
Unable to clean my PC up or run antivirus/antispyware applications


Simples


Hopefully someone can help me out here! If this post is in the wrong section, can a mod please move it?

I have a Windows XP box (with SP3 installed); when booted up, it doesn't start the explorer shell until I press CTRL+ALT+DEL to bring up the task manager and manually start explorer.exe (I have to do the same in Windows Safe Mode). I did have Microsoft Security Essentials installed, but believed this was preventing Explorer from loading, as the memory resources used by it were fairly large.

I then uninstalled Microsoft Security Essentials, which didn't help matters, so I then did a system restore to the last time the PC worked. This still hasn't helped me at all, and the system restore has brought back some remnants of Security Essentials.

I've now downloaded Malwarebytes but am unable to run it, even when I change the installer name to something completely different (and I've changed the extension type as well); this has made no difference.

I also appear unable to install or run most anti-virus applications and malware scanners, including HiJackThis. I have managed to get Trojan Remover installed and can do a Fast Scan, but am unable to run the main application. The Fast Scan reports the following warnings:

***

This file is loaded by the Windows Registry

bywtrq.dll

A file with this name "has not" been found (it may be hidden)

Thie file is called from the following registry key

HLKM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"efcdbasys"

THIS FILE IS A TROJAN HORSE

Appears to contain TROJAN.VIRTUMONDE (HEURISTIC DETECTION)

***

This file is loaded by the Windows Registry

iihhef.dll

A file with this name "has not" been found (it may be hidden)

Thie file is called from the following registry key

HLKM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"geebabsys"

THIS FILE IS A TROJAN HORSE

Appears to contain TROJAN.VIRTUMONDE (HEURISTIC DETECTION)

***

I would appreciate any pointers / tips to get this fixed.

Thanks in advance

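The Fast Scan output above describes a common persistence pattern: Run-key values naming DLLs that no longer exist on disk (the OTL log later in this thread shows the same two names again under the LSA "Authentication Packages" value, and a further Run entry pointing at a DLL in the user's Temp folder). The script below is an added example, not code from this thread, from Trojan Remover or from OTL. It parses a constructed `reg export`-style dump of those two registry locations and flags every autostart whose binary is missing or lives under the user's Temp/Application Data folders. The REG_DUMP text, the PRESENT set and the scratch-directory rule are constructed for the example; the value names and DLL names are the ones reported in this thread, while the command lines attached to them are assumed.

```python
"""Flag autostart entries whose binary is missing or sits in a scratch folder.

Added example (not code from this thread, Trojan Remover or OTL).  Parses a
constructed reg.exe export of the HKLM Run key and the LSA Authentication
Packages value and reports entries that deserve a closer look.
"""
import os
import re

# Constructed sample in reg.exe export format.  Value names and DLL names are
# the ones reported in the thread; the command lines attached to them are
# assumed for the example.  "Authentication Packages" is REG_MULTI_SZ, which
# reg.exe exports as hex(7): UTF-16LE bytes of NUL-separated strings, wrapped
# with a trailing backslash exactly as reg.exe does.
REG_DUMP = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="\"C:\\Program Files\\Microsoft Security Essentials\\msseces.exe\" -hide"
"efcdbasys"="rundll32.exe C:\\WINDOWS\\system32\\bywtrq.dll,b"
"geebabsys"="rundll32.exe C:\\WINDOWS\\system32\\iihhef.dll,b"
"CTF Products Updater"="rundll32.exe \"C:\\Documents and Settings\\HTPC\\Local Settings\\Temp\\winbdm.dll\",start"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,\
  62,00,79,00,77,00,74,00,72,00,71,00,2e,00,64,00,6c,00,6c,00,00,00,\
  69,00,69,00,68,00,68,00,65,00,66,00,2e,00,64,00,6c,00,6c,00,00,00,00,00
'''

# Directories an autostart binary has no business living in (assumed rule).
SCRATCH_MARKERS = ("\\temp\\", "\\application data\\", "\\local settings\\")
# First drive-letter path ending in .exe/.dll inside a command line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
# LSA resolves package names relative to System32.
LSA_DIR = "C:\\WINDOWS\\system32\\"


def _unescape(s):
    # reg.exe writes \" for a quote and \\ for a backslash inside string data.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _multi_sz(hexdata):
    # hex(7) is UTF-16LE text; entries are NUL-separated, list ends with a double NUL.
    raw = bytes(int(b, 16) for b in hexdata.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def parse_autostarts(reg_text):
    """Yield (key, value_name, binary_path) for each autostart in the export."""
    key = None
    # Join reg.exe's backslash-newline continuation lines before parsing.
    for line in reg_text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if not m or key is None:
            continue
        name, data = m.groups()
        if data.startswith("hex(7):"):
            for pkg in _multi_sz(data[len("hex(7):"):]):
                yield key, name, LSA_DIR + (pkg if pkg.lower().endswith(".dll") else pkg + ".dll")
        elif data.startswith('"') and data.endswith('"'):
            hit = PATH_RE.search(_unescape(data[1:-1]))
            if hit:
                yield key, name, hit.group(0)


def triage(reg_text, exists=os.path.exists):
    """Return the entries worth a closer look, with the reason for each."""
    findings = []
    for key, name, path in parse_autostarts(reg_text):
        reasons = []
        if not exists(path):
            reasons.append("referenced file not found on disk")
        if any(mark in path.lower() for mark in SCRATCH_MARKERS):
            reasons.append("binary lives in a user-writable scratch directory")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


# Constructed "files present on disk" set so the example runs offline; on a
# live machine call triage(text) and let the default os.path.exists decide.
PRESENT = {p.lower() for p in (
    r"C:\Program Files\Microsoft Security Essentials\msseces.exe",
    r"C:\WINDOWS\system32\msv1_0.dll",
    r"C:\Documents and Settings\HTPC\Local Settings\Temp\winbdm.dll",
)}


def demo():
    return triage(REG_DUMP, exists=lambda p: p.lower() in PRESENT)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']:<24} {f['path']}")
        print("    -> " + "; ".join(f["reasons"]))
```

On the dump above this reports five entries: the two Run values and the two LSA packages whose DLLs are absent, plus the Temp-resident DLL that exists but should not be where it is. The MSSE entry and msv1_0 (the built-in NTLM package) come out clean, which is the point of checking both conditions rather than only "file missing".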

Hello Simples

Welcome to Malwarebytes.

See if you can get these to run

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Please download Rootkit Unhooker and save it to your desktop.

  • Note: since it is in .rar format, if you do not have anything that will open it, you can download 7-Zip and use it to extract the data; it can be found here:
  • Right click on the .rar file and choose Extract files.
  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, Files, and Code Hooks.
  • Uncheck the rest, then click OK.
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
  • Wait till the scanner has finished, then go File > Save Report.
  • Save the report somewhere you can find it, typically your desktop. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

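Once the Rootkit Unhooker report requested above comes back, the "Hooks" section is the part that needs careful reading, because RkU lists every patched import and inline jump it finds without saying which ones are normal. The script below is an added example, not code from this thread or from Rootkit Unhooker. It parses lines in the format RkU prints and sorts them into three buckets: hooks that Windows itself installs, hooks that merely need an owner identified, and inline hooks on socket functions placed by a module nobody can account for. The allow-list (shimeng.dll and aclayers.dll as the application-compatibility shim engine, ieframe.dll inside iexplore.exe) and the network-API list are my assumptions for the example; the sample report is constructed, mirroring the form of entries posted later in this thread, with one made-up line (placeholder module name and address) so that every bucket is exercised.

```python
"""Triage the Hooks section of a Rootkit Unhooker report.

Added example, not code from this thread or from Rootkit Unhooker.  Every
line RkU prints for a hook names the hooked process/module/function and
the module holding the hook handler; the point is to separate hooks that
Windows itself installs from a module nobody can account for sitting on
socket I/O.
"""
import re

USER_HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<proc>\S+?)-->(?P<mod>\S+?)-->(?P<func>\S+?), Type: "
    r"(?P<type>.+?) at address (?P<addr>0x[0-9A-Fa-f]+) hook handler located in "
    r"\[(?P<handler>[^\]]+)\]$"
)
KERNEL_HOOK_RE = re.compile(
    r"^(?P<image>\S+?)\+0x(?P<offset>[0-9A-Fa-f]+), Type: (?P<type>.+?) at address "
    r"(?P<addr>0x[0-9A-Fa-f]+) hook handler located in \[(?P<handler>[^\]]+)\]$"
)

# Allow-list assumed for this example.  shimeng.dll/aclayers.dll are the
# application-compatibility shim engine, which works by patching the IAT of
# LoadLibrary*/GetProcAddress in shimmed processes; ieframe.dll patching user32
# inside iexplore.exe is Internet Explorer's own frame code.  Anything else is
# treated as unknown until someone can name the product it belongs to.
EXPECTED_HANDLERS = {
    "shimeng.dll": {"*"},
    "aclayers.dll": {"*"},
    "ieframe.dll": {"iexplore.exe"},
}
# Functions where an unexplained inline hook means traffic interception.
NETWORK_APIS = {"recv", "send", "WSARecv", "WSASend", "connect", "WSAConnect"}


def parse_hook(line):
    """Return a dict for one RkU hook line, or None for any other line."""
    m = USER_HOOK_RE.match(line)
    if m:
        return {"scope": "user", **m.groupdict()}
    m = KERNEL_HOOK_RE.match(line)
    if m:
        return {"scope": "kernel", **m.groupdict()}
    return None


def classify(hook):
    """Return 'expected', 'review' or 'high' for one parsed hook."""
    handler = hook["handler"].lower()
    if hook["scope"] == "kernel":
        # A patch whose handler lies inside the kernel image itself is low
        # priority; a handler in some other driver is not.
        return "expected" if handler == hook["image"].lower() else "review"
    procs = EXPECTED_HANDLERS.get(handler, set())
    if "*" in procs or hook["proc"].lower() in procs:
        return "expected"
    if hook["func"] in NETWORK_APIS:
        return "high"
    return "review"


def triage(report_text):
    """Group every hook line of an RkU report by severity."""
    groups = {"expected": [], "review": [], "high": []}
    for line in report_text.splitlines():
        hook = parse_hook(line.strip())
        if hook:
            groups[classify(hook)].append(hook)
    return groups


# Constructed excerpt in RkU's output format.  The first seven lines copy the
# form of entries reported in this thread; the last one is a made-up line
# (placeholder module name and address) so that the 'review' bucket is exercised.
SAMPLE_REPORT = """>Hooks
ntkrnlpa.exe+0x0002D524, Type: Inline - RelativeJump at address 0x80504524 hook handler located in [ntkrnlpa.exe]
[256]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0040106C hook handler located in [shimeng.dll]
[256]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401098 hook handler located in [aclayers.dll]
[256]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump at address 0x7E42D0A3 hook handler located in [ieframe.dll]
[256]iexplore.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB676F hook handler located in [winbdm.dll]
[256]iexplore.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB4C27 hook handler located in [winbdm.dll]
[2604]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[2604]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump at address 0x00000000 hook handler located in [placeholder_unknown.dll]
"""

if __name__ == "__main__":
    for sev, hooks in triage(SAMPLE_REPORT).items():
        for h in hooks:
            where = h.get("proc", h.get("image"))
            what = h.get("func", "+0x" + h.get("offset", ""))
            print(f"{sev:<8} {where} {what} <- [{h['handler']}]")
```

The "high" bucket is the one to cross-reference against the process and module lists from OTL: a handler DLL that is both unsigned (no company name) and loaded from a Temp directory, sitting on recv/send in the browser, is the combination that explains why downloads and scanner installs keep failing.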

RkU Results

****

>Drivers

>Stealth

>Files

>Hooks

ntkrnlpa.exe+0x0002D524, Type: Inline - RelativeJump at address 0x80504524 hook handler located in [ntkrnlpa.exe]

ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump at address 0x80545CBE hook handler located in [ntkrnlpa.exe]

[256]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0040106C hook handler located in [shimeng.dll]

[256]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401098 hook handler located in [aclayers.dll]

[256]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x004010E8 hook handler located in [aclayers.dll]

[256]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x004010C0 hook handler located in [aclayers.dll]

[256]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump at address 0x7E42B3C6 hook handler located in [ieframe.dll]

[256]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump at address 0x7E42D0A3 hook handler located in [ieframe.dll]

[256]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump at address 0x7E456D7D hook handler located in [ieframe.dll]

[256]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump at address 0x7E432072 hook handler located in [ieframe.dll]

[256]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump at address 0x7E43B144 hook handler located in [ieframe.dll]

[256]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump at address 0x7E4247AB hook handler located in [ieframe.dll]

[256]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump at address 0x7E45085C hook handler located in [ieframe.dll]

[256]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump at address 0x7E450838 hook handler located in [ieframe.dll]

[256]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump at address 0x7E43A082 hook handler located in [ieframe.dll]

[256]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump at address 0x7E4664D5 hook handler located in [ieframe.dll]

[256]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E42820F hook handler located in [ieframe.dll]

[256]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump at address 0x7E42D5F3 hook handler located in [ieframe.dll]

[256]iexplore.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB676F hook handler located in [winbdm.dll]

[256]iexplore.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB4C27 hook handler located in [winbdm.dll]

[256]iexplore.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4CB5 hook handler located in [winbdm.dll]

[2604]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]

[3172]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0040106C hook handler located in [shimeng.dll]

[3172]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401098 hook handler located in [aclayers.dll]

[3172]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x004010E8 hook handler located in [aclayers.dll]

[3172]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x004010C0 hook handler located in [aclayers.dll]

[3172]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump at address 0x7E42D0A3 hook handler located in [ieframe.dll]

[3172]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump at address 0x7E456D7D hook handler located in [ieframe.dll]

[3172]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump at address 0x7E432072 hook handler located in [ieframe.dll]

[3172]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump at address 0x7E43B144 hook handler located in [ieframe.dll]

[3172]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump at address 0x7E4247AB hook handler located in [ieframe.dll]

[3172]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump at address 0x7E45085C hook handler located in [ieframe.dll]

[3172]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump at address 0x7E450838 hook handler located in [ieframe.dll]

[3172]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump at address 0x7E43A082 hook handler located in [ieframe.dll]

[3172]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump at address 0x7E4664D5 hook handler located in [ieframe.dll]

[3172]iexplore.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB676F hook handler located in [winbdm.dll]

[3172]iexplore.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB4C27 hook handler located in [winbdm.dll]

[3172]iexplore.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71AB4CB5 hook handler located in [winbdm.dll]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

*******************

OTL Results

***

OTL logfile created on: 13/11/2010 15:08:45 - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Stuff

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 1397.25 Gb Total Space | 168.14 Gb Free Space | 12.03% Space Free | Partition Type: NTFS

Drive F: | 1397.26 Gb Total Space | 157.42 Gb Free Space | 11.27% Space Free | Partition Type: NTFS

Computer Name: HTPC-570CD457B5 | User Name: HTPC | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Stuff\OTL.exe (OldTimer Tools)

PRC - C:\Documents and Settings\HTPC\Application Data\regsdkrl32\regsdkrl43.exe ()

PRC - C:\Program Files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe (doubleTwist Corporation)

PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)

PRC - C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)

PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\PeerGuardian2\pg2.exe (Phoenix Labs)

========== Modules (SafeList) ==========

MOD - C:\Stuff\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\winphost.dll ()

MOD - C:\Documents and Settings\HTPC\Local Settings\Temp\winbdm.dll ()

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)

SRV - (WinVNC4) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe (RealVNC Ltd.)

========== Driver Services (SafeList) ==========

DRV - (AnyDVD) -- C:\WINDOWS\system32\drivers\AnyDVD.sys (SlySoft, Inc.)

DRV - (iPodDrv) -- C:\WINDOWS\system32\drivers\iPodDrv.sys (Windows ® Codename Longhorn DDK provider)

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()

DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )

DRV - ({FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}) -- C:\Program Files\CyberLink\PowerDVD8\000.fcl (CyberLink Corp.)

DRV - (ElbyCDIO) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys (Elaborate Bytes AG)

DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)

DRV - (VClone) -- C:\WINDOWS\system32\drivers\VClone.sys (Elaborate Bytes AG)

DRV - (AsIO) -- C:\WINDOWS\system32\drivers\AsIO.sys ()

DRV - (VIAHdAudAddService) -- C:\WINDOWS\system32\drivers\viahduaa.sys (VIA Technologies, Inc.)

DRV - (AsUpIO) -- C:\WINDOWS\system32\drivers\AsUpIO.sys ()

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (IrBus) -- C:\WINDOWS\system32\drivers\IrBus.sys (Microsoft Corporation)

DRV - (amdide) -- C:\WINDOWS\system32\DRIVERS\amdide.sys (Advanced Micro Devices)

DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)

DRV - (pgfilter) -- C:\Program Files\PeerGuardian2\pgfilter.sys ()

DRV - (speedfan) -- C:\WINDOWS\system32\speedfan.sys (Windows ® 2000 DDK provider)

DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()

DRV - (giveio) -- C:\WINDOWS\system32\giveio.sys ()

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2010/02/17 20:50:31 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010/07/11 17:55:36 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/11/07 13:52:48 | 000,424,797 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 1-2005-search.com

O1 - Hosts: 127.0.0.1 www.1-2005-search.com

O1 - Hosts: 14641 more lines...

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (PodcastBHO Class) - {65134FDF-F8A5-4B3D-91D9-CDF273CFD578} - C:\Program Files\Common Files\doubleTwist\IEPodcastPlugin.dll (doubleTwist Corporation)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [ASUS Update Checker] C:\Program Files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe ()

O4 - HKLM..\Run: [CTF Products Updater] C:\Documents and Settings\HTPC\Local Settings\Temp\winbdm.dll ()

O4 - HKLM..\Run: [efcdbasys] File not found

O4 - HKLM..\Run: [geebabsys] File not found

O4 - HKLM..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe (VIA Technologies, Inc.)

O4 - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe (Simply Super Software)

O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

O4 - HKCU..\Run: [doubleTwist] C:\Program Files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe (doubleTwist Corporation)

O4 - HKCU..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe (Phoenix Labs)

O4 - HKCU..\Run: [regsdkrl32] C:\Documents and Settings\HTPC\Application Data\regsdkrl32\regsdkrl43.exe ()

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)

O4 - HKCU..\Run: [Windows Dumper Host] C:\Documents and Settings\HTPC\Local Settings\Temp\winbdm.dll ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1266437170093 (MUWebControl Class)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O20 - AppInit_DLLs: (C:\WINDOWS\system32\winphost.dll) - C:\WINDOWS\system32\winphost.dll ()

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (bywtrq.dll) - File not found

O30 - LSA: Authentication Packages - (iihhef.dll) - File not found

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/02/17 19:25:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{7ae101b0-1ed1-11df-9ae5-96efb1274098}\Shell - "" = AutoRun

O33 - MountPoints2\{7ae101b0-1ed1-11df-9ae5-96efb1274098}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{7ae101b0-1ed1-11df-9ae5-96efb1274098}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found

O33 - MountPoints2\{b779b6d2-2e0e-11df-ad13-8e8aaeb16160}\Shell - "" = AutoRun

O33 - MountPoints2\{b779b6d2-2e0e-11df-ad13-8e8aaeb16160}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{b779b6d2-2e0e-11df-ad13-8e8aaeb16160}\Shell\AutoRun\command - "" = G:\TotalLock.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/13 11:36:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\My Documents\Simply Super Software

[2010/11/12 23:18:43 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/11/12 23:08:53 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll

[2010/11/12 23:08:35 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover

[2010/11/12 23:08:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software

[2010/11/12 22:40:57 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/11/12 22:01:16 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\HTPC\Desktop\steam.exe

[2010/11/12 22:01:10 | 000,000,000 | ---D | C] -- C:\Stuff

[2010/11/07 13:58:32 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mfc70.dll

[2010/11/07 13:58:32 | 000,487,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp70.dll

[2010/11/07 13:58:32 | 000,344,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr70.dll

[2010/11/07 13:58:30 | 000,000,000 | ---D | C] -- C:\Program Files\AML Products

[2010/11/07 01:19:25 | 000,140,288 | ---- | C] (GnuWin32 <http://gnuwin32.sourceforge.net>) -- C:\WINDOWS\System32\pcre3.dll

[2010/11/07 01:16:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\Transformers Revenge of the Fallen[2009]DvDrip-aXXo

[2010/11/07 01:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\Windows 7 - 70-680

[2010/11/07 01:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\Laptop Films

[2010/11/07 01:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\Desire-Prepped

[2010/11/07 01:15:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\The House Bunny

[2010/11/07 01:15:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\OpenOffice.org 3.2 (en-GB) Installation Files

[2010/11/07 01:15:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\AsusUpdt_V71706

[2010/11/07 01:14:16 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials

[2010/11/07 00:23:39 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET

[2010/11/07 00:21:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy

[2010/11/07 00:21:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\$968930Uinstall_KB968930$

[2010/10/24 21:07:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe

[2010/02/18 21:28:11 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\HTPC\Application Data\pcouffin.sys

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/13 11:44:58 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{AC5922AC-F773-4497-964D-B4598D80EB80}.job

[2010/11/13 11:37:05 | 000,502,810 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/11/13 11:37:05 | 000,088,272 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/11/13 11:33:49 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/11/13 11:28:42 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/11/13 11:28:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/11/13 11:28:30 | 2146,619,392 | -HS- | M] () -- C:\hiberfil.sys

[2010/11/12 22:50:40 | 000,000,358 | ---- | M] () -- C:\Documents and Settings\HTPC\Desktop\fix.reg

[2010/11/12 22:40:58 | 000,001,982 | ---- | M] () -- C:\Documents and Settings\HTPC\Desktop\HiJackThis.lnk

[2010/11/12 21:22:32 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\HTPC\Desktop\steam.exe

[2010/11/08 07:03:56 | 000,000,382 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job

[2010/11/07 20:12:24 | 000,248,832 | ---- | M] () -- C:\Documents and Settings\HTPC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/11/07 13:58:36 | 000,000,781 | ---- | M] () -- C:\Documents and Settings\HTPC\Desktop\AML Free Registry Cleaner.lnk

[2010/11/07 13:52:48 | 000,424,797 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/11/07 01:19:25 | 000,140,288 | ---- | M] (GnuWin32 <http://gnuwin32.sourceforge.net>) -- C:\WINDOWS\System32\pcre3.dll

[2010/11/07 01:19:25 | 000,039,936 | ---- | M] () -- C:\WINDOWS\System32\winphost.dll

[2010/11/07 01:19:25 | 000,039,936 | ---- | M] () -- C:\WINDOWS\System32\b_ctfmn.dll

[2010/11/07 01:16:12 | 000,111,616 | -H-- | M] () -- C:\WINDOWS\System32\kheffe.dll

[2010/11/07 01:14:24 | 000,101,888 | -H-- | M] () -- C:\WINDOWS\System32\ssqrqr.dll

[2010/11/07 00:22:24 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/11/03 22:00:20 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/10/26 19:13:59 | 000,120,544 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/10/24 21:12:00 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk

[2010/10/24 21:07:54 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[2010/10/19 20:51:33 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/12 23:08:53 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll

[2010/11/12 23:08:53 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll

[2010/11/12 23:08:53 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll

[2010/11/12 23:08:53 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll

[2010/11/12 22:50:40 | 000,000,358 | ---- | C] () -- C:\Documents and Settings\HTPC\Desktop\fix.reg

[2010/11/12 22:40:58 | 000,001,982 | ---- | C] () -- C:\Documents and Settings\HTPC\Desktop\HiJackThis.lnk

[2010/11/12 22:37:40 | 2146,619,392 | -HS- | C] () -- C:\hiberfil.sys

[2010/11/07 13:58:36 | 000,000,781 | ---- | C] () -- C:\Documents and Settings\HTPC\Desktop\AML Free Registry Cleaner.lnk

[2010/11/07 01:23:15 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/11/07 01:19:26 | 000,039,936 | ---- | C] () -- C:\WINDOWS\System32\b_ctfmn.dll

[2010/11/07 01:19:25 | 000,039,936 | ---- | C] () -- C:\WINDOWS\System32\winphost.dll

[2010/11/07 00:46:27 | 000,101,888 | -H-- | C] () -- C:\WINDOWS\System32\ssqrqr.dll

[2010/11/06 11:59:02 | 000,111,616 | -H-- | C] () -- C:\WINDOWS\System32\kheffe.dll

[2010/11/03 22:00:20 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/10/24 21:07:54 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[2010/05/30 21:45:24 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll

[2010/05/30 21:45:24 | 000,011,448 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsUpIO.sys

[2010/05/30 21:45:24 | 000,011,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys

[2010/05/11 19:56:06 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2010/02/18 21:28:15 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\HTPC\Application Data\pcouffin.log

[2010/02/18 21:28:11 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\HTPC\Application Data\inst.exe

[2010/02/18 21:28:11 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\HTPC\Application Data\pcouffin.cat

[2010/02/18 21:28:11 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\HTPC\Application Data\pcouffin.inf

[2010/02/18 20:00:33 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys

[2010/02/18 20:00:10 | 000,021,755 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2010/02/18 20:00:08 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2010/02/18 19:31:16 | 000,000,040 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib

[2010/02/17 21:38:59 | 000,248,832 | ---- | C] () -- C:\Documents and Settings\HTPC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/02/17 19:58:38 | 000,691,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys

[2010/02/17 19:34:00 | 000,001,746 | ---- | C] () -- C:\WINDOWS\Language_trs.ini

[2010/02/17 19:33:27 | 000,080,416 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll

[2010/02/17 03:18:41 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[1996/04/03 19:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2010/03/28 14:22:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canneverbe Limited

[2010/02/17 19:58:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite

[2010/07/14 20:57:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\doubleTwist Corporation

[2010/11/12 23:08:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software

[2010/04/24 22:44:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft

[2010/05/11 17:41:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Team MediaPortal

[2010/02/18 19:13:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp

[2010/08/03 17:53:56 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{1C53AEFE-978A-4FA2-896E-FD4330A2EACC}

[2010/02/23 19:02:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2010/08/02 21:07:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\calibre

[2010/03/28 14:22:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\Canneverbe Limited

[2010/02/18 20:08:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\DAEMON Tools Lite

[2010/02/18 21:57:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\HandBrake

[2010/05/22 09:23:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\ImgBurn

[2010/03/12 19:48:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\IObit

[2010/08/03 17:57:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\Key Metric Software

[2010/04/26 22:04:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\MoveFab

[2010/07/11 18:00:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\OpenOffice.org

[2010/03/24 22:36:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\Red Kawa

[2010/08/03 17:53:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\regsdkrl32

[2010/11/13 15:06:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\uTorrent

[2010/02/18 21:28:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\Vso

[2010/11/13 11:33:49 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

[2010/11/08 07:03:56 | 000,000,382 | ---- | M] () -- C:\WINDOWS\Tasks\SmartDefrag.job

[2010/11/13 11:44:58 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{AC5922AC-F773-4497-964D-B4598D80EB80}.job

========== Purity Check ==========

< End of report >

************

Extras Results

***

OTL Extras logfile created on: 13/11/2010 15:08:45 - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Stuff

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 1397.25 Gb Total Space | 168.14 Gb Free Space | 12.03% Space Free | Partition Type: NTFS

Drive F: | 1397.26 Gb Total Space | 157.42 Gb Free Space | 11.27% Space Free | Partition Type: NTFS

Computer Name: HTPC-570CD457B5 | User Name: HTPC | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [MediaMonkey.1Play] -- "C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE" "%1" (Ventis Media Inc.)

Directory [MediaMonkey.2PlayNext] -- "C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE" /NEXT "%1" (Ventis Media Inc.)

Directory [MediaMonkey.3Enqueue] -- "C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE" /ADD "%1" (Ventis Media Inc.)

Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"35169:TCP" = 35169:TCP:*:Enabled:Torrent35169TCP

"35169:UDP" = 35169:UDP:*:Enabled:Torrent35169UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe" = C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe:*:Enabled:CyberLink PowerDVD 8.0 -- (CyberLink Corp.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe" = C:\Program Files\Team MediaPortal\MediaPortal\MediaPortal.exe:LocalSubNet:Enabled:MediaPortal -- (Team MediaPortal)

"C:\Program Files\LM Gestion\LM Remote KeyMap\LM Remote KeyMap Desktop Listener.exe" = C:\Program Files\LM Gestion\LM Remote KeyMap\LM Remote KeyMap Desktop Listener.exe:*:Enabled:LM Remote KeyMap Desktop Listener -- File not found

"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:


HiJack This! Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

For you this means Utorrent.

Please uninstall that before proceeding.

========================

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    MOD - C:\WINDOWS\system32\winphost.dll ()
    MOD - C:\Documents and Settings\HTPC\Local Settings\Temp\winbdm.dll ()
    O4 - HKLM..\Run: [CTF Products Updater] C:\Documents and Settings\HTPC\Local Settings\Temp\winbdm.dll ()
    O4 - HKLM..\Run: [efcdbasys] File not found
    O4 - HKLM..\Run: [geebabsys] File not found
    O4 - HKCU..\Run: [regsdkrl32] C:\Documents and Settings\HTPC\Application Data\regsdkrl32\regsdkrl43.exe ()
    O4 - HKCU..\Run: [Windows Dumper Host] C:\Documents and Settings\HTPC\Local Settings\Temp\winbdm.dll ()
    O20 - AppInit_DLLs: (C:\WINDOWS\system32\winphost.dll) - C:\WINDOWS\system32\winphost.dll ()
    O30 - LSA: Authentication Packages - (bywtrq.dll) - File not found
    O30 - LSA: Authentication Packages - (iihhef.dll) - File not found
    [2010/11/07 01:19:25 | 000,039,936 | ---- | M] () -- C:\WINDOWS\System32\winphost.dll
    [2010/11/07 01:19:25 | 000,039,936 | ---- | M] () -- C:\WINDOWS\System32\b_ctfmn.dll
    [2010/11/07 01:16:12 | 000,111,616 | -H-- | M] () -- C:\WINDOWS\System32\kheffe.dll
    [2010/11/07 01:14:24 | 000,101,888 | -H-- | M] () -- C:\WINDOWS\System32\ssqrqr.dll
    [2010/08/03 17:53:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\regsdkrl32


    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

================================Malwarebytes' Anti-Malware=================================

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

================================Stand alone scanner=================================

Please click here to download Kaspersky Virus Removal Tool.

  1. Double click on the file you just downloaded and let it install.
  2. It will install to your desktop.
  3. After that leave what is selected and put a check next to My Computer.
  4. Click on the option that says Threat Detection and change it to Disinfect, delete if disinfection fails.
  5. Then click on Start Scan.
  6. Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  7. When the scan is done no log will be produced.
  8. Click on the bottom where it says Report to open the report.
  9. Then highlight all of the items found by using ctrl + a on your keyboard to select all, or use your mouse to select all, then right click and choose copy.
  10. This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  11. You can save this on the desktop.
  12. Post the contents of the document in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

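As an added example (not part of this thread, and not OTL's own code), the following Python script applies the same reading of an OTL log that produced the fix above: it flags autorun and LSA entries that point at files which no longer exist, loaders whose module lives in Temp or Application Data, and no-company-name DLLs in System32 (noting when they are hidden), then drafts the :OTL / :Commands block from the flagged lines. The sample lines are excerpted from the log posted earlier in this thread, with a few known-good Microsoft entries kept in to show what is not flagged.

```python
"""Triage an OTL log the way a helper does when drafting an :OTL fix.

Added example; the rules below are a reviewer's heuristics, not OTL's own
logic. A flagged line is a prompt for review, not a verdict of malware.
"""
import re
from typing import List, Tuple

# Loader lines: "MOD - ...", "PRC - ...", "O4 - ...", "O20 - ...", "O30 - ..."
LOADER_LINE = re.compile(r"^(MOD|PRC|O\d+) - (.*)$")
# File listing lines: [date time | size | attrs | C/M] (company) -- path
FILE_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+)"
    r" \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: (?P<company>\([^)]*\)))? -- (?P<path>.+)$"
)
# Loader classes where "File not found" means an orphaned (or hidden) payload
# reference. O33 (stale removable-media autorun) and O34 (autochk, normal on
# XP) are deliberately excluded.
ORPHAN_SENSITIVE = {"O4", "O20", "O30"}
USER_WRITABLE = ("\\local settings\\temp\\", "\\application data\\")
SYSTEM32 = "\\windows\\system32\\"


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) that make one OTL line worth reviewing."""
    reasons: List[str] = []
    m = LOADER_LINE.match(line)
    if m:
        kind, body = m.groups()
        lowered = body.lower()
        if kind in ORPHAN_SENSITIVE and "file not found" in lowered:
            reasons.append("autorun/LSA entry points at a file that no longer exists")
        if any(folder in lowered for folder in USER_WRITABLE):
            reasons.append("module loaded from a user-writable folder")
        if body.rstrip().endswith("()"):
            reasons.append("loaded module carries no company name")
        return reasons
    m = FILE_LINE.match(line)
    if m:
        path = m.group("path").lower()
        if SYSTEM32 in path and path.endswith(".dll") and m.group("company") == "()":
            reasons.append("no-company-name DLL in System32")
            if "H" in m.group("attrs"):
                reasons.append("and the file is hidden")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over every non-empty line; keep only the flagged ones."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


def draft_otl_fix(findings: List[Tuple[str, List[str]]]) -> str:
    """Turn the flagged lines into the :OTL / :Commands script shape used above."""
    fix_lines = [":OTL"] + [line for line, _ in findings] + ["", ":Commands", "[emptytemp]"]
    return "\n".join(fix_lines)


# Sample input: lines excerpted from the OTL log posted in this thread, plus
# known-good Microsoft entries, so the script runs offline.
SAMPLE_LOG = r"""
MOD - C:\WINDOWS\system32\winphost.dll ()
O4 - HKLM..\Run: [CTF Products Updater] C:\Documents and Settings\HTPC\Local Settings\Temp\winbdm.dll ()
O4 - HKLM..\Run: [efcdbasys] File not found
O4 - HKCU..\Run: [regsdkrl32] C:\Documents and Settings\HTPC\Application Data\regsdkrl32\regsdkrl43.exe ()
O20 - AppInit_DLLs: (C:\WINDOWS\system32\winphost.dll) - C:\WINDOWS\system32\winphost.dll ()
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (bywtrq.dll) - File not found
O33 - MountPoints2\{7ae101b0-1ed1-11df-9ae5-96efb1274098}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
[2010/11/07 13:58:32 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mfc70.dll
[2010/11/07 01:16:12 | 000,111,616 | -H-- | M] () -- C:\WINDOWS\System32\kheffe.dll
[2010/11/12 23:08:53 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2010/08/03 17:53:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HTPC\Application Data\regsdkrl32
"""

if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for line, reasons in found:
        print(line)
        for reason in reasons:
            print("    -", reason)
    print()
    print(draft_otl_fix(found))
```

Note that ztvunrar36.dll (part of the Trojan Remover install seen in the log) is flagged by the no-company-name rule too, which is why the output is a review list rather than a fix to run blindly.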

uTorrent now uninstalled.

Kaspersky Results

*****************

Autoscan: completed 10 hours ago (events: 28, objects: 387658, time: 02:38:11)

Autoscan: completed 31 minutes ago (events: 8, objects: 139291, time: 00:41:03)

14/11/2010 12:13:59 Task started

14/11/2010 12:49:37 Detected: not-a-virus:FraudTool.Win32.DiskCleanup.l C:\System Volume Information\_restore{1D1F2EFD-8EC1-498A-AC77-8067B1645257}\RP226\A0037244.dll

14/11/2010 12:49:37 Detected: not-a-virus:FraudTool.Win32.DiskCleanup.l C:\System Volume Information\_restore{1D1F2EFD-8EC1-498A-AC77-8067B1645257}\RP226\A0037245.dll

14/11/2010 12:49:37 Detected: not-a-virus:FraudTool.Win32.DiskCleanup.l C:\System Volume Information\_restore{1D1F2EFD-8EC1-498A-AC77-8067B1645257}\RP226\A0037243.dll

14/11/2010 12:49:38 Deleted: not-a-virus:FraudTool.Win32.DiskCleanup.l C:\System Volume Information\_restore{1D1F2EFD-8EC1-498A-AC77-8067B1645257}\RP226\A0037244.dll

14/11/2010 12:49:42 Deleted: not-a-virus:FraudTool.Win32.DiskCleanup.l C:\System Volume Information\_restore{1D1F2EFD-8EC1-498A-AC77-8067B1645257}\RP226\A0037243.dll

14/11/2010 12:49:45 Deleted: not-a-virus:FraudTool.Win32.DiskCleanup.l C:\System Volume Information\_restore{1D1F2EFD-8EC1-498A-AC77-8067B1645257}\RP226\A0037245.dll

14/11/2010 12:55:02 Task completed

OTL Results

*********

All processes killed

========== OTL ==========

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\CTF Products Updater deleted successfully.

C:\Documents and Settings\HTPC\Local Settings\Temp\winbdm.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\efcdbasys deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\geebabsys deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\regsdkrl32 deleted successfully.

C:\Documents and Settings\HTPC\Application Data\regsdkrl32\regsdkrl43.exe moved successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Dumper Host deleted successfully.

File C:\Documents and Settings\HTPC\Local Settings\Temp\winbdm.dll not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\winphost.dll deleted successfully.

C:\WINDOWS\system32\winphost.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:bywtrq.dll deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:iihhef.dll deleted successfully.

File C:\WINDOWS\System32\winphost.dll not found.

C:\WINDOWS\system32\b_ctfmn.dll moved successfully.

File C:\WINDOWS\System32\kheffe.dll not found.

File C:\WINDOWS\System32\ssqrqr.dll not found.

C:\Documents and Settings\HTPC\Application Data\regsdkrl32 folder moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: bob

->Temp folder emptied: 2217 bytes

->Temporary Internet Files folder emptied: 9579341 bytes

->Flash cache emptied: 42076 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 41620 bytes

User: HTPC

->Temp folder emptied: 104669 bytes

->Temporary Internet Files folder emptied: 196104945 bytes

->Java cache emptied: 550278 bytes

->Flash cache emptied: 87302 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 823080 bytes

->Temporary Internet Files folder emptied: 33237 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 2402044 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 54249 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 67284096 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 3836418473 bytes

Total Files Cleaned = 3,923.00 mb

OTL by OldTimer - Version 3.2.17.3 log created on 11132010_210227

Files\Folders moved on Reboot...

C:\Documents and Settings\HTPC\Local Settings\Temporary Internet Files\Content.IE5\NPTA0NHO\index[2].htm moved successfully.

C:\Documents and Settings\HTPC\Local Settings\Temporary Internet Files\Content.IE5\9BN8ZDMV\iframe[1].htm moved successfully.

C:\Documents and Settings\HTPC\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

C:\Documents and Settings\HTPC\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

Registry entries deleted on Reboot...

M-Ware Results

************

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5109

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

13/11/2010 23:43:35

mbam-log-2010-11-13 (23-43-35).txt

Scan type: Full scan (C:\|F:\|)

Objects scanned: 261881

Time elapsed: 43 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnonolsys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khghiisys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnonolsys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khghiisys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctf products updater (Password.Stealer) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\HTPC\regsdkrl43.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Laptop Downloads\Your Uninstaller 2008 Pro v 6.1.1231 + Indianboy\Keygen\Keygen.exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.

C:\_OTL\MovedFiles\11132010_210227\C_Documents and Settings\HTPC\Application Data\regsdkrl32\regsdkrl43.exe (Trojan.Agent) -> Quarantined and deleted successfully.


PC appears to be working fine now. Explorer loads up by itself now on boot-up. I see I have a few entries in my HOSTS file. Should they be left there or can I remove them?

I'm not sure if the entries are fallout from the infection I had or if Spybot put the entries in there.

On boot-up I get a warning about MS Security Essentials and I'm advised to reinstall it. I expect this is because I originally uninstalled it and then did a system restore which has brought back a few files/links. Opening the application simply brings up the message again. Any objections to reinstalling?

Message reads:

Microsoft Security Essentials

An error has occurred in the program. Try to open it again. If the problem continues, you'll need to reinstall Microsoft Security Essentials from the Microsoft Download Centre

Error code: 0x80070715

OTL Report

***

OTL logfile created on: 14/11/2010 17:29:36 - Run 2

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Stuff

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 1397.25 Gb Total Space | 172.40 Gb Free Space | 12.34% Space Free | Partition Type: NTFS

Drive F: | 1397.26 Gb Total Space | 157.42 Gb Free Space | 11.27% Space Free | Partition Type: NTFS

Computer Name: HTPC-570CD457B5 | User Name: HTPC | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Stuff\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe (doubleTwist Corporation)

PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)

PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

PRC - C:\Program Files\RealVNC\VNC4\winvnc4.exe (RealVNC Ltd.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\PeerGuardian2\pg2.exe (Phoenix Labs)

========== Modules (SafeList) ==========

MOD - C:\Stuff\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (F9718149) -- C:\WINDOWS\System32\F9718149.exe File not found

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)

SRV - (WinVNC4) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe (RealVNC Ltd.)

========== Driver Services (SafeList) ==========

DRV - (AnyDVD) -- C:\WINDOWS\system32\drivers\AnyDVD.sys (SlySoft, Inc.)

DRV - (iPodDrv) -- C:\WINDOWS\system32\drivers\iPodDrv.sys (Windows ® Codename Longhorn DDK provider)

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()

DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )

DRV - ({FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}) -- C:\Program Files\CyberLink\PowerDVD8\000.fcl (CyberLink Corp.)

DRV - (ElbyCDIO) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys (Elaborate Bytes AG)

DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)

DRV - (VClone) -- C:\WINDOWS\system32\drivers\VClone.sys (Elaborate Bytes AG)

DRV - (AsIO) -- C:\WINDOWS\system32\drivers\AsIO.sys ()

DRV - (VIAHdAudAddService) -- C:\WINDOWS\system32\drivers\viahduaa.sys (VIA Technologies, Inc.)

DRV - (AsUpIO) -- C:\WINDOWS\system32\drivers\AsUpIO.sys ()

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (IrBus) -- C:\WINDOWS\system32\drivers\IrBus.sys (Microsoft Corporation)

DRV - (amdide) -- C:\WINDOWS\system32\DRIVERS\amdide.sys (Advanced Micro Devices)

DRV - (AmdPPM) -- C:\WINDOWS\system32\drivers\AmdPPM.sys (Advanced Micro Devices)

DRV - (pgfilter) -- C:\Program Files\PeerGuardian2\pgfilter.sys ()

DRV - (speedfan) -- C:\WINDOWS\system32\speedfan.sys (Windows ® 2000 DDK provider)

DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()

DRV - (giveio) -- C:\WINDOWS\system32\giveio.sys ()

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: ([2010/11/07 13:52:48 | 000,424,797 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 1-2005-search.com

O1 - Hosts: 127.0.0.1 www.1-2005-search.com

O1 - Hosts: 14641 more lines...

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (PodcastBHO Class) - {65134FDF-F8A5-4B3D-91D9-CDF273CFD578} - C:\Program Files\Common Files\doubleTwist\IEPodcastPlugin.dll (doubleTwist Corporation)

O4 - HKLM..\Run: [ASUS Update Checker] C:\Program Files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker.exe ()

O4 - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)

O4 - HKLM..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe (Simply Super Software)

O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)

O4 - HKCU..\Run: [doubleTwist] C:\Program Files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe (doubleTwist Corporation)

O4 - HKCU..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe (Phoenix Labs)

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1266437170093 (MUWebControl Class)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010/02/17 19:25:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{7ae101b0-1ed1-11df-9ae5-96efb1274098}\Shell - "" = AutoRun

O33 - MountPoints2\{7ae101b0-1ed1-11df-9ae5-96efb1274098}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{7ae101b0-1ed1-11df-9ae5-96efb1274098}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found

O33 - MountPoints2\{b779b6d2-2e0e-11df-ad13-8e8aaeb16160}\Shell - "" = AutoRun

O33 - MountPoints2\{b779b6d2-2e0e-11df-ad13-8e8aaeb16160}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{b779b6d2-2e0e-11df-ad13-8e8aaeb16160}\Shell\AutoRun\command - "" = G:\TotalLock.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/14 12:12:42 | 000,000,000 | -HSD | C] -- C:\Config.Msi

[2010/11/13 21:08:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Application Data\Malwarebytes

[2010/11/13 21:08:10 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/11/13 21:08:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/11/13 21:08:08 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/11/13 21:08:08 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/11/13 21:02:27 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/11/13 11:36:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\My Documents\Simply Super Software

[2010/11/12 23:18:43 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/11/12 23:08:53 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ztvcabinet.dll

[2010/11/12 23:08:35 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover

[2010/11/12 23:08:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Simply Super Software

[2010/11/12 22:40:57 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/11/12 22:01:16 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\HTPC\Desktop\steam.exe

[2010/11/12 22:01:10 | 000,000,000 | ---D | C] -- C:\Stuff

[2010/11/07 13:58:32 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mfc70.dll

[2010/11/07 13:58:32 | 000,487,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp70.dll

[2010/11/07 13:58:32 | 000,344,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr70.dll

[2010/11/07 13:58:30 | 000,000,000 | ---D | C] -- C:\Program Files\AML Products

[2010/11/07 01:19:25 | 000,140,288 | ---- | C] (GnuWin32 <http://gnuwin32.sourceforge.net>) -- C:\WINDOWS\System32\pcre3.dll

[2010/11/07 01:16:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\Transformers Revenge of the Fallen[2009]DvDrip-aXXo

[2010/11/07 01:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\Windows 7 - 70-680

[2010/11/07 01:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\Laptop Films

[2010/11/07 01:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\Desire-Prepped

[2010/11/07 01:15:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\The House Bunny

[2010/11/07 01:15:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\OpenOffice.org 3.2 (en-GB) Installation Files

[2010/11/07 01:15:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HTPC\Desktop\AsusUpdt_V71706

[2010/11/07 01:14:16 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials

[2010/11/07 00:23:39 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET

[2010/11/07 00:21:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy

[2010/11/07 00:21:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\$968930Uinstall_KB968930$

[2010/10/24 21:07:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe

[2010/02/18 21:28:11 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\HTPC\Application Data\pcouffin.sys

========== Files - Modified Within 30 Days ==========

[2010/11/14 17:29:46 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/11/14 17:27:59 | 000,502,810 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/11/14 17:27:59 | 000,088,272 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/11/14 17:24:03 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/11/14 17:23:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/11/14 17:23:44 | 2146,619,392 | -HS- | M] () -- C:\hiberfil.sys

[2010/11/14 12:49:42 | 000,001,478 | -HS- | M] () -- C:\WINDOWS\setup_9.0.0.722_14.11.2010_02-16[1]drv.spi

[2010/11/14 12:14:21 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{AC5922AC-F773-4497-964D-B4598D80EB80}.job

[2010/11/13 21:08:13 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/11/13 18:13:52 | 000,248,832 | ---- | M] () -- C:\Documents and Settings\HTPC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/11/12 22:50:40 | 000,000,358 | ---- | M] () -- C:\Documents and Settings\HTPC\Desktop\fix.reg

[2010/11/12 22:40:58 | 000,001,982 | ---- | M] () -- C:\Documents and Settings\HTPC\Desktop\HiJackThis.lnk

[2010/11/12 21:22:32 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\HTPC\Desktop\steam.exe

[2010/11/08 07:03:56 | 000,000,382 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job

[2010/11/07 13:58:36 | 000,000,781 | ---- | M] () -- C:\Documents and Settings\HTPC\Desktop\AML Free Registry Cleaner.lnk

[2010/11/07 13:52:48 | 000,424,797 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/11/07 01:19:25 | 000,140,288 | ---- | M] (GnuWin32 <http://gnuwin32.sourceforge.net>) -- C:\WINDOWS\System32\pcre3.dll

[2010/11/07 00:22:24 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/11/03 22:00:20 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/10/26 19:13:59 | 000,120,544 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/10/24 21:12:00 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk

[2010/10/24 21:07:54 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[2010/10/19 20:51:33 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

========== Files Created - No Company Name ==========

[2010/11/14 02:08:01 | 000,001,478 | -HS- | C] () -- C:\WINDOWS\setup_9.0.0.722_14.11.2010_02-16[1]drv.spi

[2010/11/13 21:08:13 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/11/12 23:08:53 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll

[2010/11/12 23:08:53 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll

[2010/11/12 23:08:53 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll

[2010/11/12 23:08:53 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll

[2010/11/12 22:50:40 | 000,000,358 | ---- | C] () -- C:\Documents and Settings\HTPC\Desktop\fix.reg

[2010/11/12 22:40:58 | 000,001,982 | ---- | C] () -- C:\Documents and Settings\HTPC\Desktop\HiJackThis.lnk

[2010/11/12 22:37:40 | 2146,619,392 | -HS- | C] () -- C:\hiberfil.sys

[2010/11/07 13:58:36 | 000,000,781 | ---- | C] () -- C:\Documents and Settings\HTPC\Desktop\AML Free Registry Cleaner.lnk

[2010/11/07 01:23:15 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2010/11/03 22:00:20 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/10/24 21:07:54 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

[2010/05/30 21:45:24 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll

[2010/05/30 21:45:24 | 000,011,448 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsUpIO.sys

[2010/05/30 21:45:24 | 000,011,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys

[2010/05/11 19:56:06 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2010/02/18 21:28:15 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\HTPC\Application Data\pcouffin.log

[2010/02/18 21:28:11 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\HTPC\Application Data\inst.exe

[2010/02/18 21:28:11 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\HTPC\Application Data\pcouffin.cat

[2010/02/18 21:28:11 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\HTPC\Application Data\pcouffin.inf

[2010/02/18 20:00:33 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys

[2010/02/18 20:00:10 | 000,021,755 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini

[2010/02/18 20:00:08 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS

[2010/02/18 19:31:16 | 000,000,040 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib

[2010/02/17 21:38:59 | 000,248,832 | ---- | C] () -- C:\Documents and Settings\HTPC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/02/17 19:58:38 | 000,691,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys

[2010/02/17 19:34:00 | 000,001,746 | ---- | C] () -- C:\WINDOWS\Language_trs.ini

[2010/02/17 19:33:27 | 000,080,416 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll

[2010/02/17 03:18:41 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[1996/04/03 19:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

< End of report >


I see I have a few entries in my HOSTS file. Should they be left there or can I remove them?

Yes, they are put there by Spybot.

Yes, you will need to reinstall Microsoft Security Essentials.

================================

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    SRV - (F9718149) -- C:\WINDOWS\System32\F9718149.exe File not found
    [2010/02/18 21:28:11 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\HTPC\Application Data\inst.exe


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when it is done it will say "Fix Complete press ok to open log"
  • Please post that log in your next reply.


Thanks - will get MS Sec.Ess reinstalled.

OTL Report

***

========== OTL ==========

Service F9718149 stopped successfully!

Service F9718149 deleted successfully!

File C:\WINDOWS\System32\F9718149.exe File not found not found.

C:\Documents and Settings\HTPC\Application Data\inst.exe moved successfully.

OTL by OldTimer - Version 3.2.17.3 log created on 11142010_203353


Great. Please delete this file: C:\WINDOWS\tasks\SmartDefrag.job. You can paste C:\Windows\Tasks into the Run box and hit OK to open the folder, and the file will be there.

============

======Cleanup======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete\uninstall anything else that we have used that is leftover.

After that you're all set.

===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - Some great guidelines to follow to prevent future infections; please read the Prevention article by Miekiemoes.

"How did I get infected in the first place?" Also this one by Tony Klein.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent etc...

===Free antimalware tools used for on demand scanning and cleaning no real time unless purchased===

Malwarebytes Antimalware

superantispyware

===Free antivirus links===

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast


The last few steps have gone through smoothly without any hiccups.

Thanks for your quick and able assistance kahdah - it is very much appreciated and gratefully received as everything now appears to be back to normal. I think this thread can be closed down.

With regards

Simples


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
