
Laptop won't start after running MB



Hi, last night I realised that my girlfriend's laptop was infected with the Malware Doctor program. I downloaded MB and ran it, after updating it. It picked up numerous infections, which I then asked it to fix. It said it got rid of those, but some would need to be removed on restart.

I then restarted it and since then the laptop won't boot up.

It is a Toshiba Satellite, running Windows XP. I have read through numerous pages on here and it seems to be consistent with the atapi issues that everyone else has got. I cannot boot, I cannot even boot in safe mode.

I have tried running the Windows repair (after booting from a CD), I select the OS that I want (option 1 - it only has one OS installed) and have then hit enter for the administrator's password (hasn't got one) but then nothing happens, the command prompt just comes up and I don't know what to do.

So I found one of the replies from Kahdah which suggested the following:

"Download RC.ISO and burn it to a cd as an ISO image. You may need a burning toy like ISO Recorder to do this...be sure to get the version for your operating system.

Once you have burned this as an ISO image, insert the CD into the drive, and then restart the computer.

Since this is a Dell PC then the boot from disk would be to press F12 during the BIOS splash screen to boot from another device.

Watch for the prompt to "Press any key to boot from CD" and press the spacebar when you see it.

When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console...by number (usually 1)

When you are prompted to do so, type the Administrator password. If you have not set an administrator password, leave it blank and just press "Enter".

At the Recovery Console command prompt, type expand D:\I386\atapi.SY_ C:\Windows\system32\drivers\ /y then press Enter.

At the next prompt, type the following bolded text, and press Enter:

exit

============

Take the disk out of the drive and see if it gets into Windows then."

That created two issues, firstly it wouldn't get into the repair option if the rc.iso disk was in the drive. However I got round that by getting into repair with the Windows CD but then swapping the disks over when it was loading up into the repair section. That worked, but when I typed in the "expand D:\......." command it says location not found.

I have tried the fixmbr command in Windows repair, but that hasn't worked either, so thought I'd post here first before trying anything else.

The missus is having a serious strop about the laptop not working - so any help would be really, really appreciated!!

Cheers

Brucey


Hello brucey_bluenose

Welcome to Malwarebytes.

=====================

Rc.iso is only the recovery console by itself; it is not an installation CD.

Where does the computer stop at?

Is it a blue screen?

If so please post the information that it produces.

If it doesn't produce a blue screen then do the following to get it to show up.

Restart the computer and continually tap the F8 key until you see some bootup options.

Choose the one that says Disable automatic restart on system failure then hit enter.

Then post what it says please.


Hi Kahdah, thanks very much for taking the time to reply.

The laptop doesn't even get to the blue screen, it starts to fire up, gives me the set up and multiboot options and then just stops on a black screen, so I don't even get a blue screen or error message. The HDD light also stops flashing.

I've just disabled automatic restart on system failure and still nothing comes up, still the same black screen.

I can get into the F2 set up, I can get into the F12 multiboot options - and as mentioned above, I can get it to boot to the windows set up from an installation CD, so I don't think it's not a PSU issue.

Also, I did manage to get the rc.iso to extract last night (my apologies, I'd missed out a space in the command string). It extracted OK, but still hasn't made any difference.

Last known good configuration hasn't worked and neither has safe mode, where fifteen "system32" files list on the screen (ending in windows\system32\drivers\isapnp.sys), but then it stops. Apologies if that's irrelevant information.

Any ideas?

Thanks again.

Brucey


Please print these instructions out so that you know what you are doing

Please do this......

  • Download OTLPE Network from either location and save it to your desktop:
    http://oldtimer.geekstogo.com/OTLPENet.exe
    http://ottools.noahdfear.net/OTLPENet.exe
  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPENet Iso to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click the burn button to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start
  • Copy and paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    Please note: Double click the Firefox icon on the desktop to connect to this thread if you have a wired connection; otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.
    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90


  • Push the Run Scan button
  • When finished, the file will be saved in drive C:\OTL.txt
  • Please post the contents of the C:\OTL.txt file in your next reply.
  • Copy this file to your USB drive if you do not have an internet connection.


Hi Kahdah,

The OTL output is as follows:

OTL logfile created on: 6/5/2010 9:19:36 AM - Run

OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE

Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

222.00 Mb Total Physical Memory | 52.00 Mb Available Physical Memory | 23.00% Memory free

190.00 Mb Paging File | 68.00 Mb Available in Paging File | 36.00% Paging File free

Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.26 Gb Total Space | 22.00 Gb Free Space | 59.04% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 238.38 Mb Total Space | 238.36 Mb Free Space | 99.99% Space Free | Partition Type: FAT

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO

Current User Name: SYSTEM

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2007/04/14 07:55:57 | 000,640,600 | ---- | M] (PC Tools Research Pty Ltd) [Disabled] -- C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe -- (PCTAVSvc)

SRV - [2006/12/07 11:45:22 | 000,504,424 | ---- | M] () [Disabled] -- C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe -- (ioloDMV)

SRV - [2006/08/07 10:39:36 | 002,007,040 | ---- | M] (Kontiki Inc.) [Disabled] -- C:\Program Files\KService\KService.exe -- (KService)

SRV - [2005/11/13 21:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [Disabled] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)

SRV - [2005/07/07 19:13:14 | 000,036,864 | ---- | M] () [Disabled] -- C:\WINDOWS\system32\acs.exe -- (ACS)

SRV - [2005/01/17 19:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Disabled] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)

SRV - [2004/09/29 08:14:36 | 000,069,632 | ---- | M] (HP) [Disabled] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)

DRV - File not found [Kernel | System] -- -- (PCIDump)

DRV - File not found [Kernel | Auto] -- -- (mdmxsdk)

DRV - File not found [Kernel | System] -- -- (lbrtfdc)

DRV - File not found [Kernel | System] -- -- (i2omgmt)

DRV - File not found [Kernel | System] -- -- (Changer)

DRV - [2010/05/30 18:15:39 | 000,000,000 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\kxvzvq.sys -- (kxvzvq)

DRV - [2010/05/30 18:14:15 | 000,054,016 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\lbug.sys -- (yppd)

DRV - [2007/07/29 14:27:18 | 000,015,872 | ---- | M] (PC Tools Research Pty Ltd) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\AVFilter.sys -- (AVFilter)

DRV - [2007/03/15 15:52:00 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)

DRV - [2006/11/24 07:31:02 | 000,022,528 | ---- | M] (PC Tools Research Pty Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AVHook.sys -- (AVHook)

DRV - [2006/11/24 07:31:02 | 000,015,872 | ---- | M] (PC Tools Research Pty Ltd ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AVRec.sys -- (AVRec)

DRV - [2006/07/24 12:05:00 | 000,005,632 | ---- | M] () [File_System | System] -- C:\WINDOWS\system32\drivers\StarOpen.sys -- (StarOpen)

DRV - [2006/03/27 13:53:28 | 000,167,808 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)

DRV - [2006/01/12 12:21:18 | 000,031,872 | ---- | M] (Quanta Computer, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\qkbfiltr.sys -- (qkbfiltr)

DRV - [2005/12/16 19:15:06 | 000,191,936 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)

DRV - [2005/12/12 01:40:44 | 001,414,656 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2005/10/06 01:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)

DRV - [2005/10/06 01:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)

DRV - [2005/10/06 01:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)

DRV - [2005/10/06 01:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)

DRV - [2005/10/06 01:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)

DRV - [2005/10/06 01:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)

DRV - [2005/10/06 01:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)

DRV - [2005/09/12 22:08:30 | 000,468,736 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)

DRV - [2005/09/11 23:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\DRVMCDB.SYS -- (DRVMCDB)

DRV - [2005/08/25 08:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)

DRV - [2005/08/25 08:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)

DRV - [2005/08/12 01:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)

DRV - [2005/06/17 03:17:48 | 000,352,000 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)

DRV - [2005/06/17 03:17:00 | 000,038,144 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)

DRV - [2005/06/11 00:42:00 | 000,005,504 | ---- | M] (Quanta Computer Corp) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BoiHwSetup.sys -- (BoiHwsetup)

DRV - [2005/05/05 10:27:38 | 000,007,936 | ---- | M] (Quanta Computer, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\qmofiltr.sys -- (qmofiltr)

DRV - [2005/03/04 14:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)

DRV - [2004/08/04 09:00:00 | 000,036,352 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\disk.sys -- (Disk)

DRV - [2004/08/03 19:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)

DRV - [2003/01/29 17:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\natalie_bull_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\natalie_bull_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2007/11/08 19:10:06 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/04 11:56:12 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/04 11:56:12 | 000,000,000 | ---D | M]

[2009/03/01 15:14:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2007/11/20 12:52:00 | 002,884,992 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

[2010/02/21 15:06:03 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml

[2010/02/21 15:06:03 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml

[2010/02/21 15:06:03 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml

[2010/02/21 15:06:04 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2004/08/04 09:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (C:\WINDOWS\system32\m9wmvhas.dll) - {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - C:\WINDOWS\system32\m9wmvhas.dll ()

O3 - HKU\natalie_bull_ON_C\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.

O3 - HKU\natalie_bull_ON_C\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKU\natalie_bull_ON_C..\Run: [{7EEF1EB4-BEAE-7F06-9559-6BA9F5990C69}] C:\Documents and Settings\natalie bull\Application Data\Xuawu\qyub.exe ()

O4 - HKU\natalie_bull_ON_C..\Run: [{EEA72E68-DD13-5DD7-E559-2A04CA48CA92}] C:\Documents and Settings\natalie bull\Application Data\Vabih\ukri.exe (Fucyta)

O4 - HKU\natalie_bull_ON_C..\Run: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] C:\Documents and Settings\natalie bull\Local Settings\Temp\bmdod.exe ()

O4 - HKU\natalie_bull_ON_C..\Run: [hsfg9w8gujsokgahi8gysgnsdgefshyjy] C:\Documents and Settings\natalie bull\Local Settings\Temp\winlogon.exe ()

O4 - HKU\natalie_bull_ON_C..\Run: [mcexecwin] C:\Documents and Settings\natalie bull\Local Settings\Temp\pde18szz.dll ()

O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\natalie_bull_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\natalie_bull_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1

O7 - HKU\natalie_bull_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1

O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\NPJPI150_10.dll (Sun Microsystems, Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)

O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)

O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)

O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O20 - AppInit_DLLs: (C:\WINDOWS\system32\ipsmsnap32.dll) - C:\WINDOWS\system32\ipsmsnap32.dll ()

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: GinaDLL - (RtlGina2.dll) - C:\WINDOWS\System32\RtlGina2.dll ()

O20 - Winlogon\Notify\387450e0922: DllName - C:\WINDOWS\system32\ipsmsnap32.dll - C:\WINDOWS\system32\ipsmsnap32.dll ()

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O22 - SharedTaskScheduler: {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - har98fefiesjfs93s8i9sejsdf - C:\WINDOWS\system32\m9wmvhas.dll ()

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/02/13 06:36:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (smrgdf C:\Documents and Settings\natalie bull\Application Data\iolo\) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2000/01/01 03:17:23 | 000,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)

NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/05/30 18:15:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/05/30 18:15:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/05/30 17:51:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\natalie bull\Application Data\Malwarebytes

[2010/05/30 17:51:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/05/30 17:51:22 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/05/30 17:51:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/05/30 17:50:25 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\natalie bull\Desktop\mbam-setup-1.46.exe

[2010/05/30 16:59:10 | 000,000,000 | ---D | C] -- C:\Program Files\$NtUninstallWTF1012$

[2010/05/30 16:55:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\natalie bull\Application Data\481715FC7BE3192DAF20CF28BFC9CAD4

[22 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/30 18:15:44 | 000,229,376 | ---- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT

[2010/05/30 18:15:44 | 000,225,280 | ---- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT

[2010/05/30 18:15:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/05/30 18:15:39 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\kxvzvq.sys

[2010/05/30 18:15:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/05/30 18:15:20 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\natalie bull\ntuser.dat

[2010/05/30 18:15:20 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\natalie bull\ntuser.ini

[2010/05/30 18:14:15 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\lbug.sys

[2010/05/30 17:50:26 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\natalie bull\Desktop\mbam-setup-1.46.exe

[2010/05/30 17:49:21 | 000,000,306 | -H-- | M] () -- C:\WINDOWS\tasks\MSWD-a1a8c762.job

[2010/05/30 17:45:37 | 000,003,321 | -HS- | M] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922P.manifest

[2010/05/30 17:45:37 | 000,000,013 | -HS- | M] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922C.manifest

[2010/05/30 17:45:37 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922S.manifest

[2010/05/30 17:45:37 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922O.manifest

[2010/05/30 17:43:36 | 233,099,264 | -HS- | M] () -- C:\hiberfil.sys

[2010/05/30 17:29:45 | 000,001,075 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/05/30 17:29:45 | 000,000,327 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/05/30 17:29:45 | 000,000,211 | RHS- | M] () -- C:\boot.ini

[2010/05/30 16:56:55 | 000,182,272 | ---- | M] () -- C:\WINDOWS\System32\ipsmsnap32.dll

[2010/05/30 16:55:44 | 000,124,928 | ---- | M] () -- C:\WINDOWS\Cjolua.exe

[2010/05/30 16:55:32 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\m9wmvhas.dll

[2010/05/30 08:31:06 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/05/11 13:49:32 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[22 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/30 18:14:15 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\lbug.sys

[2010/05/30 17:43:36 | 233,099,264 | -HS- | C] () -- C:\hiberfil.sys

[2010/05/30 16:57:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\kxvzvq.sys

[2010/05/30 16:57:29 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922S.manifest

[2010/05/30 16:57:28 | 000,000,013 | -HS- | C] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922C.manifest

[2010/05/30 16:57:28 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922O.manifest

[2010/05/30 16:57:27 | 000,003,321 | -HS- | C] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922P.manifest

[2010/05/30 16:57:21 | 000,124,928 | ---- | C] () -- C:\WINDOWS\Cjolua.exe

[2010/05/30 16:56:55 | 000,182,272 | ---- | C] () -- C:\WINDOWS\System32\ipsmsnap32.dll

[2010/05/30 16:56:44 | 000,000,306 | -H-- | C] () -- C:\WINDOWS\tasks\MSWD-a1a8c762.job

[2010/05/30 16:55:32 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\m9wmvhas.dll

[2009/08/15 07:10:05 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll

[2009/08/15 07:10:01 | 000,696,320 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll

[2009/08/15 07:09:24 | 000,422,504 | ---- | C] () -- C:\WINDOWS\System32\Incinerator.dll

[2008/11/30 14:05:28 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys

[2007/12/26 12:59:54 | 000,000,308 | ---- | C] () -- C:\Documents and Settings\natalie bull\results.txt

[2007/01/26 16:44:28 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\natalie bull\Local Settings\Application Data\fusioncache.dat

[2006/11/25 16:18:26 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2006/11/25 16:18:25 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll

[2006/11/25 15:27:07 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\natalie bull\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2006/11/04 13:31:42 | 000,002,735 | ---- | C] () -- C:\WINDOWS\DevMgr.ini

[2006/11/04 13:23:59 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI

[2006/11/04 12:01:53 | 000,001,188 | ---- | C] () -- C:\Documents and Settings\natalie bull\Application Data\wklnhst.dat

[2006/10/14 09:55:38 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\natalie bull\ntuser.ini

[2006/10/14 09:55:37 | 003,670,016 | -H-- | C] () -- C:\Documents and Settings\natalie bull\ntuser.dat

[2006/10/14 09:55:37 | 000,016,384 | -H-- | C] () -- C:\Documents and Settings\natalie bull\ntuser.dat.LOG

[2006/05/03 13:44:32 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\RtlGina2.dll

[2006/02/13 08:40:04 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2006/02/13 08:10:51 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2006/02/13 07:55:36 | 000,000,216 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2006/02/13 07:49:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI

[2006/02/13 07:45:25 | 000,011,122 | ---- | C] () -- C:\WINDOWS\HWSetupStr.ini

[2006/02/13 07:45:25 | 000,002,036 | R--- | C] () -- C:\WINDOWS\SVPW32Str.ini

[2006/02/13 07:39:26 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini

[2006/02/13 07:39:26 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll

[2006/02/13 07:39:26 | 000,009,362 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini

[2006/02/13 07:39:26 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini

[2006/02/13 06:40:08 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2006/02/13 06:39:50 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini

[2006/02/13 06:39:49 | 000,229,376 | ---- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT

[2006/02/13 06:39:49 | 000,061,440 | -H-- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG

[2006/02/13 06:39:49 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini

[2006/02/13 06:39:48 | 000,225,280 | ---- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT

[2006/02/13 06:39:48 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG

[2006/02/13 05:20:48 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ToshBIOS.dll

[2006/02/13 05:20:48 | 000,000,083 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2006/01/26 13:03:32 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\TPeculiarity.dll

[2005/12/08 14:56:50 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\tsbwls.dll

[2005/11/28 23:33:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2004/08/03 18:59:56 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\disk.sys

[2002/11/23 14:48:16 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\win2000.dll

[1999/07/05 06:00:00 | 000,073,867 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll

========== LOP Check ==========

[2008/03/16 06:12:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\iolo

[2010/05/30 16:56:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\481715FC7BE3192DAF20CF28BFC9CAD4

[2009/08/15 05:52:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\iolo

[2007/01/26 16:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Kontiki

[2010/05/30 17:13:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Qulaap

[2009/11/07 07:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Samsung

[2006/11/04 12:02:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Template

[2000/01/01 03:11:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\toshiba

[2009/10/30 00:02:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Vabih

[2010/05/30 17:47:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Vazoom

[2007/09/30 18:09:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Xuawu

[2010/05/30 17:49:21 | 000,000,306 | -H-- | M] () -- C:\WINDOWS\Tasks\MSWD-a1a8c762.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2001/09/28 10:25:02 | 000,000,024 | ---- | M] () -- C:\16102rkr.cat

[2001/09/28 10:25:02 | 000,000,024 | ---- | M] () -- C:\16102rwr.cat

[2001/09/28 10:25:02 | 000,000,024 | ---- | M] () -- C:\16112rkr.cat

[2001/09/28 09:38:30 | 000,000,024 | ---- | M] () -- C:\16112rkw.cat

[2001/09/28 10:25:02 | 000,000,024 | ---- | M] () -- C:\16112rwr.cat

[2001/09/28 09:38:28 | 000,000,024 | ---- | M] () -- C:\16112rww.cat

[2006/02/13 06:36:26 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT

[2010/05/30 17:29:45 | 000,000,211 | RHS- | M] () -- C:\boot.ini

[2002/04/25 14:13:54 | 000,806,912 | ---- | M] (Conexant Systems Inc.) -- C:\CnxAdslC.cpl

[2002/05/02 04:08:40 | 000,722,308 | ---- | M] () -- C:\CnxAdslH.chm

[2002/03/11 12:00:14 | 000,225,280 | ---- | M] (Conexant Systems Inc.) -- C:\CnxAdslL.exe

[2001/10/03 09:08:10 | 000,118,784 | ---- | M] (Conexant Systems, Inc.) -- C:\CnxClsCo.dll

[2002/03/11 12:00:42 | 000,397,312 | ---- | M] (Conexant Systems Inc.) -- C:\CnxDslTb.exe

[2002/03/11 13:00:18 | 000,368,640 | ---- | M] (Conexant Systems Inc.) -- C:\CnxDslWz.dll

[2000/05/18 06:21:28 | 000,002,998 | ---- | M] () -- C:\CnxDunI.ico

[2002/03/11 12:00:06 | 000,151,552 | ---- | M] (Conexant Systems Inc.) -- C:\CnxHwIo.dll

[2001/10/03 09:12:24 | 000,118,784 | ---- | M] (Conexant Systems, Inc.) -- C:\CnxMfdCo.dll

[2002/03/11 11:58:06 | 000,043,521 | ---- | M] () -- C:\CnxTgF.hex

[2002/03/11 11:54:24 | 000,108,225 | ---- | M] (Conexant Systems Inc.) -- C:\CnxTgN.sys

[2002/03/11 11:52:06 | 000,430,687 | ---- | M] (Conexant Systems Inc.) -- C:\CnxTgP.sys

[2002/03/11 11:51:24 | 000,107,944 | ---- | M] (Conexant Systems Inc.) -- C:\CnxTgR.sys

[2002/03/11 12:00:38 | 000,204,800 | ---- | M] (Conexant Systems Inc.) -- C:\CnxUnist.exe

[2006/02/13 06:36:26 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS

[2002/07/03 10:19:48 | 000,012,549 | ---- | M] () -- C:\Cxt1610R.inf

[2002/07/03 10:19:46 | 000,026,305 | ---- | M] () -- C:\Cxt1611C.inf

[2002/07/03 10:19:48 | 000,012,822 | ---- | M] () -- C:\Cxt1611R.inf

[2001/12/06 03:59:20 | 000,003,824 | ---- | M] () -- C:\CxtClsCo.inf

[2000/03/28 08:41:00 | 000,000,043 | ---- | M] () -- C:\DISK1

[2010/05/30 17:43:36 | 233,099,264 | -HS- | M] () -- C:\hiberfil.sys

[2006/02/13 06:36:26 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2006/02/13 06:36:26 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2009/06/14 10:28:37 | 000,071,168 | ---- | M] () -- C:\NATCV1.doc

[2004/08/04 09:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM

[2004/08/04 09:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr

[2005/10/31 11:56:00 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe

[2006/03/31 13:52:26 | 000,000,176 | -H-- | M] () -- C:\SWSTAMP.TXT

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

[2008/06/20 13:41:10 | 000,148,992 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dnsapi.dll

[2010/03/11 08:38:52 | 006,067,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ieframe.dll

[2010/03/11 08:38:52 | 000,268,288 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iertutil.dll

[2004/08/04 09:00:00 | 000,274,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\mstask.dll

[2004/08/04 09:00:00 | 000,067,072 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ntdsapi.dll

[2004/08/04 09:00:00 | 000,023,040 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\psapi.dll

[2008/07/03 09:03:29 | 008,460,800 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\shell32.dll

[22 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

[2006/02/13 06:26:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

[2006/02/13 06:26:24 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav

[2006/02/13 06:26:24 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

[2010/05/30 18:15:39 | 000,000,000 | ---- | M] () -- C:\WINDOWS\system32\drivers\kxvzvq.sys

[2010/05/30 18:14:15 | 000,054,016 | ---- | M] () -- C:\WINDOWS\system32\drivers\lbug.sys

[2010/04/29 10:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys

[2010/04/29 10:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys

< End of report >

I look forward to hearing from you further. As ever, thanks so much for helping me out here.

Cheers

Brucey


You are welcome. You have a nasty rootkit infection present; it will take a few steps to remove the infections.

I need to first have OTLPE search for a replacement file.

Please post this log after it completes.

  • Double click on the OTLPE icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    %systemdrive%\disk.sy* /s /md5


  • Click the Run Scan button.
  • When the scan completes, post the new C:\OTL.txt


Here you go pal, this is the result:

OTL logfile created on: 6/5/2010 5:04:24 PM - Run

OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE

Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

222.00 Mb Total Physical Memory | 55.00 Mb Available Physical Memory | 25.00% Memory free

190.00 Mb Paging File | 68.00 Mb Available in Paging File | 36.00% Paging File free

Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.26 Gb Total Space | 22.00 Gb Free Space | 59.04% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 238.38 Mb Total Space | 238.36 Mb Free Space | 99.99% Space Free | Partition Type: FAT

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO

Current User Name: SYSTEM

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2007/04/14 07:55:57 | 000,640,600 | ---- | M] (PC Tools Research Pty Ltd) [Disabled] -- C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe -- (PCTAVSvc)

SRV - [2006/12/07 11:45:22 | 000,504,424 | ---- | M] () [Disabled] -- C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe -- (ioloDMV)

SRV - [2006/08/07 10:39:36 | 002,007,040 | ---- | M] (Kontiki Inc.) [Disabled] -- C:\Program Files\KService\KService.exe -- (KService)

SRV - [2005/11/13 21:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [Disabled] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)

SRV - [2005/07/07 19:13:14 | 000,036,864 | ---- | M] () [Disabled] -- C:\WINDOWS\system32\acs.exe -- (ACS)

SRV - [2005/01/17 19:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Disabled] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)

SRV - [2004/09/29 08:14:36 | 000,069,632 | ---- | M] (HP) [Disabled] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)

DRV - File not found [Kernel | System] -- -- (PCIDump)

DRV - File not found [Kernel | Auto] -- -- (mdmxsdk)

DRV - File not found [Kernel | System] -- -- (lbrtfdc)

DRV - File not found [Kernel | System] -- -- (i2omgmt)

DRV - File not found [Kernel | System] -- -- (Changer)

DRV - [2010/05/30 18:15:39 | 000,000,000 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\kxvzvq.sys -- (kxvzvq)

DRV - [2010/05/30 18:14:15 | 000,054,016 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\lbug.sys -- (yppd)

DRV - [2007/07/29 14:27:18 | 000,015,872 | ---- | M] (PC Tools Research Pty Ltd) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\AVFilter.sys -- (AVFilter)

DRV - [2007/03/15 15:52:00 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)

DRV - [2006/11/24 07:31:02 | 000,022,528 | ---- | M] (PC Tools Research Pty Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AVHook.sys -- (AVHook)

DRV - [2006/11/24 07:31:02 | 000,015,872 | ---- | M] (PC Tools Research Pty Ltd ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AVRec.sys -- (AVRec)

DRV - [2006/07/24 12:05:00 | 000,005,632 | ---- | M] () [File_System | System] -- C:\WINDOWS\system32\drivers\StarOpen.sys -- (StarOpen)

DRV - [2006/03/27 13:53:28 | 000,167,808 | ---- | M] (NETGEAR Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wg111v2.sys -- (RTLWUSB)

DRV - [2006/01/12 12:21:18 | 000,031,872 | ---- | M] (Quanta Computer, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\qkbfiltr.sys -- (qkbfiltr)

DRV - [2005/12/16 19:15:06 | 000,191,936 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)

DRV - [2005/12/12 01:40:44 | 001,414,656 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2005/10/06 01:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)

DRV - [2005/10/06 01:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)

DRV - [2005/10/06 01:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)

DRV - [2005/10/06 01:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)

DRV - [2005/10/06 01:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)

DRV - [2005/10/06 01:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)

DRV - [2005/10/06 01:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)

DRV - [2005/09/12 22:08:30 | 000,468,736 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)

DRV - [2005/09/11 23:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\DRVMCDB.SYS -- (DRVMCDB)

DRV - [2005/08/25 08:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)

DRV - [2005/08/25 08:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)

DRV - [2005/08/12 01:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)

DRV - [2005/06/17 03:17:48 | 000,352,000 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\camc6hal.sys -- (CAMCHALA)

DRV - [2005/06/17 03:17:00 | 000,038,144 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\camc6aud.sys -- (CAMCAUD)

DRV - [2005/06/11 00:42:00 | 000,005,504 | ---- | M] (Quanta Computer Corp) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BoiHwSetup.sys -- (BoiHwsetup)

DRV - [2005/05/05 10:27:38 | 000,007,936 | ---- | M] (Quanta Computer, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\qmofiltr.sys -- (qmofiltr)

DRV - [2005/03/04 14:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)

DRV - [2004/08/04 09:00:00 | 000,036,352 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\disk.sys -- (Disk)

DRV - [2004/08/03 19:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)

DRV - [2003/01/29 17:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\natalie_bull_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\natalie_bull_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2007/11/08 19:10:06 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/04 11:56:12 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/04 11:56:12 | 000,000,000 | ---D | M]

[2009/03/01 15:14:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2007/11/20 12:52:00 | 002,884,992 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

[2010/02/21 15:06:03 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml

[2010/02/21 15:06:03 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml

[2010/02/21 15:06:03 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml

[2010/02/21 15:06:04 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2004/08/04 09:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (C:\WINDOWS\system32\m9wmvhas.dll) - {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - C:\WINDOWS\system32\m9wmvhas.dll ()

O3 - HKU\natalie_bull_ON_C\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.

O3 - HKU\natalie_bull_ON_C\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKU\natalie_bull_ON_C..\Run: [{7EEF1EB4-BEAE-7F06-9559-6BA9F5990C69}] C:\Documents and Settings\natalie bull\Application Data\Xuawu\qyub.exe ()

O4 - HKU\natalie_bull_ON_C..\Run: [{EEA72E68-DD13-5DD7-E559-2A04CA48CA92}] C:\Documents and Settings\natalie bull\Application Data\Vabih\ukri.exe (Fucyta)

O4 - HKU\natalie_bull_ON_C..\Run: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] C:\Documents and Settings\natalie bull\Local Settings\Temp\bmdod.exe ()

O4 - HKU\natalie_bull_ON_C..\Run: [hsfg9w8gujsokgahi8gysgnsdgefshyjy] C:\Documents and Settings\natalie bull\Local Settings\Temp\winlogon.exe ()

O4 - HKU\natalie_bull_ON_C..\Run: [mcexecwin] C:\Documents and Settings\natalie bull\Local Settings\Temp\pde18szz.dll ()

O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\natalie_bull_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\natalie_bull_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1

O7 - HKU\natalie_bull_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1

O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\NPJPI150_10.dll (Sun Microsystems, Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)

O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)

O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)

O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O20 - AppInit_DLLs: (C:\WINDOWS\system32\ipsmsnap32.dll) - C:\WINDOWS\system32\ipsmsnap32.dll ()

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: GinaDLL - (RtlGina2.dll) - C:\WINDOWS\System32\RtlGina2.dll ()

O20 - Winlogon\Notify\387450e0922: DllName - C:\WINDOWS\system32\ipsmsnap32.dll - C:\WINDOWS\system32\ipsmsnap32.dll ()

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O22 - SharedTaskScheduler: {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - har98fefiesjfs93s8i9sejsdf - C:\WINDOWS\system32\m9wmvhas.dll ()

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/02/13 06:36:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (smrgdf C:\Documents and Settings\natalie bull\Application Data\iolo\) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/30 18:15:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/05/30 18:15:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/05/30 17:51:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\natalie bull\Application Data\Malwarebytes

[2010/05/30 17:51:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/05/30 17:51:22 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/05/30 17:51:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/05/30 17:50:25 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\natalie bull\Desktop\mbam-setup-1.46.exe

[2010/05/30 16:59:10 | 000,000,000 | ---D | C] -- C:\Program Files\$NtUninstallWTF1012$

[2010/05/30 16:55:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\natalie bull\Application Data\481715FC7BE3192DAF20CF28BFC9CAD4

[22 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/30 18:15:44 | 000,229,376 | ---- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT

[2010/05/30 18:15:44 | 000,225,280 | ---- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT

[2010/05/30 18:15:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/05/30 18:15:39 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\kxvzvq.sys

[2010/05/30 18:15:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/05/30 18:15:20 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\natalie bull\ntuser.dat

[2010/05/30 18:15:20 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\natalie bull\ntuser.ini

[2010/05/30 18:14:15 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\lbug.sys

[2010/05/30 17:50:26 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\natalie bull\Desktop\mbam-setup-1.46.exe

[2010/05/30 17:49:21 | 000,000,306 | -H-- | M] () -- C:\WINDOWS\tasks\MSWD-a1a8c762.job

[2010/05/30 17:45:37 | 000,003,321 | -HS- | M] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922P.manifest

[2010/05/30 17:45:37 | 000,000,013 | -HS- | M] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922C.manifest

[2010/05/30 17:45:37 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922S.manifest

[2010/05/30 17:45:37 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922O.manifest

[2010/05/30 17:43:36 | 233,099,264 | -HS- | M] () -- C:\hiberfil.sys

[2010/05/30 17:29:45 | 000,001,075 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/05/30 17:29:45 | 000,000,327 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/05/30 17:29:45 | 000,000,211 | RHS- | M] () -- C:\boot.ini

[2010/05/30 16:56:55 | 000,182,272 | ---- | M] () -- C:\WINDOWS\System32\ipsmsnap32.dll

[2010/05/30 16:55:44 | 000,124,928 | ---- | M] () -- C:\WINDOWS\Cjolua.exe

[2010/05/30 16:55:32 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\m9wmvhas.dll

[2010/05/30 08:31:06 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/05/11 13:49:32 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[22 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/30 18:14:15 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\lbug.sys

[2010/05/30 17:43:36 | 233,099,264 | -HS- | C] () -- C:\hiberfil.sys

[2010/05/30 16:57:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\kxvzvq.sys

[2010/05/30 16:57:29 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922S.manifest

[2010/05/30 16:57:28 | 000,000,013 | -HS- | C] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922C.manifest

[2010/05/30 16:57:28 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922O.manifest

[2010/05/30 16:57:27 | 000,003,321 | -HS- | C] () -- C:\Documents and Settings\natalie bull\Application Data\020000006ca1b2f9922P.manifest

[2010/05/30 16:57:21 | 000,124,928 | ---- | C] () -- C:\WINDOWS\Cjolua.exe

[2010/05/30 16:56:55 | 000,182,272 | ---- | C] () -- C:\WINDOWS\System32\ipsmsnap32.dll

[2010/05/30 16:56:44 | 000,000,306 | -H-- | C] () -- C:\WINDOWS\tasks\MSWD-a1a8c762.job

[2010/05/30 16:55:32 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\m9wmvhas.dll

[2009/08/15 07:10:05 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll

[2009/08/15 07:10:01 | 000,696,320 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll

[2009/08/15 07:09:24 | 000,422,504 | ---- | C] () -- C:\WINDOWS\System32\Incinerator.dll

[2008/11/30 14:05:28 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys

[2007/12/26 12:59:54 | 000,000,308 | ---- | C] () -- C:\Documents and Settings\natalie bull\results.txt

[2007/01/26 16:44:28 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\natalie bull\Local Settings\Application Data\fusioncache.dat

[2006/11/25 16:18:26 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2006/11/25 16:18:25 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll

[2006/11/25 15:27:07 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\natalie bull\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2006/11/04 13:31:42 | 000,002,735 | ---- | C] () -- C:\WINDOWS\DevMgr.ini

[2006/11/04 13:23:59 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI

[2006/11/04 12:01:53 | 000,001,188 | ---- | C] () -- C:\Documents and Settings\natalie bull\Application Data\wklnhst.dat

[2006/10/14 09:55:38 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\natalie bull\ntuser.ini

[2006/10/14 09:55:37 | 003,670,016 | -H-- | C] () -- C:\Documents and Settings\natalie bull\ntuser.dat

[2006/10/14 09:55:37 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\natalie bull\ntuser.dat.LOG

[2006/05/03 13:44:32 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\RtlGina2.dll

[2006/02/13 08:40:04 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2006/02/13 08:10:51 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2006/02/13 07:55:36 | 000,000,216 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2006/02/13 07:49:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI

[2006/02/13 07:45:25 | 000,011,122 | ---- | C] () -- C:\WINDOWS\HWSetupStr.ini

[2006/02/13 07:45:25 | 000,002,036 | R--- | C] () -- C:\WINDOWS\SVPW32Str.ini

[2006/02/13 07:39:26 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini

[2006/02/13 07:39:26 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll

[2006/02/13 07:39:26 | 000,009,362 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini

[2006/02/13 07:39:26 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini

[2006/02/13 06:40:08 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2006/02/13 06:39:50 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini

[2006/02/13 06:39:49 | 000,229,376 | ---- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT

[2006/02/13 06:39:49 | 000,024,576 | -H-- | C] () -- C:\Documents and Settings\LocalService\ntuser.dat.LOG

[2006/02/13 06:39:49 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini

[2006/02/13 06:39:48 | 000,225,280 | ---- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT

[2006/02/13 06:39:48 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG

[2006/02/13 05:20:48 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ToshBIOS.dll

[2006/02/13 05:20:48 | 000,000,083 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2006/01/26 13:03:32 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\TPeculiarity.dll

[2005/12/08 14:56:50 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\tsbwls.dll

[2005/11/28 23:33:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2004/08/03 18:59:56 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\disk.sys

[2002/11/23 14:48:16 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\win2000.dll

[1999/07/05 06:00:00 | 000,073,867 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll

========== LOP Check ==========

[2008/03/16 06:12:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\iolo

[2010/05/30 16:56:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\481715FC7BE3192DAF20CF28BFC9CAD4

[2009/08/15 05:52:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\iolo

[2007/01/26 16:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Kontiki

[2010/05/30 17:13:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Qulaap

[2009/11/07 07:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Samsung

[2006/11/04 12:02:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Template

[2000/01/01 03:11:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\toshiba

[2009/10/30 00:02:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Vabih

[2010/05/30 17:47:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Vazoom

[2007/09/30 18:09:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Xuawu

[2010/05/30 17:49:21 | 000,000,306 | -H-- | M] () -- C:\WINDOWS\Tasks\MSWD-a1a8c762.job

========== Purity Check ==========

========== Custom Scans ==========

< %systemdrive%\disk.sy* /s /md5 >

[2004/08/04 09:00:00 | 000,019,989 | ---- | M] () MD5=749693D182E0697697C5943DA81DA0E0 -- C:\I386\DISK.SY_

[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\disk.sys

[2004/08/04 09:00:00 | 000,036,352 | ---- | M] () MD5=AF3B54C628609FE5EAF6B0280A379AE7 -- C:\WINDOWS\system32\drivers\disk.sys

< End of report >

Cheers


Run OTLPE

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    DRV - [2010/05/30 18:15:39 | 000,000,000 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\kxvzvq.sys -- (kxvzvq)
    DRV - [2010/05/30 18:14:15 | 000,054,016 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\lbug.sys -- (yppd)
    O2 - BHO: (C:\WINDOWS\system32\m9wmvhas.dll) - {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - C:\WINDOWS\system32\m9wmvhas.dll ()
    O3 - HKU\natalie_bull_ON_C\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O3 - HKU\natalie_bull_ON_C\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O4 - HKU\natalie_bull_ON_C..\Run: [{7EEF1EB4-BEAE-7F06-9559-6BA9F5990C69}] C:\Documents and Settings\natalie bull\Application Data\Xuawu\qyub.exe ()
    O4 - HKU\natalie_bull_ON_C..\Run: [{EEA72E68-DD13-5DD7-E559-2A04CA48CA92}] C:\Documents and Settings\natalie bull\Application Data\Vabih\ukri.exe (Fucyta)
    O4 - HKU\natalie_bull_ON_C..\Run: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] C:\Documents and Settings\natalie bull\Local Settings\Temp\bmdod.exe ()
    O4 - HKU\natalie_bull_ON_C..\Run: [hsfg9w8gujsokgahi8gysgnsdgefshyjy] C:\Documents and Settings\natalie bull\Local Settings\Temp\winlogon.exe ()
    O4 - HKU\natalie_bull_ON_C..\Run: [mcexecwin] C:\Documents and Settings\natalie bull\Local Settings\Temp\pde18szz.dll ()
    O7 - HKU\natalie_bull_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
    O7 - HKU\natalie_bull_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
    O20 - AppInit_DLLs: (C:\WINDOWS\system32\ipsmsnap32.dll) - C:\WINDOWS\system32\ipsmsnap32.dll ()
    O20 - Winlogon\Notify\387450e0922: DllName - C:\WINDOWS\system32\ipsmsnap32.dll - C:\WINDOWS\system32\ipsmsnap32.dll ()
    O22 - SharedTaskScheduler: {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - har98fefiesjfs93s8i9sejsdf - C:\WINDOWS\system32\m9wmvhas.dll ()
    [2010/05/30 16:55:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\natalie bull\Application Data\481715FC7BE3192DAF20CF28BFC9CAD4
    [2010/05/30 16:55:44 | 000,124,928 | ---- | M] () -- C:\WINDOWS\Cjolua.exe


    :Files
    C:\Documents and Settings\natalie bull\Application Data\Xuawu
    C:\Documents and Settings\natalie bull\Application Data\Vabih
    C:\WINDOWS\system32\drivers\disk.sys|C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\disk.sys /replace

    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

===============

See if you can then get into normal Windows.

If you can then do the following:

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

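The custom scan posted earlier in the thread lists `C:\WINDOWS\system32\drivers\disk.sys` with an empty company field and an MD5 that differs from the same-sized Microsoft-labelled copy under `SoftwareDistribution`, which is the file the `/replace` line in the fix above swaps in. The following is an added example, not part of the original posts and not OTL's own code, that runs the same comparison over OTL's MD5 scan lines; the three sample lines are copied from that log, the function names are this example's own, and reading the parenthesised field as the file's company name is an assumption about OTL's output format.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path handling that works on any OS

# Sample input: the three lines of the "disk.sy* /s /md5" custom scan,
# copied from the log posted earlier in this thread.
SCAN = r"""
[2004/08/04 09:00:00 | 000,019,989 | ---- | M] () MD5=749693D182E0697697C5943DA81DA0E0 -- C:\I386\DISK.SY_
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\disk.sys
[2004/08/04 09:00:00 | 000,036,352 | ---- | M] () MD5=AF3B54C628609FE5EAF6B0280A379AE7 -- C:\WINDOWS\system32\drivers\disk.sys
"""

# [timestamp | size | attributes | M or C] (company) MD5=<hash> -- <path>
# Assumption: the parenthesised field is the company name OTL read from the file.
ENTRY = re.compile(
    r"^\[(?P<stamp>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| [MC]\] \((?P<company>.*?)\) "
    r"MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)


def parse_scan(text):
    """Return one dict per file line; headers, blanks and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue
        entry = match.groupdict()
        entry["size"] = int(entry["size"].replace(",", ""))
        entry["md5"] = entry["md5"].upper()
        entry["company"] = entry["company"].strip()
        entries.append(entry)
    return entries


def find_suspect_drivers(entries):
    """Flag files under system32\\drivers whose company field is blank.

    For each flagged file, list the other copies of the same file name that
    do carry a company name and have a different MD5. Those are the copies
    to inspect as possible replacement sources.
    """
    by_name = defaultdict(list)
    for entry in entries:
        by_name[basename(entry["path"]).lower()].append(entry)

    findings = []
    for group in by_name.values():
        for entry in group:
            in_drivers = "\\system32\\drivers\\" in entry["path"].lower()
            if not in_drivers or entry["company"]:
                continue
            refs = [r for r in group
                    if r["company"] and r["md5"] != entry["md5"]]
            findings.append({
                "path": entry["path"],
                "md5": entry["md5"],
                "references": [r["path"] for r in refs],
                # Same size with a different hash means the content changed
                # without the length changing.
                "same_size_as_reference": any(
                    r["size"] == entry["size"] for r in refs),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspect_drivers(parse_scan(SCAN)):
        print("blank company:", finding["path"], finding["md5"])
        for ref in finding["references"]:
            print("  differs from:", ref)
        print("  same size as a reference copy:",
              finding["same_size_as_reference"])
```

A blank company field with a differing hash is a triage signal for closer inspection, not proof of tampering; MD5 is used here only because it is what the scan reports.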

Ok, ran the fix and it gave me this log file.

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kxvzvq deleted successfully.

C:\WINDOWS\system32\drivers\kxvzvq.sys moved successfully.

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\yppd deleted successfully.

C:\WINDOWS\system32\drivers\lbug.sys moved successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C7BA40A1-74F2-52BD-F411-04B15A2C8953}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7BA40A1-74F2-52BD-F411-04B15A2C8953}\ deleted successfully.

C:\WINDOWS\system32\m9wmvhas.dll moved successfully.

Registry value HKEY_USERS\natalie_bull_ON_C\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.

Registry value HKEY_USERS\natalie_bull_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.

Registry value HKEY_USERS\natalie_bull_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\{7EEF1EB4-BEAE-7F06-9559-6BA9F5990C69} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EEF1EB4-BEAE-7F06-9559-6BA9F5990C69}\ not found.

C:\Documents and Settings\natalie bull\Application Data\Xuawu\qyub.exe moved successfully.

Registry value HKEY_USERS\natalie_bull_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\{EEA72E68-DD13-5DD7-E559-2A04CA48CA92} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEA72E68-DD13-5DD7-E559-2A04CA48CA92}\ not found.

C:\Documents and Settings\natalie bull\Application Data\Vabih\ukri.exe moved successfully.

Registry value HKEY_USERS\natalie_bull_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\hsfe8owijfisjhgs7ye39gjsoighsd7y3eu deleted successfully.

C:\Documents and Settings\natalie bull\Local Settings\Temp\bmdod.exe moved successfully.

Registry value HKEY_USERS\natalie_bull_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\hsfg9w8gujsokgahi8gysgnsdgefshyjy deleted successfully.

C:\Documents and Settings\natalie bull\Local Settings\Temp\winlogon.exe moved successfully.

Registry value HKEY_USERS\natalie_bull_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\mcexecwin deleted successfully.

C:\Documents and Settings\natalie bull\Local Settings\Temp\pde18szz.dll moved successfully.

Registry value HKEY_USERS\natalie_bull_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions deleted successfully.

Registry value HKEY_USERS\natalie_bull_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\ipsmsnap32.dll deleted successfully.

C:\WINDOWS\system32\ipsmsnap32.dll moved successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\387450e0922\ deleted successfully.

File C:\WINDOWS\system32\ipsmsnap32.dll not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{C7BA40A1-74F2-52BD-F411-04B15A2C8953} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C7BA40A1-74F2-52BD-F411-04B15A2C8953}\ not found.

File C:\WINDOWS\system32\m9wmvhas.dll not found.

C:\Documents and Settings\natalie bull\Application Data\481715FC7BE3192DAF20CF28BFC9CAD4 folder moved successfully.

C:\WINDOWS\Cjolua.exe moved successfully.

========== FILES ==========

C:\Documents and Settings\natalie bull\Application Data\Xuawu folder moved successfully.

C:\Documents and Settings\natalie bull\Application Data\Vabih folder moved successfully.

File C:\WINDOWS\system32\drivers\disk.sys successfully replaced with C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\disk.sys

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService

->Temp folder emptied: 65536 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: natalie bull

->Temp folder emptied: 15939045 bytes

->Temporary Internet Files folder emptied: 48285997 bytes

->Java cache emptied: 11743740 bytes

->FireFox cache emptied: 45309623 bytes

->Flash cache emptied: 1969060 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 1361371 bytes

->Flash cache emptied: 405 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 18296337 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 395507 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23950170 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

Total Files Cleaned = 160.00 mb

OTLPE by OldTimer - Version 3.1.39.0 log created on 06052010_175032

I've now managed to boot the laptop up to normal windows and have put combofix on. I've tried to run it, but it's saying that PC Tools Antivirus is running and that I need to disable it - but I can't find PC Tools Anti Virus to disable. It's not in the system tray and not in task manager. I've just tried to start the program manually and it says it's got an error and that I need to reboot. I've managed to disable windows firewall through security centre, but can't disable PCTools AV.

Any ideas?


OK, here's the combofix text file

ComboFix 10-06-03.01 - natalie bull 05/06/2010 21:03:17.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.222.59 [GMT 1:00]

Running from: c:\documents and settings\natalie bull\Desktop\ComboFix.exe

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\natalie bull\Application Data\020000006ca1b2f9922C.manifest

c:\documents and settings\natalie bull\Application Data\020000006ca1b2f9922O.manifest

c:\documents and settings\natalie bull\Application Data\020000006ca1b2f9922P.manifest

c:\documents and settings\natalie bull\Application Data\020000006ca1b2f9922S.manifest

c:\documents and settings\natalie bull\Start Menu\Programs\Antimalware Doctor

c:\documents and settings\natalie bull\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk

c:\documents and settings\natalie bull\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk

c:\windows\system32\_000008_.tmp.dll

c:\windows\system32\_000009_.tmp.dll

.

((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))

.

2010-06-05 21:50 . 2010-06-05 21:50 -------- d-----w- C:\_OTL

2010-05-31 19:09 . 2001-08-17 13:51 86656 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-05-30 21:51 . 2010-05-30 21:51 -------- d-----w- c:\documents and settings\natalie bull\Application Data\Malwarebytes

2010-05-30 21:51 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-30 21:51 . 2010-05-30 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-30 21:51 . 2010-05-30 21:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-30 21:51 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-30 20:59 . 2010-05-30 20:59 -------- d-----w- c:\program files\$NtUninstallWTF1012$

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-05 19:56 . 2007-02-08 20:12 -------- d-----w- c:\program files\PC Tools AntiVirus

2010-05-30 21:47 . 2007-07-20 07:28 -------- d-----w- c:\documents and settings\natalie bull\Application Data\Vazoom

2010-05-30 21:13 . 2007-08-10 19:33 -------- d-----w- c:\documents and settings\natalie bull\Application Data\Qulaap

2010-04-22 18:25 . 2007-04-14 12:02 -------- d-----w- c:\documents and settings\natalie bull\Application Data\OpenOffice.org2

2010-03-11 12:38 . 2006-02-13 09:20 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2006-02-13 09:20 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2006-02-13 09:19 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2006-02-13 09:20 430080 ----a-w- c:\windows\system32\vbscript.dll

2004-08-04 13:00 . 2006-02-13 09:20 94784 --sh--w- c:\windows\twain.dll

2004-08-04 13:00 . 2006-02-13 09:20 50688 --sh--w- c:\windows\twain_32.dll

2004-08-04 13:00 . 2006-02-13 09:20 1028096 --sh--w- c:\windows\system32\mfc42.dll

2004-08-04 13:00 . 2006-02-13 09:20 54784 --sh--w- c:\windows\system32\msvcirt.dll

2004-08-04 13:00 . 2006-02-13 09:20 413696 --sh--w- c:\windows\system32\msvcp60.dll

2004-08-04 13:00 . 2006-02-13 09:20 343040 --sh--w- c:\windows\system32\msvcrt.dll

2007-12-04 18:38 . 2006-02-13 09:20 550912 --sh--w- c:\windows\system32\oleaut32.dll

2004-08-04 13:00 . 2006-02-13 09:20 83456 --sh--w- c:\windows\system32\olepro32.dll

2004-08-04 13:00 . 2006-02-13 09:20 11776 --sh--w- c:\windows\system32\regsvr32.exe

.

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys

[-] 2001-08-17 . A64013E98426E1877CB653685C5C0009 . 86656 . . [5.1.2600.0] . . c:\windows\system32\drivers\atapi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\natalie bull\Application Data\iolo\

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk

backup=c:\windows\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v2 Smart Wizard.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk

backup=c:\windows\pss\NETGEAR WG111v2 Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^natalie bull^Start Menu^Programs^Startup^Antimalware Doctor.lnk]

path=c:\documents and settings\natalie bull\Start Menu\Programs\Startup\Antimalware Doctor.lnk

backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^natalie bull^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]

backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

2005-12-11 21:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 13:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-10-06 05:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2004-09-13 15:49 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]

2006-08-07 14:39 2236416 ----a-w- c:\windows\kdx\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]

2006-12-07 15:46 562792 ----a-w- c:\program files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2007-04-14 11:58 77824 ----a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2005-12-16 23:32 761945 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2007-11-08 23:08 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]

2006-01-28 04:13 1589248 ----a-w- c:\program files\Toshiba\Windows Utilities\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]

2006-02-08 15:02 266240 ----a-w- c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 16:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ioloDMV"=2 (0x2)

"Pml Driver HPZ12"=2 (0x2)

"PCTAVSvc"=2 (0x2)

"KService"=2 (0x2)

"iPod Service"=3 (0x3)

"idsvc"=3 (0x3)

"IDriverT"=3 (0x3)

"CFSvcs"=2 (0x2)

"Bonjour Service"=2 (0x2)

"Ati HotKey Poller"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\kdx\\KHost.exe"=

"c:\\Program Files\\KService\\KService.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [27/03/2006 18:53 167808]

.

Contents of the 'Scheduled Tasks' folder

2010-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:34]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\natalie bull\Application Data\Mozilla\Firefox\Profiles\lhm4dgxl.default\

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-gotnewupdate000 - c:\documents and settings\natalie bull\Application Data\481715FC7BE3192DAF20CF28BFC9CAD4\gotnewupdate000.exe

MSConfigStartUp-hsfe8owijfisjhgs7ye39gjsoighsd7y3eu - c:\docume~1\NATALI~1\LOCALS~1\Temp\bmdod.exe

MSConfigStartUp-hsfg9w8gujsokgahi8gysgnsdgefshyjy - c:\docume~1\NATALI~1\LOCALS~1\Temp\cmd.exe

MSConfigStartUp-M5T8QL3YW3 - c:\docume~1\NATALI~1\LOCALS~1\Temp\Cqx.exe

MSConfigStartUp-mcexecwin - c:\docume~1\NATALI~1\LOCALS~1\Temp\pde18szz.dll

MSConfigStartUp-NDSTray - NDSTray.exe

MSConfigStartUp-net - c:\windows\system32\net.net

MSConfigStartUp-PCTAVApp - c:\program files\PC Tools AntiVirus\PCTAV.exe

MSConfigStartUp-Share-to-Web Namespace Daemon - c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

MSConfigStartUp-skb - jaacozjc.dll

MSConfigStartUp-{7EEF1EB4-BEAE-7F06-9559-6BA9F5990C69} - c:\documents and settings\natalie bull\Application Data\Xuawu\qyub.exe

MSConfigStartUp-{EEA72E68-DD13-5DD7-E559-2A04CA48CA92} - c:\documents and settings\natalie bull\Application Data\Vabih\ukri.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-05 21:11

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3992784411-1333664599-4074949263-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)

c:\windows\system32\RtlGina2.dll

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-06-05 21:14:06

ComboFix-quarantined-files.txt 2010-06-05 20:14

Pre-Run: 23,911,084,032 bytes free

Post-Run: 23,875,321,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 745F0D197A352FBBCE938229D175576E


Pop the OTLPE disk back in and go to start then run then type in cmd then hit ok.

When the command prompt window comes up copy and paste the following in bold in the window that opened.

expand D:\I386\atapi.sy_ C:\atapi.sys then hit enter.

Then you can close out of it.

After that go to C:\ and tell me if there is a file there named atapi.sys.


1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

FCopy::
C:\Atapi.sys|c:\windows\system32\drivers\atapi.sys
C:\Atapi.sys|c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^natalie bull^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

File::
c:\documents and settings\natalie bull\Start Menu\Programs\Startup\Antimalware Doctor.lnk
c:\windows\pss\Antimalware Doctor.lnk

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt


OK, here's the log file.

ComboFix 10-06-03.01 - natalie bull 05/06/2010 22:13:36.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.222.88 [GMT 1:00]

Running from: c:\documents and settings\natalie bull\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\natalie bull\Desktop\CFScript.txt

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::

"c:\documents and settings\natalie bull\Start Menu\Programs\Startup\Antimalware Doctor.lnk"

"c:\windows\pss\Antimalware Doctor.lnk"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\atapi.sys --> c:\windows\system32\drivers\atapi.sys

c:\atapi.sys --> c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys

.

((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))

.

2010-06-05 21:50 . 2010-06-05 21:50 -------- d-----w- C:\_OTL

2010-06-05 20:58 . 2001-08-17 12:51 86656 ------w- C:\atapi.sys

2010-05-31 19:09 . 2004-08-03 21:59 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys

2010-05-31 19:09 . 2004-08-03 21:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-05-30 21:51 . 2010-05-30 21:51 -------- d-----w- c:\documents and settings\natalie bull\Application Data\Malwarebytes

2010-05-30 21:51 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-30 21:51 . 2010-05-30 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-30 21:51 . 2010-05-30 21:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-30 21:51 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-30 20:59 . 2010-05-30 20:59 -------- d-----w- c:\program files\$NtUninstallWTF1012$

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-05 19:56 . 2007-02-08 20:12 -------- d-----w- c:\program files\PC Tools AntiVirus

2010-05-30 21:47 . 2007-07-20 07:28 -------- d-----w- c:\documents and settings\natalie bull\Application Data\Vazoom

2010-05-30 21:13 . 2007-08-10 19:33 -------- d-----w- c:\documents and settings\natalie bull\Application Data\Qulaap

2010-04-22 18:25 . 2007-04-14 12:02 -------- d-----w- c:\documents and settings\natalie bull\Application Data\OpenOffice.org2

2010-03-11 12:38 . 2006-02-13 09:20 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2006-02-13 09:20 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2006-02-13 09:19 17408 ----a-w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2006-02-13 09:20 430080 ----a-w- c:\windows\system32\vbscript.dll

2004-08-04 13:00 . 2006-02-13 09:20 94784 --sh--w- c:\windows\twain.dll

2004-08-04 13:00 . 2006-02-13 09:20 50688 --sh--w- c:\windows\twain_32.dll

2004-08-04 13:00 . 2006-02-13 09:20 1028096 --sh--w- c:\windows\system32\mfc42.dll

2004-08-04 13:00 . 2006-02-13 09:20 54784 --sh--w- c:\windows\system32\msvcirt.dll

2004-08-04 13:00 . 2006-02-13 09:20 413696 --sh--w- c:\windows\system32\msvcp60.dll

2007-12-04 18:38 . 2006-02-13 09:20 550912 --sh--w- c:\windows\system32\oleaut32.dll

2004-08-04 13:00 . 2006-02-13 09:20 83456 --sh--w- c:\windows\system32\olepro32.dll

2004-08-04 13:00 . 2006-02-13 09:20 11776 --sh--w- c:\windows\system32\regsvr32.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\documents and settings\natalie bull\Application Data\iolo\

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk

backup=c:\windows\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v2 Smart Wizard.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk

backup=c:\windows\pss\NETGEAR WG111v2 Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^natalie bull^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]

backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

2005-12-11 21:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 13:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-10-06 05:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2004-09-13 15:49 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]

2006-08-07 14:39 2236416 ----a-w- c:\windows\kdx\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]

2006-12-07 15:46 562792 ----a-w- c:\program files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2007-04-14 11:58 77824 ----a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2005-12-16 23:32 761945 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2007-11-08 23:08 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]

2006-01-28 04:13 1589248 ----a-w- c:\program files\Toshiba\Windows Utilities\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]

2006-02-08 15:02 266240 ----a-w- c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 16:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ioloDMV"=2 (0x2)

"Pml Driver HPZ12"=2 (0x2)

"PCTAVSvc"=2 (0x2)

"KService"=2 (0x2)

"iPod Service"=3 (0x3)

"idsvc"=3 (0x3)

"IDriverT"=3 (0x3)

"CFSvcs"=2 (0x2)

"Bonjour Service"=2 (0x2)

"Ati HotKey Poller"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\kdx\\KHost.exe"=

"c:\\Program Files\\KService\\KService.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [27/03/2006 18:53 167808]

.

Contents of the 'Scheduled Tasks' folder

2010-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:34]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\natalie bull\Application Data\Mozilla\Firefox\Profiles\lhm4dgxl.default\

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll

FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-05 22:30

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3992784411-1333664599-4074949263-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)

c:\windows\system32\RtlGina2.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1872)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-06-05 22:35:03 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-05 21:34

ComboFix2.txt 2010-06-05 20:14

Pre-Run: 23,876,534,272 bytes free

Post-Run: 23,841,292,288 bytes free

- - End Of File - - 7C7350621FF075767F3250E1704453E6


Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Hi Kahdah,

Sorry it's taken so long to reply, the Kaspersky took hours and didn't finish until gone midnight. Reports are:

Malwarebytes:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4170

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

05/06/2010 23:14:28

mbam-log-2010-06-05 (23-14-28).txt

Scan type: Quick scan

Objects scanned: 115599

Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Kaspersky

KASPERSKY ONLINE SCANNER 7.0: scan report

Sunday, June 6, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, June 05, 2010 16:33:28

Records in database: 4202544

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

C:\

D:\

Scan statistics

Objects scanned 54285

Threats found 5

Infected objects found 5

Suspicious objects found 0

Scan duration 03:13:03

File name Threat Threats count

C:\_OTL\MovedFiles\06052010_175032\C_Documents and Settings\natalie bull\Application Data\481715FC7BE3192DAF20CF28BFC9CAD4\gotnewupdate000.exe Infected: Trojan-Dropper.Win32.FrauDrop.arh 1

C:\_OTL\MovedFiles\06052010_175032\C_Documents and Settings\natalie bull\Application Data\481715FC7BE3192DAF20CF28BFC9CAD4\hookdll.dll Infected: Trojan.Win32.FraudPack.apxl 1

C:\_OTL\MovedFiles\06052010_175032\C_Documents and Settings\natalie bull\Application Data\Vabih\ukri.exe Infected: Packed.Win32.Krap.ae 1

C:\_OTL\MovedFiles\06052010_175032\C_Documents and Settings\natalie bull\Application Data\Xuawu\qyub.exe Infected: Packed.Win32.Krap.gx 1

C:\_OTL\MovedFiles\06052010_175032\C_WINDOWS\system32\ipsmsnap32.dll Infected: Packed.Win32.Krap.hc 1

Selected area has been scanned.

I'm thinking the fact that Kaspersky found 5 threats isn't good?


"I'm thinking the fact that Kaspersky found 5 threats isn't good?"

No, these are the first files I had you remove with OTLPE; they are in a quarantine folder that we will remove in a bit.

Nothing is present anymore.

How is the system running?

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.


Ok (sorry for the delay in replying), system seems to be running fine. It was always pretty slow before, very slow actually and seems marginally faster now so all good!

OTL.TXT is

OTL logfile created on: 06/06/2010 19:30:58 - Run 1

OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\natalie bull\Desktop

Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

222.00 Mb Total Physical Memory | 59.00 Mb Available Physical Memory | 27.00% Memory free

545.00 Mb Paging File | 411.00 Mb Available in Paging File | 75.00% Paging File free

Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.26 Gb Total Space | 22.10 Gb Free Space | 59.31% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: NATALIE

Current User Name: natalie bull

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\natalie bull\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\natalie bull\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\framedyn.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (ioloDMV) -- C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe ()

SRV - (KService) -- C:\Program Files\KService\KService.exe (Kontiki Inc.)

SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (Macrovision Corporation)

SRV - (ACS) -- C:\WINDOWS\system32\acs.exe ()

SRV - (CFSvcs) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe (TOSHIBA CORPORATION)

SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)

========== Driver Services (SafeList) ==========

DRV - (BVRPMPR5) -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS (Avanquest Software)

DRV - (StarOpen) -- C:\WINDOWS\system32\drivers\StarOpen.sys ()

DRV - (RTLWUSB) -- C:\WINDOWS\system32\drivers\wg111v2.sys (NETGEAR Inc.)

DRV - (qkbfiltr) -- C:\WINDOWS\system32\drivers\qkbfiltr.sys (Quanta Computer, Inc.)

DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)

DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)

DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)

DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)

DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)

DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)

DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)

DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)

DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)

DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)

DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)

DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Sonic Solutions)

DRV - (CAMCHALA) -- C:\WINDOWS\system32\drivers\camc6hal.sys (Conexant Systems Inc.)

DRV - (CAMCAUD) -- C:\WINDOWS\system32\drivers\camc6aud.sys (Conexant Systems Inc.)

DRV - (BoiHwsetup) -- C:\WINDOWS\system32\drivers\BoiHwSetup.sys (Quanta Computer Corp)

DRV - (qmofiltr) -- C:\WINDOWS\system32\drivers\qmofiltr.sys (Quanta Computer, Inc.)

DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys (Realtek Semiconductor Corporation )

DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)

DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)

DRV - (Netdevio) -- C:\WINDOWS\system32\drivers\Netdevio.sys (TOSHIBA Corporation.)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.19

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2007/11/09 00:10:06 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/08 21:41:06 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/04 16:56:12 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/04 16:56:12 | 000,000,000 | ---D | M]

[2009/03/01 20:14:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Mozilla\Extensions

[2009/03/01 20:14:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\natalie bull\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2010/05/30 13:44:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Mozilla\Firefox\Profiles\lhm4dgxl.default\extensions

[2009/09/10 21:59:25 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\natalie bull\Application Data\Mozilla\Firefox\Profiles\lhm4dgxl.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2009/03/01 20:14:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/04/04 16:56:12 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2010/04/04 16:55:33 | 000,023,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll

[2010/04/04 16:55:34 | 000,134,616 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll

[2010/04/04 16:55:47 | 000,065,496 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll

[2010/02/11 23:52:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll

[2010/02/11 23:52:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll

[2010/02/11 23:52:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll

[2010/02/11 23:52:54 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll

[2010/02/11 23:52:55 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll

[2010/02/11 23:52:55 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll

[2010/02/11 23:52:55 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

[2007/11/20 17:52:00 | 002,884,992 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

[2010/02/21 20:06:03 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml

[2010/02/21 20:06:03 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml

[2010/02/21 20:06:03 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml

[2010/02/21 20:06:03 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml

[2010/02/21 20:06:03 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml

[2010/02/21 20:06:03 | 000,001,706 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml

[2010/02/21 20:06:04 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml

[2010/02/21 20:06:04 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/06/05 22:29:13 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\NPJPI150_10.dll (Sun Microsystems, Inc.)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)

O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)

O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)

O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: GinaDLL - (RtlGina2.dll) - C:\WINDOWS\System32\RtlGina2.dll ()

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\natalie bull\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\natalie bull\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/02/13 11:36:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (smrgdf C:\Documents and Settings\natalie bull\Application Data\iolo\) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/06 19:29:38 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\natalie bull\Desktop\OTL.exe

[2010/06/06 12:59:04 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/06/05 22:50:33 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/06/05 22:35:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp

[2010/06/05 21:58:40 | 000,086,656 | ---- | C] (Microsoft Corporation) -- C:\atapi.sys

[2010/06/05 21:01:38 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/06/05 20:59:42 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/06/05 20:54:26 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/06/05 20:54:26 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/06/05 20:54:26 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/06/05 20:54:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/06/05 20:27:11 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/05/31 20:09:33 | 000,095,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys

[2010/05/30 23:15:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/05/30 23:15:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/05/30 22:51:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\natalie bull\Application Data\Malwarebytes

[2010/05/30 22:51:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/05/30 22:51:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/05/30 22:51:22 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/05/30 22:51:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/05/30 21:59:10 | 000,000,000 | ---D | C] -- C:\Program Files\$NtUninstallWTF1012$

========== Files - Modified Within 30 Days ==========

[2010/06/06 23:26:25 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/06/06 23:26:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/06/06 23:26:08 | 233,099,264 | -HS- | M] () -- C:\hiberfil.sys

[2010/06/06 19:29:41 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\natalie bull\Desktop\OTL.exe

[2010/06/06 13:00:08 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\natalie bull\ntuser.ini

[2010/06/06 13:00:07 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\natalie bull\ntuser.dat

[2010/06/06 03:57:01 | 000,003,993 | ---- | M] () -- C:\Documents and Settings\natalie bull\Desktop\virusrep.html

[2010/06/05 22:29:39 | 000,000,327 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/06/05 22:29:13 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/06/05 21:01:45 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2010/06/05 20:54:26 | 000,256,512 | R--- | M] () -- C:\WINDOWS\PEV.exe

[2010/06/05 20:47:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2010/06/05 20:24:29 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/06/05 15:53:26 | 003,702,826 | R--- | M] () -- C:\Documents and Settings\natalie bull\Desktop\ComboFix.exe

[2010/05/30 22:51:35 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/05/30 22:29:45 | 000,001,075 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/05/30 22:29:45 | 000,000,211 | ---- | M] () -- C:\Boot.bak

[2010/05/11 18:49:32 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/05/08 16:23:42 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

========== Files Created - No Company Name ==========

[2010/06/06 03:57:01 | 000,003,993 | ---- | C] () -- C:\Documents and Settings\natalie bull\Desktop\virusrep.html

[2010/06/05 21:01:45 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/06/05 21:01:39 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/06/05 20:59:42 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/06/05 20:54:26 | 000,256,512 | R--- | C] () -- C:\WINDOWS\PEV.exe

[2010/06/05 20:54:26 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/06/05 20:54:26 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/06/05 20:54:26 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/06/05 20:26:20 | 003,702,826 | R--- | C] () -- C:\Documents and Settings\natalie bull\Desktop\ComboFix.exe

[2010/05/30 22:51:35 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/05/30 22:43:36 | 233,099,264 | -HS- | C] () -- C:\hiberfil.sys

[2009/08/15 12:10:05 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll

[2009/08/15 12:10:01 | 000,696,320 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll

[2009/08/15 12:09:24 | 000,422,504 | ---- | C] () -- C:\WINDOWS\System32\Incinerator.dll

[2008/11/30 19:05:28 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys

[2006/11/25 21:18:26 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll

[2006/11/25 21:18:25 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll

[2006/11/04 18:31:42 | 000,002,735 | ---- | C] () -- C:\WINDOWS\DevMgr.ini

[2006/11/04 18:23:59 | 000,000,020 | ---- | C] () -- C:\WINDOWS\Hposcv07.INI

[2006/05/03 18:44:32 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\RtlGina2.dll

[2006/02/13 13:40:04 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2006/02/13 13:10:51 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2006/02/13 12:55:36 | 000,000,216 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2006/02/13 12:49:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI

[2006/02/13 12:45:25 | 000,011,122 | ---- | C] () -- C:\WINDOWS\HWSetupStr.ini

[2006/02/13 12:45:25 | 000,002,036 | R--- | C] () -- C:\WINDOWS\SVPW32Str.ini

[2006/02/13 12:39:26 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini

[2006/02/13 12:39:26 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll

[2006/02/13 12:39:26 | 000,009,362 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini

[2006/02/13 12:39:26 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini

[2006/02/13 11:40:08 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2006/02/13 10:20:48 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ToshBIOS.dll

[2006/02/13 10:20:48 | 000,000,083 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2006/01/26 18:03:32 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\TPeculiarity.dll

[2005/12/08 19:56:50 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\tsbwls.dll

[2005/11/29 04:33:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2002/11/23 19:48:16 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\win2000.dll

[1999/07/05 11:00:00 | 000,073,867 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll

========== LOP Check ==========

[2008/10/12 19:12:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Graboid Inc

[2009/08/15 12:12:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo

[2008/10/12 19:12:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Launcher

[2010/02/12 00:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/08/15 10:52:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\iolo

[2007/01/26 21:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Kontiki

[2010/05/30 22:13:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Qulaap

[2009/11/07 12:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Samsung

[2006/11/04 17:02:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Template

[2000/01/01 08:11:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\toshiba

[2010/05/30 22:47:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\natalie bull\Application Data\Vazoom

========== Purity Check ==========

< End of report >

Extras txt is

OTL Extras logfile created on: 06/06/2010 19:30:58 - Run 1

OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\natalie bull\Desktop

Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.11)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

222.00 Mb Total Physical Memory | 59.00 Mb Available Physical Memory | 27.00% Memory free

545.00 Mb Paging File | 411.00 Mb Available in Paging File | 75.00% Paging File free

Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.26 Gb Total Space | 22.10 Gb Free Space | 59.31% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: NATALIE

Current User Name: natalie bull

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Value error.

https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\WINDOWS\kdx\KHost.exe" = C:\WINDOWS\kdx\KHost.exe:*:Enabled:Delivery Manager -- (Kontiki Inc.)

"C:\Program Files\KService\KService.exe" = C:\Program Files\KService\KService.exe:*:Enabled:Delivery Manager Service -- (Kontiki Inc.)

"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\WINDOWS\system32\spoolsv.exe" = C:\WINDOWS\system32\spoolsv.exe:*:Enabled:spoolsv.exe -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"$NtUninstallWTF1012$" = Sky-Banners browser enhancer

"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player

"{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}" = Atheros Wireless LAN MiniPCI card Driver

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{099D12EC-0321-4CAC-A0CC-33D020156FCD}" = Toshiba Utility

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA

"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist

"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime

"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant

"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax

"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6

"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9

"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10

"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java SE Runtime Environment 6

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3EB6332B-AF02-457C-A31C-835458C5B48B}" = TOSHIBA Manuals

"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support

"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme

"{5D95AD35-368F-47D5-B63A-A082DDF00111}" = Microsoft Digital Image 2006 Starter Edition Editor

"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan

"{691F4068-81BF-49E3-B32E-FE3E16400111}" = Microsoft Digital Image 2006 Starter Edition Library

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works

"{71D658CF-4E0D-4DA8-AA67-8C0B6F1C01FE}" = Atheros Client Utility

"{7B1F9CB1-349A-43F5-A742-6215C2E2DB6F}" = Toshiba Hotkey Utility

"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware

"{8E240C1C-25D0-4248-BC6C-ACC3472E35CE}" = SigmaTel MSCN Audio Player

"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver

"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!

"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker

"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer

"{A1C8D94A-4303-4489-B585-4B6E6CD408CB}" = OpenOffice.org 2.2

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player

"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{E0F252A6-DE85-4E93-A93B-DFC3537B3965}" = NETGEAR WG111v2 wireless USB 2.0 adapter

"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes

"{F77890F3-774A-4CBE-A2E3-7BB0DC71D1FA}" = Toshiba Touchpad Utility

"6194C28A8F62DD817EA1B918E6E46E806A21B452" = Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)

"65B6FE5418CE28F4D72543FB2D964C3CEC83F161" = Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"All ATI Software" = ATI - Software Uninstall Utility

"ATI Display Driver" = ATI Display Driver

"CNXT_AUDIO" = Conexant AC-Link Audio

"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"InstallShield_{099D12EC-0321-4CAC-A0CC-33D020156FCD}" = Toshiba Utility

"InstallShield_{7B1F9CB1-349A-43F5-A742-6215C2E2DB6F}" = Toshiba Hotkey Utility

"InstallShield_{E0F252A6-DE85-4E93-A93B-DFC3537B3965}" = NETGEAR WG111v2 wireless USB 2.0 adapter

"InstallShield_{F77890F3-774A-4CBE-A2E3-7BB0DC71D1FA}" = Toshiba Touchpad Utility

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"PC Diagnostic Tool" = TOSHIBA PC Diagnostic Tool

"PictureItSuiteTrial_v11" = Microsoft Digital Image 2006 Starter Edition

"Power Saver" = TOSHIBA Power Saver

"RealPlayer 6.0" = RealPlayer

"ShockwaveFlash" = Adobe Flash Player 9 ActiveX

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"System Mechanic Professional 7_is1" = iolo technologies' System Mechanic Professional 7

"VLC media player" = VideoLAN VLC media player 0.8.6d

"WIC" = Windows Imaging Component

"Windows Media Format Runtime" = Windows Media Format Runtime

"Windows Media Player" = Windows Media Player 10

"WinRAR archiver" = WinRAR archiver

"Xvid_is1" = Xvid 1.1.2 final uninstall

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"FHM Gaming Casino" = FHM Gaming Casino

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 11/02/2010 19:21:28 | Computer Name = NATALIE | Source = ESENT | ID = 494

Description = Catalog Database (908) Database recovery failed with error -1216 because

it encountered references to a database, 'C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb',

which is no longer present. The database was not brought to a consistent state

before it was removed (or possibly moved or renamed). The database engine will not

permit recovery to complete for this instance until the missing database is re-instated.

If the database is truly no longer available and no longer required, please contact

PSS for further instructions regarding the steps required in order to allow recovery

to proceed without this database.

Error - 11/02/2010 19:21:28 | Computer Name = NATALIE | Source = ESENT | ID = 454

Description = Catalog Database (908) Database recovery/restore failed with unexpected

error -1216.

Error - 21/02/2010 13:23:27 | Computer Name = NATALIE | Source = Application Hang | ID = 1002

Description = Hanging application firefox.exe, version 1.9.0.3642, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 15/03/2010 18:49:29 | Computer Name = NATALIE | Source = Application Hang | ID = 1002

Description = Hanging application firefox.exe, version 1.9.0.3685, hang module hungapp,

version 0.0.0.0, hang address 0x00000000.

Error - 12/04/2010 15:39:29 | Computer Name = NATALIE | Source = Application Hang | ID = 1002

Description = Hanging application soffice.bin, version 1.9.9129.500, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 30/05/2010 17:17:54 | Computer Name = NATALIE | Source = Application Error | ID = 1000

Description = Faulting application gotnewupdate000.exe, version 0.1.0.0, faulting

module kernel32.dll, version 5.1.2600.3541, fault address 0x00012a6b.

Error - 30/05/2010 17:41:15 | Computer Name = NATALIE | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting

module ipsmsnap32.dll, version 0.0.0.0, fault address 0x00001df9.

Error - 30/05/2010 17:45:14 | Computer Name = NATALIE | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting

module unknown, version 0.0.0.0, fault address 0x76f2347a.

Error - 30/05/2010 17:48:54 | Computer Name = NATALIE | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: A connection with the server could not be established

Error - 30/05/2010 17:48:54 | Computer Name = NATALIE | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

[ System Events ]

Error - 30/05/2010 17:42:15 | Computer Name = NATALIE | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss StarOpen Tcpip WS2IFSL

Error - 30/05/2010 17:44:04 | Computer Name = NATALIE | Source = Ftdisk | ID = 262189

Description = The system could not sucessfully load the crash dump driver.

Error - 30/05/2010 17:44:04 | Computer Name = NATALIE | Source = Ftdisk | ID = 262193

Description = Configuring the Page file for crash dump failed. Make sure there is

a page file on the boot partition and that is large enough to contain all physical

memory.

Error - 30/05/2010 18:04:26 | Computer Name = NATALIE | Source = DCOM | ID = 10010

Description = The server {0002DF01-0000-0000-C000-000000000046} did not register

with DCOM within the required timeout.

Error - 30/05/2010 18:06:29 | Computer Name = NATALIE | Source = DCOM | ID = 10010

Description = The server {0002DF01-0000-0000-C000-000000000046} did not register

with DCOM within the required timeout.

Error - 30/05/2010 18:14:52 | Computer Name = NATALIE | Source = DCOM | ID = 10010

Description = The server {0002DF01-0000-0000-C000-000000000046} did not register

with DCOM within the required timeout.

Error - 05/06/2010 15:24:27 | Computer Name = NATALIE | Source = Dhcp | ID = 1002

Description = The IP address lease 192.168.2.2 for the Network Card with network

address 0016E35DE7C3 has been denied by the DHCP server 192.168.2.1 (The DHCP Server

sent a DHCPNACK message).

Error - 05/06/2010 17:13:26 | Computer Name = NATALIE | Source = Service Control Manager | ID = 7034

Description = The Application Layer Gateway Service service terminated unexpectedly.

It has done this 1 time(s).

Error - 05/06/2010 17:13:26 | Computer Name = NATALIE | Source = Service Control Manager | ID = 7034

Description = The Print Spooler service terminated unexpectedly. It has done this

1 time(s).

Error - 05/06/2010 17:13:26 | Computer Name = NATALIE | Source = Service Control Manager | ID = 7034

Description = The Windows User Mode Driver Framework service terminated unexpectedly.

It has done this 1 time(s).

< End of report >


Great, here are some free antivirus programs to use:

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free 9.0

This is just antivirus protection.

Antivir

=====================

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.

======Next======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE) then click on it
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete\uninstall anything else that we have used that is leftover.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example: BitTorrent, Limewire, Kazaa, emule, Utorrent, Limewire, etc.


Kahdah, apologies for the delay in replying, I've been bombed at work. I've now done the above and everything seems to be working great again!

Thank you so much for your help, it's really appreciated and absolutely invaluable. I honestly don't know what I'd have done without your help.

I will be making a donation, but just wanted to say thank you here too.

All the very best and thanks again.

Brucey


This topic is now closed to further replies.