264 IRP_MJ_LOCK_CONTROL : F848EB3A

10:22:16:546 2264 IRP_MJ_CLEANUP : F848EB3A

10:22:16:546 2264 IRP_MJ_CREATE_MAILSLOT : F848EB3A

10:22:16:546 2264 IRP_MJ_QUERY_SECURITY : F848EB3A

10:22:16:546 2264 IRP_MJ_SET_SECURITY : F848EB3A

10:22:16:546 2264 IRP_MJ_POWER : F848EB3A

10:22:16:546 2264 IRP_MJ_SYSTEM_CONTROL : F848EB3A

10:22:16:546 2264 IRP_MJ_DEVICE_CHANGE : F848EB3A

10:22:16:546 2264 IRP_MJ_QUERY_QUOTA : F848EB3A

10:22:16:546 2264 IRP_MJ_SET_QUOTA : F848EB3A

10:22:16:546 2264 Driver "atapi" infected by TDSS rootkit!

10:22:16:562 2264 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1

10:22:16:562 2264 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...

10:22:16:562 2264 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

10:22:16:562 2264 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3

10:22:16:640 2264 vfvi6

10:22:16:984 2264 !dsvbh1

10:22:17:937 2264 dsvbh2

10:22:17:937 2264 fdfb2

10:22:17:937 2264 Backup copy found, using it..

10:22:18:203 2264 will be cured on next reboot

10:22:18:203 2264 Reboot required for cure complete..

10:22:18:234 2264 Cure on reboot scheduled successfully

10:22:18:234 2264

10:22:18:234 2264 Completed

10:22:18:234 2264

10:22:18:234 2264 Results:

10:22:18:234 2264 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

10:22:18:234 2264 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

10:22:18:234 2264 File objects infected / cured / cured on reboot: 1 / 0 / 1

10:22:18:234 2264

10:22:18:234 2264 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

10:22:18:234 2264 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

10:22:18:234 2264 UnloadDriverW: NtUnloadDriver error 1

10:22:18:234 2264 KLMD_Unload: UnloadDriverW(klmd21) error 1

10:22:18:250 2264 KLMD(ARK) unloaded successfully

-------------------------

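What the TDSSKiller log above actually shows is that disk.sys and USBSTOR.SYS keep several distinct IRP_MJ_* handlers, while every entry of atapi's dispatch table points at one address, F848EB3A, the same hook GMER reported. The check below is an added example (not code from this thread or from TDSSKiller) that parses the "Scanning Kernel memory" section of a posted log and flags drivers whose whole dispatch table has been redirected to a single address.

```python
"""Flag drivers whose whole IRP dispatch table resolves to one address.

Added example; it is not part of this thread and not TDSSKiller's own code.
It reads the "Scanning Kernel memory" section of a TDSSKiller log the way a
reviewer reads the one posted above: a storage driver normally has several
distinct handlers plus one shared kernel stub for the majors it does not
implement, so a table with a single address for everything means the
dispatch pointers were replaced wholesale.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the posted kernel-memory section.
SAMPLE_LOG = """\
10:22:16:546 2264 Scanning Kernel memory ...
10:22:16:546 2264 Driver Name: Disk
10:22:16:546 2264 IRP_MJ_CREATE : F8578BB0
10:22:16:546 2264 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
10:22:16:546 2264 IRP_MJ_CLOSE : F8578BB0
10:22:16:546 2264 IRP_MJ_READ : F8572D1F
10:22:16:546 2264 IRP_MJ_WRITE : F8572D1F
10:22:16:546 2264 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
10:22:16:546 2264
10:22:16:546 2264 Driver Name: atapi
10:22:16:546 2264 IRP_MJ_CREATE : F848EB3A
10:22:16:546 2264 IRP_MJ_CREATE_NAMED_PIPE : F848EB3A
10:22:16:546 2264 IRP_MJ_CLOSE : F848EB3A
10:22:16:546 2264 IRP_MJ_READ : F848EB3A
10:22:16:546 2264 IRP_MJ_WRITE : F848EB3A
10:22:16:546 2264 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
"""

# "HH:MM:SS:mmm <pid> <message>"; the message may be empty.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s+(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(\S+) - Verdict: (\d+)$")


def parse_kernel_section(log_text):
    """Return {driver: {"irp": {IRP_MJ_X: addr}, "file": path}} per driver block."""
    drivers = defaultdict(lambda: {"irp": {}, "file": None})
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a TDSSKiller log line
        body = m.group(1).strip()
        if (d := DRIVER_RE.match(body)):
            current = d.group(1)
        elif current and (i := IRP_RE.match(body)):
            drivers[current]["irp"][i.group(1)] = i.group(2).upper()
        elif current and (v := VERDICT_RE.match(body)):
            drivers[current]["file"] = v.group(1)
            current = None  # the verdict line closes the driver block
    return dict(drivers)


def uniform_dispatch_drivers(drivers, min_entries=4):
    """Drivers whose every parsed IRP_MJ_* handler is one address.

    Returns [(driver, address, file)]. min_entries guards against judging
    a block that only had a few lines parsed from it.
    """
    hits = []
    for name, info in sorted(drivers.items()):
        addrs = set(info["irp"].values())
        if len(info["irp"]) >= min_entries and len(addrs) == 1:
            hits.append((name, addrs.pop(), info["file"]))
    return hits


if __name__ == "__main__":
    for name, addr, path in uniform_dispatch_drivers(parse_kernel_section(SAMPLE_LOG)):
        print(f"{name}: all IRP_MJ_* handlers -> {addr} ({path})")
```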


Hi ionavideo,

Even though it says it found and removed something, my browser still cannot go to malwarebytes.org

That's OK, it will take several steps to complete the clean up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

  • Please post the contents of these 2 Notepad files in your next reply.


Hi, here are the OTL results - I'm attaching the txt files.

=====================

OTL logfile created on: 3/20/2010 3:44:53 AM - Run 2

OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 343.00 Mb Available Physical Memory | 68.00% Memory free

974.00 Mb Paging File | 852.00 Mb Available in Paging File | 87.00% Paging File free

Paging file location(s): C:\pagefile.sys 500 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 3.72 Gb Total Space | 1.23 Gb Free Space | 33.07% Space Free | Partition Type: NTFS

Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.27% Space Free | Partition Type: FAT32

Drive E: | 1.85 Gb Total Space | 0.98 Gb Free Space | 53.24% Space Free | Partition Type: FAT

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ASUS

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\random.exe (OldTimer Tools)

PRC - E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

PRC - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)

PRC - C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\random.exe (OldTimer Tools)

MOD - E:\Program Files\File Unlocker\Unlocker\UnlockerHook.dll ()

MOD - C:\WINDOWS\system32\DrvPatch.dll (WangYue@BLCU.EDU.CN)

========== Win32 Services (SafeList) ==========

SRV - (UPS) -- File not found

SRV - (ose) -- File not found

SRV - (odserv) -- File not found

SRV - (ClipSrv) -- File not found

SRV - (CiSvc) -- File not found

SRV - (HauppaugeTVServer) -- C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works)

SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)

========== Driver Services (SafeList) ==========

DRV - (utm5nje2) -- C:\WINDOWS\system32\drivers\utm5nje2.sys ()

DRV - (hcw72DTV) -- C:\WINDOWS\system32\drivers\hcw72DTV.sys (Hauppauge Computer Works, Inc.)

DRV - (hcw72ATV) -- C:\WINDOWS\system32\drivers\hcw72ATV.sys (Hauppauge Computer Works, Inc.)

DRV - (hcw72ADFilter) -- C:\WINDOWS\system32\drivers\hcw72ADFilter.sys (Hauppauge Computer Works, Inc.)

DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)

DRV - (MPE) -- C:\WINDOWS\system32\drivers\MPE.sys (Microsoft Corporation)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (AtcL002) -- C:\WINDOWS\system32\drivers\l251x86.sys (Atheros Communications, Inc.)

DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)

DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)

DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)

DRV - (APL531) -- C:\WINDOWS\system32\drivers\ov550i.sys (Omnivision Technologies, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx File not found

O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)

O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [skyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [unlockerAssistant] E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()

O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)

O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [sUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware.exe File not found

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = D:\Program Files\Adobe\Distillr\AcroTray.exe File not found

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk = C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideRunAsVerb = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll File not found

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.117,93.188.161.67

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - E:\Program Files\SASWINLO.dll - E:\Program Files\SASWINLO.dll File not found

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - E:\Program Files\SASSEH.DLL File not found

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/08/27 15:27:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2009/08/27 17:52:02 | 000,000,103 | ---- | M] () - D:\Autorun.inf -- [ FAT32 ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/20 03:44:28 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent

[2010/03/20 03:16:15 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\random.exe

[2010/03/19 11:38:27 | 000,000,000 | --SD | C] -- C:\bocomfx

[2010/03/18 13:15:49 | 000,056,816 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys

[2010/03/14 20:16:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer

[2010/03/14 15:12:25 | 000,040,448 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll

[2010/03/14 15:08:32 | 000,047,104 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\AsTray.exe

[2010/03/14 15:08:29 | 000,011,264 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\DrvPatch.dll

[2010/03/14 15:04:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\7-Zip

[2010/03/14 15:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\New Folder

[2010/03/14 14:58:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\EEEPC graphics drivers

[2010/03/14 14:34:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera

[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Opera

[2010/03/14 12:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff

[2010/03/14 11:49:18 | 000,000,000 | ---D | C] -- C:\MGtools

[2010/03/14 11:46:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/03/14 11:46:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/03/14 11:46:30 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/03/14 11:46:30 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/03/14 11:46:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/03/14 11:45:30 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/03/14 10:51:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

[2010/03/14 10:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com

[2010/03/14 10:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun

[2010/03/14 10:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/03/14 10:42:46 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/03/14 10:42:46 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/03/14 10:42:11 | 000,000,000 | ---D | C] -- C:\Program Files\Java

[2010/03/13 06:23:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2010/03/12 20:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AVG8

[2010/03/12 12:11:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\possible virus or malware

[2010/03/12 12:04:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\igfx Intel graphics driver files

[2010/03/12 11:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

[2010/03/12 11:29:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/03/12 11:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/03/12 11:29:24 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/03/10 21:23:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\ProjectX_Portable

[2010/03/10 21:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tsMuxeR_1.10.6

[2010/03/08 05:27:49 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild

[2010/03/08 05:27:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer

[2010/03/08 05:27:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us

[2010/03/08 05:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies

[2010/03/08 05:26:38 | 000,022,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spupdsvc.exe

[2010/03/08 05:26:38 | 000,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll

[2010/03/07 17:46:52 | 000,485,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evr.dll

[2010/03/07 17:46:52 | 000,000,000 | ---D | C] -- C:\My Videos

[2010/03/07 17:46:31 | 000,036,921 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwutl32.dll

[2010/03/07 17:36:09 | 000,000,000 | R-SD | C] -- C:\WINDOWS\assembly

[2010/03/07 17:35:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\v7 wintv

[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\PCHEALTH

[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET

[2010/03/07 17:12:30 | 000,307,256 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwpnp32.dll

[2010/03/07 17:12:30 | 000,106,552 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwi2c32.dll

[2010/03/07 17:11:01 | 001,220,224 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72DTV.sys

[2010/03/07 17:10:55 | 000,028,928 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ADFilter.sys

[2010/03/07 17:10:36 | 000,095,744 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwcpxx.ax

[2010/03/07 17:10:36 | 000,044,032 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcw72Co.dll

[2010/03/07 17:10:34 | 001,217,920 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ATV.sys

[2010/03/07 13:58:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\LitBirthdays March 2010

[2009/08/27 15:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/20 03:24:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/03/20 03:24:24 | 002,883,584 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2010/03/20 03:24:24 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010/03/20 03:24:17 | 005,879,024 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

[2010/03/20 03:14:51 | 000,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys

[2010/03/19 18:23:44 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\random.exe

[2010/03/18 13:44:46 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/03/18 13:43:09 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable

[2010/03/18 12:44:22 | 000,525,824 | ---- | M] () -- C:\dds.com

[2010/03/16 21:38:38 | 000,000,558 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/03/16 21:38:38 | 000,000,270 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/03/16 21:38:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2010/03/16 21:26:22 | 000,007,168 | ---- | M] () -- C:\WINDOWS\System32\drivers\utm5nje2.sys

[2010/03/16 07:14:07 | 000,004,972 | ---- | M] () -- C:\WINDOWS\System32\AsTray.ini

[2010/03/14 15:53:30 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010/03/14 15:05:42 | 000,939,956 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe

[2010/03/14 14:34:22 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk

[2010/03/14 13:25:27 | 000,000,430 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk

[2010/03/14 10:45:01 | 000,000,558 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk

[2010/03/14 10:42:17 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll

[2010/03/14 10:42:17 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/03/14 10:42:17 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/03/13 13:19:48 | 003,888,953 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\bocomfx.exe

[2010/03/08 13:42:20 | 000,041,568 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/03/08 13:41:59 | 000,181,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/03/08 13:36:31 | 000,399,130 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/03/08 13:36:30 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/03/08 13:36:30 | 000,058,458 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/03/07 18:10:52 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI

[2010/03/07 18:10:52 | 000,000,483 | ---- | M] () -- C:\WINDOWS\ODBC.INI

[2010/03/07 18:09:09 | 000,003,536 | ---- | M] () -- C:\WINDOWS\HCWPNP.INI

[2010/03/07 17:52:17 | 000,000,769 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk

[2010/03/07 17:52:17 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk

[2010/03/07 16:32:46 | 000,000,425 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk

[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/18 13:43:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable

[2010/03/18 13:25:37 | 000,525,824 | ---- | C] () -- C:\dds.com

[2010/03/16 21:26:22 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\utm5nje2.sys

[2010/03/14 19:04:37 | 003,888,953 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\bocomfx.exe

[2010/03/14 15:08:32 | 000,004,972 | ---- | C] () -- C:\WINDOWS\System32\AsTray.ini

[2010/03/14 15:08:28 | 000,125,952 | ---- | C] () -- C:\WINDOWS\System32\igxpun.exe

[2010/03/14 15:05:41 | 000,939,956 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe

[2010/03/14 14:34:22 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk

[2010/03/14 13:25:27 | 000,000,430 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk

[2010/03/14 11:46:30 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/03/14 11:46:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/03/14 11:46:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/03/14 11:46:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/03/14 11:46:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/03/08 05:29:15 | 000,114,400 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2010/03/07 17:52:17 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk

[2010/03/07 17:52:17 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk

[2010/03/07 17:48:54 | 000,142,337 | ---- | C] () -- C:\WINDOWS\System32\Wait.exe

[2010/03/07 17:12:02 | 000,003,536 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI

[2010/03/07 16:32:46 | 000,000,425 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk

[2009/12/13 20:48:42 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/10/14 15:56:22 | 000,399,360 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll

[2009/10/14 15:17:51 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll

[2009/10/11 19:35:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dmcrypto.dll

[2009/10/11 19:22:03 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll

[2009/09/07 10:53:12 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2009/09/06 14:59:41 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll

[2009/09/02 09:43:25 | 000,000,483 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009/08/29 16:58:57 | 000,016,773 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2009/08/28 10:00:57 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2009/08/27 16:18:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll

< End of report >

======================

EXTRAS

OTL Extras logfile created on: 3/20/2010 3:36:02 AM - Run 1

OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 351.00 Mb Available Physical Memory | 70.00% Memory free

974.00 Mb Paging File | 865.00 Mb Available in Paging File | 89.00% Paging File free

Paging file location(s): C:\pagefile.sys 500 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 3.72 Gb Total Space | 1.23 Gb Free Space | 33.07% Space Free | Partition Type: NTFS

Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.27% Space Free | Partition Type: FAT32

Drive E: | 1.85 Gb Total Space | 0.98 Gb Free Space | 53.24% Space Free | Partition Type: FAT

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ASUS

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = Opera.HTML] -- E:\Program Files\OPERA BROWSER\opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "E:\Office12\msohtmed.exe" %1 File not found

htmlfile [open] -- Reg Error: Key error.

htmlfile [opennew] -- Reg Error: Key error.

htmlfile [print] -- "E:\Office12\msohtmed.exe" /p %1 File not found

http [open] -- "E:\Program Files\OPERA BROWSER\opera.exe" (Opera Software)

https [open] -- "E:\Program Files\OPERA BROWSER\opera.exe" (Opera Software)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" File not found

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" File not found

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- Reg Error: Key error.

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found

"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)

"C:\Program Files\WinTV\WinTV7\WinTV7.exe" = C:\Program Files\WinTV\WinTV7\WinTV7.exe:*:Enabled:WinTV7 -- (Hauppauge Computer Works, Inc.)

"E:\Program Files\OPERA BROWSER\opera.exe" = E:\Program Files\OPERA BROWSER\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{063E409E-3D7C-4A4A-95AB-2F124B9224B3}" = ArcSoft PhotoImpression 6

"{0A755762-EED8-47AB-A446-505766F93D43}" = Atheros Communications Inc.® L2 Fast Ethernet Driver

"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 18

"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program

"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1

"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5

"{332BCC03-A1B7-4BE7-8C8A-2B1333E22C33}" = Opera 10.50

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{5A347920-4AFC-11D5-9FB0-800649886934}" = SDFormatter

"{6B566EFE-DC1D-471F-93DD-84832663F140}" = OVT Scanner X86

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable

"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"7-Zip" = 7-Zip 4.65

"Adobe Acrobat 5.0" = Adobe Acrobat 5.0

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Photoshop 7.0" = Adobe Photoshop 7.0

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"Audacity_is1" = Audacity 1.2.6

"CCleaner" = CCleaner

"Cool Edit Pro 2.1" = Cool Edit Pro 2.1

"Gadwin PrintScreen" = Gadwin PrintScreen

"Hauppauge WinTV 7" = Hauppauge WinTV 7

"HDMI" = Intel® Graphics Media Accelerator Driver

"HijackThis" = HijackThis 2.0.2

"Karen's Computer Profiler" = Karen's Computer Profiler

"Karen's Time Sync" = Karen's Time Sync

"Karen's WhoIs" = Karen's WhoIs

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5

"Nero - Burning Rom!UninstallKey" = Nero OEM

"OVT Scanner" = Uninstall OVT Scanner

"QuicktimeAlt_is1" = QuickTime Alternative 3.0.0

"RealAlt_is1" = Real Alternative 2.0.1

"ST6UNST #1" = Karen's Disk Slack Checker

"SUPER

OTL.Txt

Extras.Txt


Hi ionavideo,

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the customFix.png textbox. Do not include the word Code
    :otl
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.117,93.188.161.67
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]


  • Then click the Run Fix button at the top.
  • Click btnOK.png.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Now please try to access the sites that were blocked and let me know if you now have access to the sites.

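The O17 finding the fix above targets is a static NameServer value that does not match the DHCP-assigned servers (DhcpNameServer), which is how a resolver the ISP never handed out ends up answering queries for security-vendor domains. The following Python is an added example, not part of this thread or of OTL, that parses O17 lines in the format OTL prints (the sample is constructed from the two O17 lines of the log above), flags static resolvers absent from the DHCP list, and emits the lines to paste into the :otl section, as the fix above does. The line format and the separator handling are assumptions drawn from the log shown here.

```python
import re
from typing import Dict, List

# Constructed sample built from the O17 lines of the OTL log above (same values).
SAMPLE_OTL = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 93.188.162.117,93.188.161.67
"""

# Constructed clean sample: the static NameServer merely repeats a DHCP-assigned server.
CLEAN_OTL = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 68.105.28.11
"""

# "O17 - <registry key>: <value name> = <addresses>" as OTL prints it (assumed format).
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): (?P<name>\w+) = (?P<value>.*)$")


def parse_o17(log_text: str) -> List[Dict]:
    """Parse every O17 line into {'line', 'key', 'name', 'ips'}.

    OTL shows DHCP servers space-separated and static ones comma-separated,
    so both separators are accepted.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if not m:
            continue
        ips = [ip for ip in re.split(r"[ ,]+", m.group("value").strip()) if ip]
        entries.append({"line": line, "key": m.group("key"),
                        "name": m.group("name"), "ips": ips})
    return entries


def find_dns_overrides(entries: List[Dict]) -> List[Dict]:
    """Return static NameServer entries containing an address that DHCP did not assign.

    A resolver the ISP never handed out is what makes vendor domains resolve
    to an error page while the rest of the web still works.
    """
    dhcp = {ip for e in entries if e["name"] == "DhcpNameServer" for ip in e["ips"]}
    return [e for e in entries
            if e["name"] == "NameServer" and any(ip not in dhcp for ip in e["ips"])]


def otl_fix_lines(log_text: str) -> List[str]:
    """Lines for the :otl section of a fix: pasting the O17 line verbatim removes the value."""
    return [e["line"] for e in find_dns_overrides(parse_o17(log_text))]


if __name__ == "__main__":
    for line in otl_fix_lines(SAMPLE_OTL):
        print("suspect resolver setting:", line)
```

Run against the clean sample the script reports nothing; against the log above it reproduces exactly the O17 line used in the fix. After the fix, compare the new OTL log's O17 lines again and confirm that NameServer is gone or matches DhcpNameServer.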

Alas, DeltaLima, would 'twere that easy.

They are clever.

Here is the log. I cannot get to malwarebytes.org or spybot (safer-networking.org).

I don't want to confuse things with too much information, but I do have:

- someone else answered my original post with some info on where the tubezz.org url redirects to -- Ohmniscient's post. I can't find the message placed on malwarebytes, but I did find another post at McAfee site:

-------------------------------

"then redirects to:

http://update-center.net/microsoft/get_update.php?sid=2

which redirects to: http://thetubestores.com/xplays.php?id=45158, which redirects to: http://besttoolsonline.com/video-plugin.45158.exe

which is a malware!

-----------------------------------------------

- This article just came up on Google: "It seems that fans around the world are not the only ones who are hooked on the Oscars. Just a day after this year


Hi ionavideo,

Alas, DeltaLima, would 'twere that easy.

Please be patient; as mentioned in my earlier post, it will take several steps to complete the clean up and we need to logically work through them.

TFC

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Upload a File to Virustotal

Please go to Virustotal

Browse to the folder and select fqomoa.exe that you saved.

Press Submit - this will submit the file for testing.

Please wait for all the scanners to finish then copy and paste the results in your next response.

Create a batch file

  1. Open Notepad.
  2. Copy/paste the following text into the empty Notepad window.
    @echo off
    REM Resolve and then ping the two blocked security sites; everything is collected in results.txt
    Nslookup www.malwarebytes.org>> results.txt 2>&1
    Nslookup www.safer-networking.org>> results.txt 2>&1
    Ping www.malwarebytes.org>> results.txt 2>&1
    ping www.safer-networking.org>> results.txt 2>&1
    start notepad results.txt
    REM Remove this batch file once it has run
    Del %0


  3. Save the file as xxx.bat on your desktop. Save it with the file type... all types *.*.
  4. Double click the file xxx.bat to execute.

results.txt should open in Notepad automatically when the script has completed; post the contents of this file in your next response along with the results from Virustotal.


Okay.

Ran TFC. It took a few seconds.

Uploaded fqomoa.exe to Virus Total. I don't understand, is 67% bad? It's a passing grade. Note that I have to do things from the desktop pc, so the upload to VirusTotal is done from the non-infected desktop.

My little eee pc does not compute nslookup or ping. I tested the script on the desktop pc and it did return DNS for both, but was only able to contact safer-net.

========================

VirusTotal

Scan of fqomoa.exe

File Fqomoa.exe received on 2010.03.21 02:05:35 (UTC)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 28/42 (66.67%)

============================================================================

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.03.20 Packed.Win32.Krap.as!A2

AhnLab-V3 5.0.0.2 2010.03.20 -

AntiVir 8.2.1.196 2010.03.19 TR/Crypt.XPACK.Gen2

Antiy-AVL 2.0.3.7 2010.03.19 Packed/Win32.Krap.gen

Authentium 5.2.0.5 2010.03.21 W32/FraudPack.E!Generic

Avast 4.8.1351.0 2010.03.20 Win32:Rootkit-gen

Avast5 5.0.332.0 2010.03.20 Win32:Rootkit-gen

AVG 9.0.0.787 2010.03.20 FakeAV.ACM

BitDefender 7.2 2010.03.21 -

CAT-QuickHeal 10.00 2010.03.19 Trojan.Krap.as

ClamAV 0.96.0.0-git 2010.03.20 -

Comodo 4335 2010.03.21 -

DrWeb 5.0.1.12222 2010.03.21 Trojan.DownLoad1.16994

eSafe 7.0.17.0 2010.03.18 -

eTrust-Vet 35.2.7376 2010.03.19 Win32/Wardunlo.EG

F-Prot 4.5.1.85 2010.03.21 W32/FraudPack.E!Generic

F-Secure 9.0.15370.0 2010.03.20 -

Fortinet 4.0.14.0 2010.03.20 -

GData 19 2010.03.21 Win32:Rootkit-gen

Ikarus T3.1.1.80.0 2010.03.20 -

Jiangmin 13.0.900 2010.03.20 Packed.Krap.brif

K7AntiVirus 7.10.1002 2010.03.19 -

Kaspersky 7.0.0.125 2010.03.21 Packed.Win32.Krap.as

McAfee 5926 2010.03.20 Downloader-CEW

McAfee+Artemis 5926 2010.03.20 Downloader-CEW

McAfee-GW-Edition 6.8.5 2010.03.20 Trojan.Crypt.XPACK.Gen2

Microsoft 1.5605 2010.03.20 TrojanDownloader:Win32/Renos.KF

NOD32 4961 2010.03.20 Win32/TrojanDownloader.FakeAlert.AQI

Norman 6.04.09 2010.03.20 -

nProtect 2009.1.8.0 2010.03.20 -

Panda 10.0.2.2 2010.03.20 -

PCTools 7.0.3.5 2010.03.20 -

Prevx 3.0 2010.03.21 Medium Risk Malware

Rising 22.39.06.01 2010.03.21 Trojan.Win32.Nodef.zaf

Sophos 4.51.0 2010.03.21 Mal/FakeAV-CO

Sunbelt 5999 2010.03.21 Trojan.Win32.Generic!SB.0

Symantec 20091.2.0.41 2010.03.21 Suspicious.Insight

TheHacker 6.5.2.0.241 2010.03.21 Trojan/Krap.as

TrendMicro 9.120.0.1004 2010.03.20 TROJ_RENOS.SMPE

VBA32 3.12.12.2 2010.03.19 -

ViRobot 2010.3.19.2236 2010.03.20 Trojan.Win32.Krap.152064.E

VirusBuster 5.0.27.0 2010.03.20 Trojan.Codecpack.Gen.3

Additional information

File size: 152064 bytes

MD5...: a05fa53fb7b153933193d8e636d9132e

SHA1..: 761432e3cc4942d3a2b51f0d9e087d900c588cff

SHA256: 1b48d574076109503221c9fa698d33ee9df6c41b115ab38b3e6614995ef9cffc

ssdeep: 3072:uCoV0uyTwEwc1Iq+p/xwnvnd6fqXWIpRd:m01rJIq+pZwn/UiGIB

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x1446

timedatestamp.....: 0x4aeb0cb7 (Fri Oct 30 15:56:39 2009)

machinetype.......: 0x14c (I386)

( 5 sections )

name viradd virsiz rawdsiz ntrpy md5

BSS 0x1000 0x697e 0x6a00 5.42 b2f8f08fdd6ab7545d68a7ac25769281

DATA 0x8000 0x32cc5 0x1ce00 7.27 027ec3a7754f776339b6377ac7c69d3f

.tls 0x3b000 0x101d 0x1200 2.70 ce10e5f1eb474d8669597ac678b2dfda

.edata 0x3d000 0x12b 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b

.data 0x3e000 0x1e0 0x200 0.06 ca23f95849f3213e71961b45b3f0f880

( 6 imports )

> KERNEL32.DLL: LocalAlloc, GetStartupInfoA, ExitProcess, FindResourceA, CreateFileA, VirtualAlloc, GetUserDefaultLCID, GetStringTypeA, GetStringTypeW, GetVersion, VirtualAllocEx, SetEndOfFile, LocalFree, MoveFileA, GetOEMCP, InitializeCriticalSection, GetProcessHeap, lstrlenA, LoadLibraryExA

> user32.dll: DrawMenuBar, GetMenuItemInfoA, MessageBoxA, EnumThreadWindows, GetSysColor, CreateWindowExA, DrawFrameControl, DrawIcon, SetWindowTextA, DrawEdge, CreatePopupMenu, BeginDeferWindowPos, EndDeferWindowPos, SystemParametersInfoA, DefMDIChildProcA, GetMenuState, RegisterClassA, FrameRect

> comdlg32.dll: GetOpenFileNameA

> OLE32.DLL: StringFromIID, CoCreateGuid, CoGetMalloc, WriteClassStm, CreateOleAdviseHolder, CoUnmarshalInterface

> advapi32.dll: RegDeleteValueA

> MSVCRT.DLL: atol, time, sprintf, wcscspn, exit, swprintf, rand, memcpy, tolower, sqrt, calloc, memmove, memset

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable Generic (38.4%)

Win32 Dynamic Link Library (generic) (34.2%)

Clipper DOS Executable (9.1%)

Generic Win/DOS Executable (9.0%)

DOS Executable Generic (9.0%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

http://info.prevx.com/aboutprogramtext.asp?PX5=F0887DE30065B2CD525E027B77201F0070C8CDC2

=============================

script

'Nslookup' is not recognized as an internal or external command,

operable program or batch file.

'Nslookup' is not recognized as an internal or external command,

operable program or batch file.

'Ping' is not recognized as an internal or external command,

operable program or batch file.

'ping' is not recognized as an internal or external command,

operable program or batch file.

===================

results.txt should open in Notepad automatically when the script has completed, post the contents of this file in your next response along with the results from Virustotal.

Hi ionavideo,

Note that I have to do things from the desktop pc

Please clarify, is Internet access completely blocked on the infected PC or just access to Security related sites such as Malwarebytes ?

Also please confirm that your ISP is COX-ATLANTA.

Please submit the following files to Virustotal and post the results in your next reply.

C:\WINDOWS\system32\drivers\utm5nje2.sys

C:\Documents and Settings\Administrator\Desktop\bocomfx.exe

It seems that Combofix has already been run on the computer, please post the log from that run it should be located at c:\combofix.txt

Now please run a new GMER scan using the original instructions and post the log in your next reply.


Thank you, DeltaLima. We don't want you saying this is a thankless job. :unsure:

Internet access is not blocked on the infected PC.

The ISP is Cox Cable.

bocomfx.exe is my renaming of combofix. I could not get it to run properly, and it still can't. It says "PING is not recognized" and "Combofix is preparing to run" and then nothing. I think I screwed something up when I put it on the PC, because ... well never mind, it's off the topic.

Here is Virus Total for both files:

===================

virustotal results

File utm5nje2.sys received on 2010.03.22 13:39:22 (UTC)

Current status: finished

Result: 18/42 (42.86%)

Compact

================================

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.03.22 Trojan.Win32.Bagle!IK

AhnLab-V3 5.0.0.2 2010.03.22 -

AntiVir 8.2.1.196 2010.03.22 -

Antiy-AVL 2.0.3.7 2010.03.19 -

Authentium 5.2.0.5 2010.03.22 W32/Bagle.IJ

Avast 4.8.1351.0 2010.03.22 -

Avast5 5.0.332.0 2010.03.22 -

AVG 9.0.0.787 2010.03.22 -

BitDefender 7.2 2010.03.22 -

CAT-QuickHeal 10.00 2010.03.22 -

ClamAV 0.96.0.0-git 2010.03.22 Trojan.Agent-66914

Comodo 4349 2010.03.22 -

DrWeb 5.0.1.12222 2010.03.22 -

eSafe 7.0.17.0 2010.03.21 Win32.Bagle.RC.worm

eTrust-Vet 35.2.7381 2010.03.22 -

F-Prot 4.5.1.85 2010.03.22 W32/Bagle.IJ

F-Secure 9.0.15370.0 2010.03.22 Rootkit:W32/Bagle.SR

Fortinet 4.0.14.0 2010.03.22 W32/Bagle.ZNG!worm

GData 19 2010.03.22 -

Ikarus T3.1.1.80.0 2010.03.22 Trojan.Win32.Bagle

Jiangmin 13.0.900 2010.03.22 Trojan/Agent.cmdf

K7AntiVirus 7.10.1002 2010.03.19 Trojan.Win32.Malware.1

Kaspersky 7.0.0.125 2010.03.22 -

McAfee 5927 2010.03.21 -

McAfee+Artemis 5927 2010.03.21 -

McAfee-GW-Edition 6.8.5 2010.03.22 -

Microsoft 1.5605 2010.03.22 -

NOD32 4965 2010.03.22 -

Norman 6.04.09 2010.03.22 W32/Bagle.GEX

nProtect 2009.1.8.0 2010.03.22 Worm/W32.Bagle.7168

Panda 10.0.2.2 2010.03.22 -

PCTools 7.0.3.5 2010.03.22 Trojan-Downloader.Bagle

Prevx 3.0 2010.03.22 Medium Risk Malware

Rising 22.40.00.04 2010.03.22 Trojan.Win32.Generic.51E920C9

Sophos 4.51.0 2010.03.22 -

Sunbelt 6024 2010.03.22 Trojan.Win32.Generic!BT

Symantec 20091.2.0.41 2010.03.22 -

TheHacker 6.5.2.0.241 2010.03.22 Trojan/Rootkit.gen

TrendMicro 9.120.0.1004 2010.03.22 -

VBA32 3.12.12.2 2010.03.19 -

ViRobot 2010.3.22.2238 2010.03.22 Trojan.Win32.Bagle.7168

VirusBuster 5.0.27.0 2010.03.21 -

==================

Additional information

File size: 7168 bytes

MD5...: 524d8d450622db4a7875b111c299a76b

SHA1..: fe22db1e0b864e77baeca5520c05c42431784fd8

SHA256: 7ae9aae77884ac0baa2f8168b3ed4de0c0c9834a42d8e5a775f47a2c66cec237

ssdeep: 96:wQQovxXZHQ7SioGfU2zSVeUvaUOPLNI8n1Sw1xJj0o:w+PQ/oV2z2eaaUOW8R


PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x1990

timedatestamp.....: 0x4788d40f (Sat Jan 12 14:51:59 2008)

machinetype.......: 0x14c (I386)

( 6 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x9d4 0xa00 5.78 b65e29f81689fbde8b3d49891e4011de

.rdata 0x2000 0x144 0x200 2.93 4c5e3a3a7d9a4ad57704be677563d7ca

.data 0x3000 0x20 0x200 0.26 4f4f5306b935a3d853c02c6c206aa506

INIT 0x4000 0x292 0x400 3.74 a077364ef66a2ed1ad88d7557f37474a

.rsrc 0x5000 0x300 0x400 2.56 85021f99de084aa59772f678fd7aaf3a

.reloc 0x6000 0x106 0x200 2.65 173202905f3e2cfaecaf72eb73fd3c1c

( 2 imports )

> ntoskrnl.exe: MmIsAddressValid, MmProbeAndLockPages, MmMapLockedPagesSpecifyCache, MmBuildMdlForNonPagedPool, IoAllocateMdl, _except_handler3, ObfDereferenceObject, ObReferenceObjectByName, MmUnlockPages, RtlInitUnicodeString, KeServiceDescriptorTable, PsGetCurrentProcessId, IoGetCurrentProcess, IoDeleteDevice, IoCreateSymbolicLink, IoCreateDevice, IoDeleteSymbolicLink, IoFreeMdl, IoDriverObjectType, IofCompleteRequest

> HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=524d8d450622db4a7875b111c299a76b

sigcheck:

publisher....: n/a

copyright....: Zaitsev Oleg, Copyright © 2004-2006

product......: AVZ Driver

description..: AVZ Driver

original name: avz.sys

internal name: avz.sys

file version.: 1, 2, 0, 0

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

http://info.prevx.com/aboutprogramtext.asp?PX5=16590770003B863E1CA000B5C14F3D00CCFB2D16

---------------------------------

File bocomfx.exe received on 2010.03.22 13:47:59 (UTC)

Current status: finished

Result: 7/42 (16.67%)

======================

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.03.22 -

AhnLab-V3 5.0.0.2 2010.03.22 -

AntiVir 8.2.1.196 2010.03.22 -

Antiy-AVL 2.0.3.7 2010.03.19 -

Authentium 5.2.0.5 2010.03.22 -

Avast 4.8.1351.0 2010.03.22 -

Avast5 5.0.332.0 2010.03.22 -

AVG 9.0.0.787 2010.03.22 -

BitDefender 7.2 2010.03.22 -

CAT-QuickHeal 10.00 2010.03.22 -

ClamAV 0.96.0.0-git 2010.03.22 -

Comodo 4349 2010.03.22 ApplicUnsaf.Win32.Hide.~AB

DrWeb 5.0.1.12222 2010.03.22 -

eSafe 7.0.17.0 2010.03.21 -

eTrust-Vet 35.2.7381 2010.03.22 -

F-Prot 4.5.1.85 2010.03.22 -

F-Secure 9.0.15370.0 2010.03.22 -

Fortinet 4.0.14.0 2010.03.22 PossibleThreat

GData 19 2010.03.22 -

Ikarus T3.1.1.80.0 2010.03.22 -

Jiangmin 13.0.900 2010.03.22 Backdoor/RBot.oqm

K7AntiVirus 7.10.1002 2010.03.19 -

Kaspersky 7.0.0.125 2010.03.22 -

McAfee 5927 2010.03.21 -

McAfee+Artemis 5927 2010.03.21 Artemis!696CAFEF7D46

McAfee-GW-Edition 6.8.5 2010.03.22 -

Microsoft 1.5605 2010.03.22 -

NOD32 4965 2010.03.22 -

Norman 6.04.09 2010.03.22 -

nProtect 2009.1.8.0 2010.03.22 -

Panda 10.0.2.2 2010.03.22 -

PCTools 7.0.3.5 2010.03.22 Application.NirCmd

Prevx 3.0 2010.03.22 -

Rising 22.40.00.04 2010.03.22 -

Sophos 4.51.0 2010.03.22 NirCmd

Sunbelt 6024 2010.03.22 -

Symantec 20091.2.0.41 2010.03.22 -

TheHacker 6.5.2.0.241 2010.03.22 -

TrendMicro 9.120.0.1004 2010.03.22 -

VBA32 3.12.12.2 2010.03.19 Trojan.Win32.Agent2.cpop

ViRobot 2010.3.22.2238 2010.03.22 -

VirusBuster 5.0.27.0 2010.03.21 -

Additional information

File size: 3888953 bytes

MD5...: 696cafef7d468312521ca0daf9443c22

SHA1..: cf338a8111bb34c47023cd27ed9e15576a253116

SHA256: 12139e4259122142a5e79877faa8404d2add9ba36acfbd38dd1af6e884a0b43b

ssdeep: 98304:ZdT5ACRG3hpdqdg4t6lrhikwZqIB+HpPsFj8:7y+GIdtWikwvoH6Fj8

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x25a60

timedatestamp.....: 0x4a6427af (Mon Jul 20 08:15:43 2009)

machinetype.......: 0x14c (I386)

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

UPX0 0x1000 0x1a000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

UPX1 0x1b000 0xb000 0xac00 7.91 1bc1245ff9048fed736ae63682ed39f4

.rsrc 0x26000 0x2000 0x1800 4.36 e4b3312c3ff4026176ec0979d40e3540

( 9 imports )

> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess

> ADVAPI32.dll: RegCloseKey

> COMCTL32.dll: -

> COMDLG32.dll: GetSaveFileNameA

> GDI32.dll: DeleteDC

> ole32.dll: OleInitialize

> OLEAUT32.dll: -

> SHELL32.dll: SHGetMalloc

> USER32.dll: GetDC

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: UPX compressed Win32 Executable (39.5%)

Win32 EXE Yoda's Crypter (34.3%)

Win32 Executable Generic (11.0%)

Win32 Dynamic Link Library (generic) (9.8%)

Generic Win/DOS Executable (2.5%)

packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.PECompact, PecBundle, PECompact, PE_Patch.PECompact, PecBundle, PECompact, UPX, PE_Patch.UPX, UPX, UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, UPX, UPX, PE_Patch.UPX, UPX

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

packers (F-Prot): RAR, UPX, PecBundle, PECompact

====================

Here is the GMER file

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-03-22 09:05:15

Windows 5.1.2600 Service Pack 3

Running: mrge.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdrpoc.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

====================

Toodles.



Hi ionavideo,

bocomfx.exe is my renaming of combofix - It says "PING is not recognized"

It's the same reason that the batch file failed, some tools (e.g. ping) are not installed on the computer.

OK, let's Uninstall ComboFix

  • Click START then RUN
  • Now type bocomfx /Uninstall in the runbox and click OK (note the space between x and /)

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    :services
    utm5nje2
    :files
    C:\WINDOWS\system32\drivers\utm5nje2.sys


  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

Next we really need to get the batch file to run so that we can see what is blocking the security sites.

Please use a pen drive to copy the following 3 files from C:\Windows\System32 on the working computer to the same folder on the infected computer, if the files already exist on the infected computer then do NOT replace them.

Ping.exe
Nslookup.exe
Ipconfig.exe

Now we will try an extended version of the batch file

Create a batch file

  1. Open Notepad.
  2. Copy/paste the following text into the empty Notepad window.
    @echo off
    Del results.txt
    Nslookup www.malwarebytes.org >> results.txt 2>>&1
    Nslookup www.safer-networking.org >> results.txt 2>>&1
    ping www.safer-networking.org >> results.txt 2>>&1
    ipconfig /all >> results.txt 2>>&1
    ipconfig /flushdns >> results.txt 2>>&1
    Nslookup www.malwarebytes.org >> results.txt 2>>&1
    Nslookup www.safer-networking.org >> results.txt 2>>&1
    ping www.safer-networking.org >> results.txt 2>>&1
    start notepad results.txt
    Del %0


  3. Save the file as xxx.bat on your desktop. Save it with the file type... all types *.*. Replace the existing file if prompted.
  4. Double click the file xxx.bat to execute.

results.txt should open in Notepad automatically when the script has completed, post the contents of this file in your next response along with the log from OTL.


Okey dokey

-----------------------------

March 23 Results.txt

*** Can't find server name for address 93.188.162.117: Server failed

Server: 93.188.161.67.static.ukrtelegroup.com.ua

Address: 93.188.161.67

Name: www.malwarebytes.org

*** 93.188.162.117.static.ukrtelegroup.com.ua can't find www.safer-networking.org: Non-existent domain

Server: 93.188.162.117.static.ukrtelegroup.com.ua

Address: 93.188.162.117

Ping request could not find host www.safer-networking.org. Please check the name and try again.

Windows IP Configuration

Host Name . . . . . . . . . . . . : asus

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : dc.dc.cox.net

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : dc.dc.cox.net

Description . . . . . . . . . . . : Atheros AR5007EG Wireless Network Adapter

Physical Address. . . . . . . . . : 00-15-AF-67-50-24

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.117

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 93.188.162.117

93.188.161.67

Lease Obtained. . . . . . . . . . : Tuesday, March 23, 2010 3:36:07 PM

Lease Expires . . . . . . . . . . : Wednesday, March 24, 2010 3:36:07 PM

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Atheros L2 Fast Ethernet 10/100 Base-T Controller

Physical Address. . . . . . . . . : 00-1E-8C-41-7C-C8

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

Server: 93.188.162.117.static.ukrtelegroup.com.ua

Address: 93.188.162.117

Name: www.malwarebytes.org

*** 93.188.162.117.static.ukrtelegroup.com.ua can't find www.safer-networking.org: Non-existent domain

Server: 93.188.162.117.static.ukrtelegroup.com.ua

Address: 93.188.162.117

Ping request could not find host www.safer-networking.org. Please check the name and try again.

------------------------------------

March 23 OTL report

========== SERVICES/DRIVERS ==========

Service utm5nje2 stopped successfully!

Service utm5nje2 deleted successfully!

Error: No service named :files was found to stop!

Service\Driver key :files not found.

Error: No service named C:\WINDOWS\system32\drivers\utm5nje2.sys was found to stop!

Service\Driver key C:\WINDOWS\system32\drivers\utm5nje2.sys not found.

OTL by OldTimer - Version 3.1.37.3 log created on 03232010_151434

=======================

About Start-Run: I don't have a Start-Run. At least I can't find it. I always go to a command line prompt when I'm following instructions that say Start-Run. In this case the command line uninstall instruction couldn't find the file. Can't I just delete the bocomfx.exe file?

Thank you, DL.

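The results.txt above shows the whole problem in two lines: DHCP is enabled, yet the adapter is resolving through 93.188.162.117 and 93.188.161.67 (reverse names under ukrtelegroup.com.ua) rather than the ISP's resolvers, and that resolver answers "Non-existent domain" for www.safer-networking.org. As an added example, not code from any post in this thread, the following Python script automates the check the batch file was written to make: it parses an `ipconfig /all` dump and nslookup output, flags resolvers that differ from the ones DHCP should have delivered, and flags security-vendor hostnames the resolver claims do not exist. The sample input is constructed to mirror the posted results.txt; the expected Cox resolvers are an assumption taken from the DhcpNameServer value that appears in the OTL log further down the thread.

```python
"""Triage helper for the DNS-resolver hijack seen in this thread (added example,
not code from any post). It parses `ipconfig /all` and `nslookup` output and
reports resolvers that are not the ones DHCP should have delivered, plus
hostnames the resolver answered NXDOMAIN for although they are known to exist."""
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample modelled on the results.txt above (not the original file).
SAMPLE_IPCONFIG = """\
Windows IP Configuration
   Host Name . . . . . . . . . . . . : asus

Ethernet adapter Wireless Network Connection:
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.117
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.162.117
                                       93.188.161.67
   Lease Obtained. . . . . . . . . . : Tuesday, March 23, 2010 3:36:07 PM
"""

SAMPLE_NSLOOKUP = """\
*** 93.188.162.117.static.ukrtelegroup.com.ua can't find www.safer-networking.org: Non-existent domain
Server:  93.188.162.117.static.ukrtelegroup.com.ua
Address:  93.188.162.117
"""

# Assumption: the resolvers the ISP's DHCP lease should deliver. These are the
# DhcpNameServer values from the OTL log further down the thread; in practice,
# read them from a known-clean machine on the same network.
EXPECTED_RESOLVERS = {"68.105.28.11", "68.105.29.11", "68.105.28.12"}

# Names that certainly exist; an NXDOMAIN answer for any of them is a lie.
MUST_EXIST = {"www.malwarebytes.org", "www.safer-networking.org"}


def parse_dns_servers(ipconfig_text):
    """Return the resolver IPs from an `ipconfig /all` dump. Windows prints the
    second and later servers on continuation lines holding only the address."""
    servers, collecting = [], False
    for raw in ipconfig_text.splitlines():
        line = raw.strip()
        if line.startswith("DNS Servers"):
            value = line.split(":", 1)[1].strip()
            if IPV4.match(value):
                servers.append(value)
            collecting = True
        elif collecting and IPV4.match(line):
            servers.append(line)
        else:
            collecting = False
    return servers


def dhcp_enabled(ipconfig_text):
    """True when the adapter reports 'Dhcp Enabled ... : Yes'."""
    m = re.search(r"Dhcp Enabled[ .]*:\s*(\w+)", ipconfig_text, re.IGNORECASE)
    return bool(m) and m.group(1).lower() == "yes"


def nxdomain_names(nslookup_text):
    """Hostnames the resolver answered 'Non-existent domain' for."""
    return re.findall(r"can't find (\S+): Non-existent domain", nslookup_text)


def assess(ipconfig_text, nslookup_text,
           expected=EXPECTED_RESOLVERS, must_exist=MUST_EXIST):
    """Return (resolvers_in_use, findings). An empty findings list means the
    dump shows nothing suspicious by these two tests."""
    servers = parse_dns_servers(ipconfig_text)
    findings = []
    rogue = [s for s in servers if s not in expected]
    if rogue and dhcp_enabled(ipconfig_text):
        # DHCP handed out one set of resolvers but the stack uses another: a
        # static NameServer value under HKLM\SYSTEM\CurrentControlSet\Services\
        # Tcpip\Parameters takes precedence over DhcpNameServer, which is
        # exactly the value the O17 line in an OTL fix removes.
        findings.append("resolvers %s are not the DHCP-assigned %s; check the "
                        "static NameServer registry value"
                        % (rogue, sorted(expected)))
    elif rogue:
        findings.append("static resolvers %s are not the ISP's %s"
                        % (rogue, sorted(expected)))
    lying = sorted(n for n in nxdomain_names(nslookup_text) if n in must_exist)
    if lying:
        findings.append("resolver returned NXDOMAIN for %s, which do exist" % lying)
    return servers, findings


if __name__ == "__main__":
    used, problems = assess(SAMPLE_IPCONFIG, SAMPLE_NSLOOKUP)
    print("resolvers in use:", used)
    for p in problems:
        print("FINDING:", p)
```

The two tests are deliberately independent: a static NameServer override is visible even when the rogue resolver is answering honestly for the names you happen to query, and a lying resolver is visible even on a machine where DHCP is off and the resolver was typed in by hand. Run against a dump from a clean machine on the same network first, so that the expected-resolver set is grounded in what the ISP actually hands out rather than guessed.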

Hi ionavideo,

I don't have a Start-Run. At least I can't find it. I always go to a command line prompt when I'm following instructions that say Start-Run. In this case the command line uninstall instruction couldn't find the file

At the command prompt type

"%userprofile%\desktop\bocomfx" /Uninstall

Make sure you include the quote marks around the path, with the /Uninstall switch outside them, otherwise the command prompt looks for a file named "bocomfx /Uninstall" and reports that it cannot be found.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    :otl
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.117,93.188.161.67

    :files
    C:\WINDOWS\system32\drivers\utm5nje2.sys


  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot, save a copy of the log to post in your next reply.

Run OTL Scan

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

  • Please post the contents of OTL.txt and the result from the Fix in your next reply


Hi, here's the OTL script reply

========== OTL ==========

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer| /E : value set successfully!

========== FILES ==========

C:\WINDOWS\system32\drivers\utm5nje2.sys moved successfully.

OTL by OldTimer - Version 3.1.37.3 log created on 03252010_195224

------------------------

and the OTL reports

OTL logfile created on: 3/25/2010 7:55:22 PM - Run 3

OTL by OldTimer - Version 3.1.37.3 Folder = D:\Virus Malware removal

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 376.00 Mb Available Physical Memory | 75.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 500 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 3.72 Gb Total Space | 1.03 Gb Free Space | 27.84% Space Free | Partition Type: NTFS

Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.22% Space Free | Partition Type: FAT32

Drive E: | 1.85 Gb Total Space | 0.98 Gb Free Space | 53.24% Space Free | Partition Type: FAT

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ASUS

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - D:\Virus Malware removal\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)

PRC - C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

PRC - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)

PRC - C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\WINDOWS\system32\acs.exe (Atheros)

PRC - E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)

========== Modules (SafeList) ==========

MOD - D:\Virus Malware removal\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\DrvPatch.dll (WangYue@BLCU.EDU.CN)

========== Win32 Services (SafeList) ==========

SRV - (UPS) -- File not found

SRV - (ose) -- File not found

SRV - (odserv) -- File not found

SRV - (ClipSrv) -- File not found

SRV - (CiSvc) -- File not found

SRV - (HauppaugeTVServer) -- C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works)

SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)

========== Driver Services (SafeList) ==========

DRV - (hcw72DTV) -- C:\WINDOWS\system32\drivers\hcw72DTV.sys (Hauppauge Computer Works, Inc.)

DRV - (hcw72ATV) -- C:\WINDOWS\system32\drivers\hcw72ATV.sys (Hauppauge Computer Works, Inc.)

DRV - (hcw72ADFilter) -- C:\WINDOWS\system32\drivers\hcw72ADFilter.sys (Hauppauge Computer Works, Inc.)

DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)

DRV - (MPE) -- C:\WINDOWS\system32\drivers\MPE.sys (Microsoft Corporation)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (AtcL002) -- C:\WINDOWS\system32\drivers\l251x86.sys (Atheros Communications, Inc.)

DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)

DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)

DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)

DRV - (APL531) -- C:\WINDOWS\system32\drivers\ov550i.sys (Omnivision Technologies, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx File not found

O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)

O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [skyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [unlockerAssistant] E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()

O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)

O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [sUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware.exe File not found

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = D:\Program Files\Adobe\Distillr\AcroTray.exe File not found

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk = C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideRunAsVerb = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll File not found

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - E:\Program Files\SASWINLO.dll - E:\Program Files\SASWINLO.dll File not found

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - E:\Program Files\SASSEH.DLL File not found

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/08/27 15:27:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2009/08/27 17:52:02 | 000,000,103 | ---- | M] () - D:\Autorun.inf -- [ FAT32 ]

O33 - MountPoints2\{27ce3bed-9350-11de-a6b0-0015af675024}\Shell\AutoRun\command - "" = D:\LinksysConnectPC.exe -- [2009/08/27 17:52:00 | 003,993,088 | ---- | M] (Linksys, a Division of Cisco Systems, Inc.)

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/25 19:45:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent

[2010/03/23 15:06:21 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ping.exe

[2010/03/23 15:06:16 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\nslookup.exe

[2010/03/23 15:06:10 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ipconfig.exe

[2010/03/22 08:26:08 | 000,000,000 | --SD | C] -- C:\bocomfx

[2010/03/20 15:30:48 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/03/18 13:15:49 | 000,056,816 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys

[2010/03/14 20:16:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer

[2010/03/14 15:12:25 | 000,040,448 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll

[2010/03/14 15:08:32 | 000,047,104 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\AsTray.exe

[2010/03/14 15:08:29 | 000,011,264 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\DrvPatch.dll

[2010/03/14 15:04:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\7-Zip

[2010/03/14 15:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\New Folder

[2010/03/14 14:58:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\EEEPC graphics drivers

[2010/03/14 14:34:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera

[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Opera

[2010/03/14 12:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff

[2010/03/14 11:49:18 | 000,000,000 | ---D | C] -- C:\MGtools

[2010/03/14 11:46:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/03/14 11:46:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/03/14 11:46:30 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/03/14 11:46:30 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/03/14 11:46:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/03/14 11:45:30 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/03/14 10:51:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

[2010/03/14 10:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com

[2010/03/14 10:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun

[2010/03/14 10:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/03/14 10:42:46 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/03/14 10:42:46 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/03/14 10:42:11 | 000,000,000 | ---D | C] -- C:\Program Files\Java

[2010/03/13 06:23:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2010/03/12 20:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AVG8

[2010/03/12 12:11:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\possible virus or malware

[2010/03/12 12:04:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\igfx Intel graphics driver files

[2010/03/12 11:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

[2010/03/12 11:29:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/03/12 11:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/03/12 11:29:24 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/03/10 21:23:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\ProjectX_Portable

[2010/03/10 21:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tsMuxeR_1.10.6

[2010/03/08 05:27:49 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild

[2010/03/08 05:27:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer

[2010/03/08 05:27:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us

[2010/03/08 05:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies

[2010/03/08 05:26:38 | 000,022,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spupdsvc.exe

[2010/03/08 05:26:38 | 000,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll

[2010/03/07 17:46:52 | 000,485,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evr.dll

[2010/03/07 17:46:52 | 000,000,000 | ---D | C] -- C:\My Videos

[2010/03/07 17:46:31 | 000,036,921 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwutl32.dll

[2010/03/07 17:36:09 | 000,000,000 | R-SD | C] -- C:\WINDOWS\assembly

[2010/03/07 17:35:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\v7 wintv

[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\PCHEALTH

[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET

[2010/03/07 17:12:30 | 000,307,256 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwpnp32.dll

[2010/03/07 17:12:30 | 000,106,552 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwi2c32.dll

[2010/03/07 17:11:01 | 001,220,224 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72DTV.sys

[2010/03/07 17:10:55 | 000,028,928 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ADFilter.sys

[2010/03/07 17:10:36 | 000,095,744 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwcpxx.ax

[2010/03/07 17:10:36 | 000,044,032 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcw72Co.dll

[2010/03/07 17:10:34 | 001,217,920 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ATV.sys

[2010/03/07 13:58:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\LitBirthdays March 2010

[2009/08/27 15:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/03/25 19:47:18 | 000,042,612 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\3rd ref backup cc_20100325_194645.reg

[2010/03/22 08:12:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/03/22 08:12:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/03/20 22:41:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010/03/20 22:06:05 | 002,883,584 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2010/03/20 22:06:05 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010/03/20 06:11:04 | 005,880,278 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

[2010/03/20 03:14:51 | 000,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys

[2010/03/18 13:43:09 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable

[2010/03/18 12:44:22 | 000,525,824 | ---- | M] () -- C:\dds.com

[2010/03/16 21:38:38 | 000,000,558 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/03/16 21:38:38 | 000,000,270 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/03/16 21:38:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2010/03/16 07:14:07 | 000,004,972 | ---- | M] () -- C:\WINDOWS\System32\AsTray.ini

[2010/03/14 15:05:42 | 000,939,956 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe

[2010/03/14 13:25:27 | 000,000,430 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk

[2010/03/14 10:45:01 | 000,000,558 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk

[2010/03/14 10:42:17 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll

[2010/03/14 10:42:17 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/03/14 10:42:17 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/03/08 13:42:20 | 000,041,568 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/03/08 13:41:59 | 000,181,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/03/08 13:36:31 | 000,399,130 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/03/08 13:36:30 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/03/08 13:36:30 | 000,058,458 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/03/07 18:10:52 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI

[2010/03/07 18:10:52 | 000,000,483 | ---- | M] () -- C:\WINDOWS\ODBC.INI

[2010/03/07 18:09:09 | 000,003,536 | ---- | M] () -- C:\WINDOWS\HCWPNP.INI

[2010/03/07 17:52:17 | 000,000,769 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk

[2010/03/07 17:52:17 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk

[2010/03/07 16:32:46 | 000,000,425 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk

========== Files Created - No Company Name ==========

[2010/03/25 19:47:16 | 000,042,612 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\3rd ref backup cc_20100325_194645.reg

[2010/03/18 13:43:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable

[2010/03/18 13:25:37 | 000,525,824 | ---- | C] () -- C:\dds.com

[2010/03/14 15:08:32 | 000,004,972 | ---- | C] () -- C:\WINDOWS\System32\AsTray.ini

[2010/03/14 15:08:28 | 000,125,952 | ---- | C] () -- C:\WINDOWS\System32\igxpun.exe

[2010/03/14 15:05:41 | 000,939,956 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe

[2010/03/14 13:25:27 | 000,000,430 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk

[2010/03/14 11:46:30 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/03/14 11:46:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/03/14 11:46:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/03/14 11:46:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/03/14 11:46:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/03/08 05:29:15 | 000,114,400 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2010/03/07 17:52:17 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk

[2010/03/07 17:52:17 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk

[2010/03/07 17:48:54 | 000,142,337 | ---- | C] () -- C:\WINDOWS\System32\Wait.exe

[2010/03/07 17:12:02 | 000,003,536 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI

[2010/03/07 16:32:46 | 000,000,425 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk

[2009/12/13 20:48:42 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/10/14 15:56:22 | 000,399,360 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll

[2009/10/14 15:17:51 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll

[2009/10/11 19:35:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dmcrypto.dll

[2009/10/11 19:22:03 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll

[2009/09/07 10:53:12 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2009/09/06 14:59:41 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll

[2009/09/02 09:43:25 | 000,000,483 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009/08/29 16:58:57 | 000,016,773 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2009/08/28 10:00:57 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2009/08/27 16:18:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll

< End of report >

====================OTL Extras logfile created on: 3/25/2010 7:55:22 PM - Run 3

OTL by OldTimer - Version 3.1.37.3 Folder = D:\Virus Malware removal

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 376.00 Mb Available Physical Memory | 75.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 85.00% Paging File free

Paging file location(s): C:\pagefile.sys 500 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 3.72 Gb Total Space | 1.03 Gb Free Space | 27.84% Space Free | Partition Type: NTFS

Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.22% Space Free | Partition Type: FAT32

Drive E: | 1.85 Gb Total Space | 0.98 Gb Free Space | 53.24% Space Free | Partition Type: FAT

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ASUS

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = Opera.HTML] -- E:\Program Files\OPERA BROWSER\opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "E:\Office12\msohtmed.exe" %1 File not found

htmlfile [open] -- Reg Error: Key error.

htmlfile [opennew] -- Reg Error: Key error.

htmlfile [print] -- "E:\Office12\msohtmed.exe" /p %1 File not found

http [open] -- "E:\Program Files\OPERA BROWSER\opera.exe" (Opera Software)

https [open] -- "E:\Program Files\OPERA BROWSER\opera.exe" (Opera Software)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" File not found

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- "D:\Program Files\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" File not found

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- Reg Error: Key error.

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found

"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)

"C:\Program Files\WinTV\WinTV7\WinTV7.exe" = C:\Program Files\WinTV\WinTV7\WinTV7.exe:*:Enabled:WinTV7 -- (Hauppauge Computer Works, Inc.)

"E:\Program Files\OPERA BROWSER\opera.exe" = E:\Program Files\OPERA BROWSER\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{063E409E-3D7C-4A4A-95AB-2F124B9224B3}" = ArcSoft PhotoImpression 6

"{0A755762-EED8-47AB-A446-505766F93D43}" = Atheros Communications Inc.® L2 Fast Ethernet Driver

"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java 6 Update 18

"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program

"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1

"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5

"{332BCC03-A1B7-4BE7-8C8A-2B1333E22C33}" = Opera 10.50

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{5A347920-4AFC-11D5-9FB0-800649886934}" = SDFormatter

"{6B566EFE-DC1D-471F-93DD-84832663F140}" = OVT Scanner X86

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable

"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"7-Zip" = 7-Zip 4.65

"Adobe Acrobat 5.0" = Adobe Acrobat 5.0

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Photoshop 7.0" = Adobe Photoshop 7.0

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"Audacity_is1" = Audacity 1.2.6

"CCleaner" = CCleaner

"Cool Edit Pro 2.1" = Cool Edit Pro 2.1

"Gadwin PrintScreen" = Gadwin PrintScreen

"Hauppauge WinTV 7" = Hauppauge WinTV 7

"HDMI" = Intel® Graphics Media Accelerator Driver

"HijackThis" = HijackThis 2.0.2

"Karen's Computer Profiler" = Karen's Computer Profiler

"Karen's Time Sync" = Karen's Time Sync

"Karen's WhoIs" = Karen's WhoIs

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5

"Nero - Burning Rom!UninstallKey" = Nero OEM

"OVT Scanner" = Uninstall OVT Scanner

"QuicktimeAlt_is1" = QuickTime Alternative 3.0.0

"RealAlt_is1" = Real Alternative 2.0.1

"ST6UNST #1" = Karen's Disk Slack Checker

"SUPER

[Attachments: two screenshots]

Hi ionavideo,

I think I accidentally made a virtual drive. The first screenshot shows that bocomfx is a folder, but it has a drive icon instead of a folder icon.

Please right-click on the bocomfx icon, select Properties, and post a screenshot.

Now please try to access the Malwarebytes web site. If successful, please run Malwarebytes, update the definitions, run a quick scan, and then post the log back here.

If you still cannot access the site then please reboot and then run another OTL scan and post OTL.txt in your next reply.


Thanks, DL

I had actually tried running Malwarebytes earlier today before I read this. It thought bcomfx.sys was not good.

I still can't access malwarebytes web site.

Here is an OTL log that I just ran.

=====================

OTL logfile created on: 3/29/2010 5:49:37 PM - Run 4

OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 300.00 Mb Available Physical Memory | 60.00% Memory free

974.00 Mb Paging File | 807.00 Mb Available in Paging File | 83.00% Paging File free

Paging file location(s): C:\pagefile.sys 500 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 3.72 Gb Total Space | 0.04 Gb Free Space | 1.10% Space Free | Partition Type: NTFS

Drive D: | 1.88 Gb Total Space | 1.47 Gb Free Space | 78.20% Space Free | Partition Type: FAT32

Drive E: | 1.85 Gb Total Space | 0.96 Gb Free Space | 52.23% Space Free | Partition Type: FAT

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: ASUS

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)

PRC - C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works)

PRC - E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft Inc.)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

PRC - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)

PRC - C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)

PRC - C:\WINDOWS\system32\acs.exe (Atheros)

PRC - E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff\OTL.exe (OldTimer Tools)

MOD - E:\Program Files\File Unlocker\Unlocker\UnlockerHook.dll ()

MOD - C:\WINDOWS\system32\DrvPatch.dll (WangYue@BLCU.EDU.CN)

========== Win32 Services (SafeList) ==========

SRV - (UPS) -- File not found

SRV - (ose) -- File not found

SRV - (odserv) -- File not found

SRV - (ClipSrv) -- File not found

SRV - (CiSvc) -- File not found

SRV - (HauppaugeTVServer) -- C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (Hauppauge Computer Works)

SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)

SRV - (ACS) -- C:\WINDOWS\system32\acs.exe (Atheros)

========== Driver Services (SafeList) ==========

DRV - (hcw72DTV) -- C:\WINDOWS\system32\drivers\hcw72DTV.sys (Hauppauge Computer Works, Inc.)

DRV - (hcw72ATV) -- C:\WINDOWS\system32\drivers\hcw72ATV.sys (Hauppauge Computer Works, Inc.)

DRV - (hcw72ADFilter) -- C:\WINDOWS\system32\drivers\hcw72ADFilter.sys (Hauppauge Computer Works, Inc.)

DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)

DRV - (MPE) -- C:\WINDOWS\system32\drivers\MPE.sys (Microsoft Corporation)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)

DRV - (AtcL002) -- C:\WINDOWS\system32\drivers\l251x86.sys (Atheros Communications, Inc.)

DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)

DRV - (WSIMD) -- C:\WINDOWS\system32\drivers\wsimd.sys (Atheros Communications, Inc.)

DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)

DRV - (APL531) -- C:\WINDOWS\system32\drivers\ov550i.sys (Omnivision Technologies, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-21-1844237615-838170752-515967899-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx File not found

O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)

O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\AsTray.exe (WangYue@BLCU.EDU.CN)

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [skyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [unlockerAssistant] E:\Program Files\File Unlocker\Unlocker\UnlockerAssistant.exe ()

O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe (Gadwin Systems, Inc)

O4 - HKU\S-1-5-21-1844237615-838170752-515967899-500..\Run: [sUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware.exe File not found

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = D:\Program Files\Adobe\Distillr\AcroTray.exe File not found

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk = C:\Program Files\WinTV\WinTV7\WinTVTray.exe (Hauppauge Computer Works, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideRunAsVerb = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogoff = 0

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0

O7 - HKU\S-1-5-21-1844237615-838170752-515967899-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll File not found

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - E:\Program Files\SASWINLO.dll - E:\Program Files\SASWINLO.dll File not found

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - E:\Program Files\SASSEH.DLL File not found

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/08/27 15:27:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2009/08/27 17:52:02 | 000,000,103 | ---- | M] () - D:\Autorun.inf -- [ FAT32 ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/29 17:46:25 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent

[2010/03/23 15:06:21 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ping.exe

[2010/03/23 15:06:16 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\nslookup.exe

[2010/03/23 15:06:10 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ipconfig.exe

[2010/03/22 08:26:08 | 000,000,000 | --SD | C] -- C:\bocomfx

[2010/03/20 15:30:48 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/03/18 13:15:49 | 000,056,816 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys

[2010/03/14 20:16:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer

[2010/03/14 15:12:25 | 000,040,448 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll

[2010/03/14 15:08:32 | 000,047,104 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\AsTray.exe

[2010/03/14 15:08:29 | 000,011,264 | ---- | C] (WangYue@BLCU.EDU.CN) -- C:\WINDOWS\System32\DrvPatch.dll

[2010/03/14 15:04:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\7-Zip

[2010/03/14 14:58:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\EEEPC graphics drivers

[2010/03/14 14:34:22 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera

[2010/03/14 13:25:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Opera

[2010/03/14 12:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Anti-Malware stuff

[2010/03/14 11:49:18 | 000,000,000 | ---D | C] -- C:\MGtools

[2010/03/14 11:46:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/03/14 11:46:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/03/14 11:46:30 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/03/14 11:46:30 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/03/14 11:46:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/03/14 11:45:30 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/03/14 10:51:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

[2010/03/14 10:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com

[2010/03/14 10:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun

[2010/03/14 10:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2010/03/14 10:42:46 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/03/14 10:42:46 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/03/14 10:42:46 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/03/14 10:42:11 | 000,000,000 | ---D | C] -- C:\Program Files\Java

[2010/03/13 06:23:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2010/03/12 20:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\AVG8

[2010/03/12 12:11:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\possible virus or malware

[2010/03/12 12:04:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\igfx Intel graphics driver files

[2010/03/12 11:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

[2010/03/12 11:29:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/03/12 11:29:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/03/12 11:29:24 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/03/10 21:23:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\ProjectX_Portable

[2010/03/10 21:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tsMuxeR_1.10.6

[2010/03/08 05:27:49 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild

[2010/03/08 05:27:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer

[2010/03/08 05:27:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us

[2010/03/08 05:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies

[2010/03/08 05:26:38 | 000,022,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spupdsvc.exe

[2010/03/08 05:26:38 | 000,014,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg2.dll

[2010/03/07 17:46:52 | 000,485,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\evr.dll

[2010/03/07 17:46:52 | 000,000,000 | ---D | C] -- C:\My Videos

[2010/03/07 17:46:31 | 000,036,921 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwutl32.dll

[2010/03/07 17:36:09 | 000,000,000 | R-SD | C] -- C:\WINDOWS\assembly

[2010/03/07 17:35:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\v7 wintv

[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\PCHEALTH

[2010/03/07 17:34:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET

[2010/03/07 17:12:30 | 000,307,256 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwpnp32.dll

[2010/03/07 17:12:30 | 000,106,552 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwi2c32.dll

[2010/03/07 17:11:01 | 001,220,224 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72DTV.sys

[2010/03/07 17:10:55 | 000,028,928 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ADFilter.sys

[2010/03/07 17:10:36 | 000,095,744 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwcpxx.ax

[2010/03/07 17:10:36 | 000,044,032 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcw72Co.dll

[2010/03/07 17:10:34 | 001,217,920 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\drivers\hcw72ATV.sys

[2010/03/07 13:58:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\LitBirthdays March 2010

[2009/08/27 15:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/08/27 15:27:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 30 Days ==========

[2010/03/29 17:47:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/03/29 17:46:30 | 002,883,584 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2010/03/29 17:46:30 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010/03/29 17:46:24 | 005,881,500 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

[2010/03/29 17:38:59 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/03/29 15:04:17 | 000,000,430 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk

[2010/03/27 16:33:43 | 000,000,558 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/03/27 16:33:43 | 000,000,270 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/03/25 19:47:18 | 000,042,612 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\3rd ref backup cc_20100325_194645.reg

[2010/03/20 22:41:27 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010/03/20 03:14:51 | 000,056,816 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys

[2010/03/18 13:43:09 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable

[2010/03/18 12:44:22 | 000,525,824 | ---- | M] () -- C:\dds.com

[2010/03/16 21:38:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2010/03/16 07:14:07 | 000,004,972 | ---- | M] () -- C:\WINDOWS\System32\AsTray.ini

[2010/03/14 15:05:42 | 000,939,956 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe

[2010/03/14 10:45:01 | 000,000,558 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk

[2010/03/14 10:42:17 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll

[2010/03/14 10:42:17 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe

[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe

[2010/03/14 10:42:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

[2010/03/14 10:42:17 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl

[2010/03/08 13:42:20 | 000,041,568 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/03/08 13:41:59 | 000,181,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/03/08 13:36:31 | 000,399,130 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/03/08 13:36:30 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/03/08 13:36:30 | 000,058,458 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/03/07 18:10:52 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI

[2010/03/07 18:10:52 | 000,000,483 | ---- | M] () -- C:\WINDOWS\ODBC.INI

[2010/03/07 18:09:09 | 000,003,536 | ---- | M] () -- C:\WINDOWS\HCWPNP.INI

[2010/03/07 17:52:17 | 000,000,769 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk

[2010/03/07 17:52:17 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk

[2010/03/07 16:32:46 | 000,000,425 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk

========== Files Created - No Company Name ==========

[2010/03/25 19:47:16 | 000,042,612 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\3rd ref backup cc_20100325_194645.reg

[2010/03/18 13:43:09 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable

[2010/03/18 13:25:37 | 000,525,824 | ---- | C] () -- C:\dds.com

[2010/03/14 15:08:32 | 000,004,972 | ---- | C] () -- C:\WINDOWS\System32\AsTray.ini

[2010/03/14 15:08:28 | 000,125,952 | ---- | C] () -- C:\WINDOWS\System32\igxpun.exe

[2010/03/14 15:05:41 | 000,939,956 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\7z465.exe

[2010/03/14 13:25:27 | 000,000,430 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk

[2010/03/14 11:46:30 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/03/14 11:46:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/03/14 11:46:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/03/14 11:46:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/03/14 11:46:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/03/08 05:29:15 | 000,114,400 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

[2010/03/07 17:52:17 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinTV Recording Status..lnk

[2010/03/07 17:52:17 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinTV 7.lnk

[2010/03/07 17:48:54 | 000,142,337 | ---- | C] () -- C:\WINDOWS\System32\Wait.exe

[2010/03/07 17:12:02 | 000,003,536 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI

[2010/03/07 16:32:46 | 000,000,425 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Install WinTV 7 CD 1.3a.lnk

[2009/12/13 20:48:42 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/10/14 15:56:22 | 000,399,360 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll

[2009/10/14 15:17:51 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll

[2009/10/11 19:35:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\dmcrypto.dll

[2009/10/11 19:22:03 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll

[2009/09/07 10:53:12 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2009/09/06 14:59:41 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll

[2009/09/02 09:43:25 | 000,000,483 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009/08/29 16:58:57 | 000,016,773 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2009/08/28 10:00:57 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2009/08/27 16:18:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll

< End of report >

=====================

and the jpg is attached.

Please right-click on the bocomfx icon, select Properties and post a screenshot.

Now please try to access the Malwarebytes web site. If successful, please run Malwarebytes, update the definitions and run a quick scan, then post the log back here.

If you still cannot access the site, please reboot, then run another OTL scan and post OTL.txt in your next reply.

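The OTL items that usually explain "every antivirus site gives me an error page" are all visible in the log above: the O1 HOSTS entries, the O17 resolver settings, the O35/O37 open handlers for .exe and .com, and autorun entries (O2, O4, O20, O28) whose target file is gone. The script below is an added example for reading those lines out of an OTL log; it is not OTL's code and not part of the original thread. Most of its sample input is copied from the posted log; the two lines marked constructed (a HOSTS override for www.malwarebytes.org and a replaced exefile handler) are made up so the checks have something to catch. The vendor keyword list and the severity ranking are this example's own assumptions.

```python
"""Triage an OTL log for the items behind "cannot reach antivirus sites":
HOSTS overrides (O1), resolver settings (O17), hijacked .exe/.com open
handlers (O35/O37) and autorun entries whose target file is missing."""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, OTL item code, detail)

CLEAN_OPEN_CMD = '"%1" %*'  # stock shell\open\command for exefile/comfile on XP
BENIGN_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Vendors named in this thread (assumed list); a HOSTS override for any of
# them is the classic reason an infected box gets an error page at an AV site.
SECURITY_VENDORS = ("malwarebytes", "avira", "superantispyware", "gmer", "trendmicro")
DEAD_ENTRY_ITEMS = {"O2", "O4", "O20", "O28"}  # BHO, Run keys, Winlogon Notify, ShellExecuteHooks

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
DNS_RE = re.compile(r"^O17 - (.+?):\s+((?:Dhcp)?NameServer)\s*=\s*(.+)$")
OPEN_RE = re.compile(r"^(O35|O37) - (.+?)\s+--\s+(.+)$")


def triage_otl(lines: List[str]) -> List[Finding]:
    """Return findings sorted by severity (high, medium, info, low)."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if (ip, host) not in BENIGN_HOSTS:
                sev = "high" if any(v in host.lower() for v in SECURITY_VENDORS) else "medium"
                findings.append((sev, "O1", f"HOSTS maps {host} to {ip}"))
            continue
        m = DNS_RE.match(line)
        if m:
            _, key, servers = m.groups()
            # DhcpNameServer came from the DHCP lease; a static NameServer on a
            # home machine is more likely to be a planted rogue resolver.
            sev = "medium" if key == "NameServer" else "info"
            findings.append((sev, "O17", f"{key} = {servers.strip()}"))
            continue
        m = OPEN_RE.match(line)
        if m:
            item, key, cmd = m.groups()
            if cmd.strip() != CLEAN_OPEN_CMD:
                findings.append(("high", item, f"{key} runs {cmd.strip()} instead of {CLEAN_OPEN_CMD}"))
            continue
        item = line.split(" ", 1)[0]
        if item in DEAD_ENTRY_ITEMS and "File not found" in line:
            findings.append(("low", item, line))
    rank = {"high": 0, "medium": 1, "info": 2, "low": 3}
    return sorted(findings, key=lambda f: rank[f[0]])


# Sample input: lines copied from the posted log plus two constructed ones.
SAMPLE_LOG = [
    "O1 - Hosts: 127.0.0.1 localhost",
    "O1 - Hosts: 72.14.207.99 www.malwarebytes.org",  # constructed override
    r"O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\adobe\Acrobat\ActiveX\AcroIEHelper.ocx File not found",
    r"O4 - HKLM..\Run: [ACU] C:\Program Files\Atheros\ACU.exe (Atheros Communications, Inc.)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12",
    r'O35 - HKLM\..comfile [open] -- "%1" %*',
    r'O35 - HKLM\..exefile [open] -- "C:\WINDOWS\system32\hijack.exe" "%1" %*',  # constructed
    r'O37 - HKLM\...exe [@ = exefile] -- "%1" %*',
]

if __name__ == "__main__":
    for sev, item, detail in triage_otl(SAMPLE_LOG):
        print(f"[{sev:6}] {item:4} {detail}")
```

Run over the log actually posted above, the script flags nothing high: the HOSTS file carries only the localhost line, both open handlers are stock, and the only O17 entry is a DHCP-supplied resolver list, so the redirect to an error page is not explained by any of the items it checks. The dead entries it reports (the Adobe BHO, the SUPERAntiSpyware Run key and Winlogon Notify entry, the missing SASSEH.DLL hook) are leftovers from uninstalled software rather than evidence of the infection.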

This topic is now closed to further replies.