Help: Bad Image Error



#21 El Kabong (Member)

Posted 06 September 2011 - 05:41 PM

Hi JonTom,

This looks like the older log you're looking for.


Old ComboFix Log:

ComboFix 11-08-29.03 - Mark 08/29/2011 20:08:05.1.4 - x86
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files\INSTALL.LOG
c:\program files\Steam\Steam.exe
.
c:\windows\system32\cryptsvc.dll . . . is infected!!
.
c:\windows\system32\netman.dll . . . is infected!!
.
c:\windows\system32\ksuser.dll . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
.
c:\windows\system32\srsvc.dll . . . is infected!!
.
c:\windows\pchealth\helpctr\binaries\pchsvc.dll . . . is infected!!
.
Infected copy of c:\windows\system32\ksuser.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{6DB2D010-E188-48A6-A25F-B6F6112F95C1}\RP6\A0005383.dll
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-30 )))))))))))))))))))))))))))))))
.
.
2011-08-10 07:26 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 07:22 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-12 14:01 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2009-03-14 02:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:45 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45 . 2004-08-12 13:58 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45 . 2004-08-12 13:56 17408 ------w- c:\windows\system32\corpol.dll
2011-06-21 11:47 . 2004-08-12 13:57 389120 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-12 14:09 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-11 22:59 . 2011-06-11 22:59 2829 ----a-w- c:\windows\DIIUnin.pif
2011-06-02 17:53 . 2011-06-02 17:53 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-06-02 14:02 . 2004-08-12 14:09 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 16:26 . 2011-06-11 20:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"ANT Agent"="c:\program files\Garmin\ANT Agent\ANT Agent.exe" [2010-05-20 12026216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedIIGame.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedII.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\UPlayBrowser.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-02-24 185472]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-04-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-07-26 1025352]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-04-15 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-02-10 27216]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 22992]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-03-16 32592]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-17 691696]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-01-07 248656]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-04-05 297168]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]
.
2011-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\gvk0n3rj.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cfbef19&v=7.007.026.001&i=23&tp=ab&iy=&ychte=ca&lng=en-US&q=
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Steam - c:\program files\Steam\Steam.exe
SafeBoot-Wdf01000.sys
AddRemove-Steam App 500 - c:\program files\Steam\steam.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-29 22:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1390067357-1715567821-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:ff,36,9c,25,70,b3,59,1f,32,bd,ad,4b,46,78,10,58,0e,73,1e,a5,13,
33,06,e2,82,ea,e7,db,8c,40,a9,70,c8,cf,eb,13,ed,9e,43,74,d6,25,02,98,df,ef,\
"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3120)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-08-29 22:08:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-30 02:08
.
Pre-Run: 207,370,731,520 bytes free
Post-Run: 213,285,609,472 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - D2B1F4D5222571EED18D9AE3ACD844C3

#22 JonTom (Trusted Malware Tech)

Posted 07 September 2011 - 01:20 PM

Hello El Kabong

Thank you for retrieving that first ComboFix log.

Your system is certainly having its fair share of problems. Do you use the program "steam" at all? The reason I ask is that it appears it may have been mistakenly removed from your machine as a result of a false positive detection. If you do use it let me know and we can try and get it back for you.

Let's continue as follows:


  • Please run the following command


    • Click on "Start" and then on "Run"
    • Type cmd then press OK or hit Enter.
    • A command prompt will appear.
    • At the command prompt, type or copy/paste the following: NET START CRYPTSVC
    • Hit Enter.
    • Type exit to close the command window.
    • Please post any errors or messages you receive in your next reply.

  • Please work through the following steps


    • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
    • NOTE: Do not use WordPad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the quotebox below into the open Notepad window:

      FCopy::
      C:\WINDOWS\ServicePackFiles\i386\netman.dll | C:\WINDOWS\system32\netman.dll
      C:\WINDOWS\ServicePackFiles\i386\srsvc.dll | C:\WINDOWS\system32\srsvc.dll

    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Referring to the picture below, drag CFScript.txt into ComboFix.exe

      Posted Image

    • If ComboFix informs you that an update is available, allow it to install.
    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti virus.

    Please post the ComboFix log in your next reply.

Member of ASAP and UNITE
Proud Graduate of the WTT Classroom

#23 El Kabong (Member)

Posted 07 September 2011 - 07:57 PM

Hi JonTom.

I do in fact use Steam. It would be great to recover it at some point, thank you. I had thought to simply re-install it... after. lol

Starting cryptsvc went off without a problem. No errors or messages.


Here is the ComboFix log:

ComboFix 11-09-07.04 - Mark 09/07/2011 19:36:28.6.4 - x86
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\netman.dll --> c:\windows\system32\netman.dll
c:\windows\ServicePackFiles\i386\srsvc.dll --> c:\windows\system32\srsvc.dll
.
((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))
.
.
2011-09-02 22:45 . 2011-09-02 22:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-31 00:48 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-31 00:48 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-31 00:48 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-31 00:48 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-31 00:48 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-31 00:48 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-31 00:48 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-31 00:48 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-31 00:47 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-31 00:47 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-31 00:47 . 2011-08-31 00:47 -------- d-----w- c:\program files\AVAST Software
2011-08-31 00:47 . 2011-08-31 00:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVAST Software
2011-08-30 02:16 . 2011-08-30 02:16 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes
2011-08-30 02:15 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-30 02:15 . 2011-08-30 02:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-30 02:15 . 2011-08-30 02:15 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-08-30 02:15 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 07:26 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 07:22 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-12 14:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-12 14:01 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2009-03-14 02:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:45 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:45 . 2004-08-12 13:58 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-06-21 18:45 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:45 . 2004-08-12 13:56 17408 ------w- c:\windows\system32\corpol.dll
2011-06-21 11:47 . 2004-08-12 13:57 389120 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-12 14:09 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-11 22:59 . 2011-06-11 22:59 2829 ----a-w- c:\windows\DIIUnin.pif
2011-04-14 16:26 . 2011-06-11 20:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2011-08-30_01.59.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-31 00:50 . 2011-08-31 00:50 24064 c:\windows\Installer\3a4b2d3.msi
+ 2010-09-21 04:07 . 2010-09-21 04:07 70584 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobeextractfiles.dll
+ 2011-09-02 22:45 . 2011-09-02 22:45 243360 c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe
+ 2011-09-02 22:45 . 2011-09-02 22:45 328864 c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.dll
+ 2010-09-21 04:07 . 2010-09-21 04:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\readerupdater.exe
+ 2010-09-21 04:07 . 2010-09-21 04:07 932288 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\adobearm.exe
+ 2010-09-21 04:07 . 2010-09-21 04:07 338856 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0400000010\9.4.0\acrobatupdater.exe
+ 2011-06-08 04:39 . 2011-06-08 04:39 19798016 c:\windows\Installer\38383.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"ANT Agent"="c:\program files\Garmin\ANT Agent\ANT Agent.exe" [2010-05-20 12026216]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-08-31 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedIIGame.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\AssassinsCreedII.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed II\\UPlayBrowser.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-02-24 185472]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [x]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 135664]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-17 691696]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 34178558
*Deregistered* - 34178558
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]
.
2011-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 22:17]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\gvk0n3rj.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cfbef19&v=7.007.026.001&i=23&tp=ab&iy=&ychte=ca&lng=en-US&q=
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-07 20:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1390067357-1715567821-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:ff,36,9c,25,70,b3,59,1f,32,bd,ad,4b,46,78,10,58,0e,73,1e,a5,13,
33,06,e2,82,ea,e7,db,8c,40,a9,70,c8,cf,eb,13,ed,9e,43,74,d6,25,02,98,df,ef,\
"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3672)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-09-07 20:46:23
ComboFix-quarantined-files.txt 2011-09-08 00:46
ComboFix2.txt 2011-09-05 22:19
ComboFix3.txt 2011-09-04 21:48
ComboFix4.txt 2011-09-04 16:38
ComboFix5.txt 2011-09-07 23:33
.
Pre-Run: 219,249,684,480 bytes free
Post-Run: 219,272,200,192 bytes free
.
- - End Of File - - 7A9E198DFF5E6785CF37513E8887FFBF

#24 JonTom (Trusted Malware Tech)

Posted 08 September 2011 - 01:59 AM

Hello El Kabong

      I do in fact use Steam

Let's see if we can find it and get it restored.

Please navigate to the following location and post the log in your next reply.

C:\Qoobox\ComboFix-quarantined-files.txt

#25 El Kabong (Member)

Posted 08 September 2011 - 04:05 AM

Hi JonTom.


Here is the ComboFix quarantined log:

2011-09-05 21:06:11 . 2011-09-05 21:06:11 1,010 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_meika.reg.dat
2011-09-05 20:55:05 . 2011-09-07 23:35:57 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-09-01 01:44:32 . 2011-09-01 01:44:32 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-08-30 02:08:11 . 2011-08-30 02:08:11 1,174 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{7B63B2922B174135AFC0E1377DD81EC2}.reg.dat
2011-08-30 02:08:11 . 2011-08-30 02:08:11 1,166 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Steam App 500.reg.dat
2011-08-30 02:08:03 . 2011-08-30 02:08:03 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-Wdf01000.sys.reg.dat
2011-08-30 02:07:57 . 2011-08-30 02:07:57 79 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Steam.reg.dat
2011-08-30 00:11:39 . 2011-09-07 23:48:13 5,930 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-08-29 23:56:46 . 2011-09-07 23:33:16 408 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-09-14 16:57:44 . 2011-08-13 22:48:23 1,242,448 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Steam\Steam.exe.vir
2009-03-14 02:10:33 . 2008-04-14 00:11:56 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ksuser.dll.vir
2009-03-14 02:02:06 . 2008-04-14 00:12:07 171,008 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\srsvc.dll.vir
2009-03-13 10:14:53 . 2009-03-14 02:54:42 1,334 ----a-w- C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2007-11-07 12:03:18 . 2007-11-07 12:03:18 562,688 ----a-w- C:\Qoobox\Quarantine\C\Install.exe.vir
2004-08-12 14:02:01 . 2008-04-14 00:12:01 198,144 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\netman.dll.vir
2004-08-12 13:56:36 . 2008-04-14 00:11:51 62,464 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cryptsvc.dll.vir
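Added example, not from the thread or from ComboFix's authors: a Python script that reads the "is infected!!" lines of a ComboFix log and the Qoobox quarantine listing above, then emits the FCopy:: and DeQuarantine:: directives that JonTom writes by hand (the FCopy step in post #22 and the Steam restore that follows). The embedded log and listing are constructed excerpts; the script assumes clean copies live in C:\WINDOWS\ServicePackFiles\i386, as the thread's CFScript does, and sets aside any infected file outside system32 for manual review rather than guessing a source.

```python
import re
from typing import Dict, List

# Constructed excerpt shaped like the "Other Deletions" section of the
# thread's first ComboFix log (same file names, trimmed).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Steam\Steam.exe
.
c:\windows\system32\cryptsvc.dll . . . is infected!!
.
c:\windows\system32\netman.dll . . . is infected!!
.
c:\windows\system32\ksuser.dll . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
.
c:\windows\system32\srsvc.dll . . . is infected!!
.
c:\windows\pchealth\helpctr\binaries\pchsvc.dll . . . is infected!!
.
Infected copy of c:\windows\system32\ksuser.dll was found and disinfected
"""

# Constructed excerpt of C:\Qoobox\ComboFix-quarantined-files.txt.
SAMPLE_QUARANTINE = r"""
2011-09-05 21:06:11 . 2011-09-05 21:06:11 1,010 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_meika.reg.dat
2009-09-14 16:57:44 . 2011-08-13 22:48:23 1,242,448 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Steam\Steam.exe.vir
2009-03-14 02:02:06 . 2008-04-14 00:12:07 171,008 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\srsvc.dll.vir
2004-08-12 14:02:01 . 2008-04-14 00:12:01 198,144 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\netman.dll.vir
"""

# "<path> . . . is infected!!" lines (more text may follow on the line).
INFECTED_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\r\n]*?)[ \t]+\.[ \t]+\.[ \t]+\.[ \t]+is infected!!", re.M)
# Files ComboFix already replaced from a System Restore copy.
RESTORED_RE = re.compile(
    r"^Infected copy of (?P<path>[A-Za-z]:\\.+?) was found and disinfected", re.M)
# Quarantine listing: two timestamps, size, attributes, then the path. Only
# C:\Qoobox\Quarantine\<drive>\...\<file>.vir entries map back to an original
# file; Registry_backups and catchme entries are ignored.
QUAR_RE = re.compile(
    r"^\S+ \S+ \. \S+ \S+ [\d,]+ \S+ "
    r"(?P<qpath>[A-Za-z]:\\Qoobox\\Quarantine\\(?P<drive>[A-Za-z])\\(?P<rest>.+)\.vir)[ \t]*$",
    re.M)


def infected_files(log: str) -> List[str]:
    """Every path ComboFix flagged as infected, in log order."""
    return [m.group("path") for m in INFECTED_RE.finditer(log)]


def already_restored(log: str) -> List[str]:
    """Infected files ComboFix disinfected itself, so no FCopy is needed."""
    return [m.group("path") for m in RESTORED_RE.finditer(log)]


def quarantined_originals(listing: str) -> Dict[str, str]:
    """Map each original path (lower-cased) to its .vir copy under Qoobox."""
    out: Dict[str, str] = {}
    for m in QUAR_RE.finditer(listing):
        out[f"{m.group('drive')}:\\{m.group('rest')}".lower()] = m.group("qpath")
    return out


def plan_repair(log: str, listing: str, false_positives: List[str],
                sp_dir: str = r"C:\WINDOWS\ServicePackFiles\i386") -> Dict[str, List[str]]:
    """Decide what the CFScript should do.

    fcopy:        clean i386 copy over each still-infected system32 file
    dequarantine: .vir copies of files the analyst has judged false positives
    review:       infected files outside system32, where the flat i386 cache
                  is not a safe source and a human must choose the clean copy
    """
    restored = {p.lower() for p in already_restored(log)}
    quarantine = quarantined_originals(listing)
    fcopy, review, dequarantine = [], [], []
    for path in infected_files(log):
        if path.lower() in restored:
            continue
        if "\\system32\\" not in path.lower():
            review.append(path)
            continue
        name = path.rsplit("\\", 1)[1]
        fcopy.append(f"{sp_dir}\\{name} | {path}")
    for fp in false_positives:
        qpath = quarantine.get(fp.lower())
        if qpath is None:  # refuse to guess: DeQuarantine needs a real .vir
            raise ValueError(f"{fp} is not in the quarantine listing")
        dequarantine.append(qpath)
    return {"fcopy": fcopy, "dequarantine": dequarantine, "review": review}


def render_cfscript(repair: Dict[str, List[str]]) -> str:
    """Lay out the directives in the form ComboFix reads from CFScript.txt."""
    lines: List[str] = []
    if repair["fcopy"]:
        lines += ["FCopy::", *repair["fcopy"], ""]
    if repair["dequarantine"]:
        lines += ["DeQuarantine::", *repair["dequarantine"], ""]
    lines.append("Quit::")
    return "\n".join(lines)
```

Run `render_cfscript(plan_repair(SAMPLE_LOG, SAMPLE_QUARANTINE, [r"C:\Program Files\Steam\Steam.exe"]))` to see the script; the review list is returned separately so that nothing unverified ends up in the file that gets dropped onto ComboFix.exe.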

#26 JonTom (Trusted Malware Tech)

Posted 08 September 2011 - 02:01 PM

Hello El Kabong

Please do the following:

  • Please work through the following steps


    • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
    • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the quotebox below into the open Notepad window:

      DeQuarantine::
      C:\Qoobox\Quarantine\C\Program Files\Steam\Steam.exe.vir
      Quit::


    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Referring to the picture below, drag CFScript.txt into ComboFix.exe


    • When finished, it shall produce a log for you which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti virus.

  • Next


    • Navigate to the following:

    C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Steam.reg.dat

    • Manually remove the ".dat" extension so that the file becomes C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Steam.reg
    • Once you have done this, double click on C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Steam.reg
    • If you are asked if you want to merge the contents with the registry, please consent.

  • Temporary File Cleaner


    • Download TFC to your desktop.
    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish.
    • Once complete it should automatically reboot your machine.
    • If your machine does not reboot automatically, manually reboot to ensure a complete clean.
    • Note: After running TFC your machine may take slightly longer to boot the first time. This is normal.

  • MalwareBytes AntiMalware:


    • I can see that you have MBAM installed.
    • Double click on your MalwareBytes AntiMalware icon to launch the program.
    • Click on the "Update" tab and then on "Check for Updates".
    • The program will now install the latest Malware definition files.
    • Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
    • Once the program has scanned your computer, a log file will be created in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.


    • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
    • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
    • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
    • Come back here to this thread and Paste the log in your next reply.

  • Please run the following scan


    • Note: Internet Explorer is preferred for this scan, although it will run with other browsers.
    • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
    • Please disable your real time security programs before performing the scan.


    • Scan your system with Eset Online Scanner
    • Place a check mark in the box YES, I accept the Terms Of Use.
    • Click the [image] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.


    • Check [image]
    • Click the [image] button.
    • Accept any security warnings from your browser.
    • Check [image]
    • Make sure that the option to "Remove Found Threats" is UN checked.
    • Push the "Start" button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [image]
    • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [image] button.
    • Push [image]

    Post the ComboFix log, the MBAM log and the ESET log in your next reply and let me know how the machine is running now.

Member of ASAP and UNITE
Proud Graduate of the WTT Classroom
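The DeQuarantine step above works because of how ComboFix lays out its quarantine: a file taken from C:\Program Files\Steam\Steam.exe is stored as C:\Qoobox\Quarantine\C\Program Files\Steam\Steam.exe.vir, and registry exports land in Registry_backups as .reg.dat files, which is why the .dat suffix has to be removed before a .reg can be merged. The Python below is an added example (not part of JonTom's post and not ComboFix's own code) that parses a quarantine listing of the shape shown earlier in this thread, maps .vir entries back to their original paths, and writes a CFScript that restores only an explicit allow-list. The sample lines are copied from the listing in this thread; the allow-list holds the one file JonTom restores. The .vir copies of cryptsvc.dll, netman.dll, srsvc.dll and ksuser.dll are the infected originals ComboFix replaced, so they are deliberately left in quarantine.

```python
import re

# ComboFix (Qoobox) layout, as seen in the listing posted in this thread:
#   C:\Qoobox\Quarantine\<drive>\<original path>.vir      -> quarantined file
#   C:\Qoobox\Quarantine\Registry_backups\<key>.reg.dat   -> exported registry data
QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"

# One listing line: "<created> . <modified> <size> <attrs> <path>"
LISTING_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)


def original_path(quarantined):
    """Map a .vir entry back to the path ComboFix took it from; None for non-.vir entries."""
    prefix = QUARANTINE_ROOT + "\\"
    if not quarantined.startswith(prefix) or not quarantined.lower().endswith(".vir"):
        return None
    rel = quarantined[len(prefix):-len(".vir")]      # e.g. C\Program Files\Steam\Steam.exe
    drive, sep, rest = rel.partition("\\")
    if not sep or len(drive) != 1 or not drive.isalpha():
        return None                                   # Registry_backups, catchme.log, ...
    return f"{drive}:\\{rest}"


def parse_listing(text):
    """Return one dict per quarantine line; lines of any other shape are ignored."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            entries.append({
                "path": m["path"],
                "size": int(m["size"].replace(",", "")),
                "original": original_path(m["path"]),
            })
    return entries


def cfscript_dequarantine(entries, allow):
    """Build a CFScript that restores only the original paths named in `allow`.

    Everything else stays in Qoobox: the .vir copies of cryptsvc.dll, netman.dll,
    srsvc.dll and ksuser.dll are the infected originals that ComboFix replaced.
    """
    wanted = {a.lower() for a in allow}
    lines = ["DeQuarantine::"]
    for e in entries:
        if e["original"] and e["original"].lower() in wanted:
            lines.append(e["path"])
    lines.append("Quit::")
    return "\n".join(lines)


def reg_backups(entries):
    """Registry backups with the .dat suffix dropped (the rename JonTom asks for before merging)."""
    return [e["path"][:-len(".dat")] for e in entries if e["path"].lower().endswith(".reg.dat")]


# Lines copied from the quarantine listing posted in this thread.
SAMPLE = r"""
2011-08-30 02:07:57 . 2011-08-30 02:07:57 79 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Steam.reg.dat
2011-08-29 23:56:46 . 2011-09-07 23:33:16 408 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-09-14 16:57:44 . 2011-08-13 22:48:23 1,242,448 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Steam\Steam.exe.vir
2009-03-14 02:10:33 . 2008-04-14 00:11:56 4,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ksuser.dll.vir
2004-08-12 13:56:36 . 2008-04-14 00:11:51 62,464 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cryptsvc.dll.vir
"""

if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    print(cfscript_dequarantine(entries, [r"C:\Program Files\Steam\Steam.exe"]))
    print(reg_backups(entries))
```

Running it prints the same three-line CFScript JonTom gives above and the HKCU-Run-Steam.reg path that the rename step produces; the restored path it computes for Steam.exe is the one ComboFix reports in the DeQuarantine log further down.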

#27 El Kabong

El Kabong

    Member

  • Members
  • 26 posts

Posted 09 September 2011 - 04:21 AM

Hi JonTom.

All steps completed. After ComboFix I had no Web access, so I had to reboot. Shutdown after TFC was extremely long. Everything else went smoothly.

As far as system performance goes.... I'm still getting Bad Image errors, most notably when launching IE - (iexplore - Bad Image, The application or DLL C:\WINDOWS\appPatch\acLayers.DLL is not a valid Windows image. Please check this against your installation diskette). If I click OK it launches normally.

I still can't run most of my programs/software - the exe icons in the start menu are still 'altered'. Maybe eventually I'll have to re-install everything? This includes my system tools (Restore, System Info, etc.) (Help and Support Error - Windows cannot open Help and Support because a system service is not running. To fix this problem, start the service named 'Help and Support').

Other than that... It looks good. :)

Here are the Scans and logs.

Combofix Log: (DeQuarantine)

C:\Qoobox\Quarantine\C\Program Files\Steam\Steam.exe.vir -> C:\Program Files\Steam\Steam.exe ( 1242448 bytes )



MBAM Log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7680

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/8/2011 8:18:59 PM
mbam-log-2011-09-08 (20-18-59).txt

Scan type: Quick scan
Objects scanned: 219156
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESETScan:

C:\Documents and Settings\Mark\My Documents\Downloads\Assassins.Creed.II-SKIDROW\sr-acii.iso a variant of Win32/Packed.VMProtect.AAA trojan
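The "is not a valid Windows image" text in the error El Kabong reports means the loader rejected acLayers.DLL before running anything from it: the file fails the structural checks on a PE image (MZ header, e_lfanew, PE signature, machine type, optional-header magic). Two checks a practitioner would run on a file like that are a PE header sanity check and a hash comparison against the copy Windows File Protection keeps in system32\dllcache. The Python below is an added example, not from this thread or from any tool used in it; it runs on a constructed minimal PE header and a patched copy of it written to a temporary directory, and the file name sample.dll and the directory layout are assumptions. A header that passes says nothing about the file being clean, and a dllcache match only shows the two copies agree (an infector that patches both, or a hotfix that legitimately updated both, looks the same), so a known-good hash from a clean machine is the stronger reference.

```python
import hashlib
import os
import struct
import tempfile

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x010B


def pe_problem(data, expect_dll=True):
    """Return None if `data` has a plausible 32-bit PE layout, otherwise a short reason.

    These are structural checks of the kind the loader makes before it reports
    'not a valid Windows image'; passing them does not mean the file is clean.
    """
    if len(data) < 0x40:
        return "shorter than a DOS header"
    if data[:2] != b"MZ":
        return "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 + 2 > len(data):            # PE sig (4) + COFF header (20) + Magic (2)
        return "e_lfanew points past end of file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "missing PE signature"
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if machine != IMAGE_FILE_MACHINE_I386:
        return f"unexpected machine 0x{machine:04x} for an x86 system"
    if nsections == 0 or opt_size == 0:
        return "no sections or no optional header"
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if magic != PE32_MAGIC:
        return f"unexpected optional-header magic 0x{magic:04x}"
    if expect_dll and not chars & IMAGE_FILE_DLL:
        return "IMAGE_FILE_DLL not set"
    return None


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_cache(live_dir, cache_dir, names):
    """Compare each named file in live_dir against its copy in cache_dir.

    On XP, cache_dir would be the dllcache folder under system32. A mismatch is a
    lead, not a verdict; a match only says the two copies agree.
    """
    report = {}
    for name in names:
        live, cached = os.path.join(live_dir, name), os.path.join(cache_dir, name)
        if not os.path.exists(cached):
            report[name] = "no cached copy"
        elif sha256_file(live) != sha256_file(cached):
            report[name] = "differs from cached copy"
        else:
            report[name] = "matches cached copy"
    return report


def make_pe(characteristics=IMAGE_FILE_DLL, machine=IMAGE_FILE_MACHINE_I386):
    """Constructed minimal PE32 header (not a loadable DLL) used as sample input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 224, characteristics)
    optional = struct.pack("<H", PE32_MAGIC) + b"\0" * 222
    return dos + b"PE\0\0" + coff + optional


def demo():
    """Run both checks on a constructed good/patched pair written to a temp directory."""
    good = make_pe()
    patched = bytearray(good)
    patched[0x41] ^= 0xFF                        # clobber the 'E' of the PE signature
    verdicts = {"good": pe_problem(good), "patched": pe_problem(bytes(patched))}
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "system32")
        cache = os.path.join(live, "dllcache")   # assumed layout, mirrors XP's system32\dllcache
        os.makedirs(cache)
        with open(os.path.join(live, "sample.dll"), "wb") as f:
            f.write(bytes(patched))
        with open(os.path.join(cache, "sample.dll"), "wb") as f:
            f.write(good)
        report = compare_with_cache(live, cache, ["sample.dll", "other.dll"])
    return verdicts, report


if __name__ == "__main__":
    print(demo())
```

On the machine in this thread the same two calls would be pe_problem() on the bytes of C:\WINDOWS\AppPatch\acLayers.DLL and compare_with_cache() over the system32 and system32\dllcache folders for the DLL names ComboFix listed as infected.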

#28 JonTom
Posted 09 September 2011 - 11:55 AM

Hello El Kabong

Thank you for working through those steps (Steam should be restored now).

Maybe eventually I'll have to re-install everything?

That is always an option we have at our disposal, but I don't give up that easily :boxing:

Let's take care of the ESET detection:

  • Please download OTM


    • Please download OTM by OldTimer by clicking here.
    • Save the file (called OTM.exe) to your desktop.
    • Double click on the OTM.exe icon to run the program. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :Processes 
    explorer.exe
    
    :Files
    C:\Documents and Settings\Mark\My Documents\Downloads\Assassins.Creed.II-SKIDROW\sr-acii.iso
    
    
    :Commands
    [Purity]
    [EmptyTemp]
    [Emptyflash]
    [Start Explorer]
    [Reboot]
    
    




    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM.
    • Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • Help and Support Error


    • Let's try and address the help and support error with the following.
    • Click on "Start" and then on "Run".
    • Type (or copy/paste) the text in bold into the Run box, then click on OK

    Services.msc

    • A window will open.
    • Double click on "Help and Support".
    • In the window that appears, set the Startup type to "Automatic".
    • Click on OK and close the remaining windows.

    Please post the OTM log in your next reply, let me know if you are still getting the bad image error messages, and if you are now able to open your programs.


#29 El Kabong
Posted 09 September 2011 - 07:49 PM

Hi JonTom.

Not good news I'm afraid. The OTM move seemed to work (see log below), but the [Reboot] incorporated in the script didn't happen. In fact, Windows was stuck in 'shut down' for hours. I had to cold reboot.

Also, there was no 'Help and Support' in Services.msc... there's a helpsvc (whose startup is already set to Automatic)? I didn't touch anything in any case.

Still getting Bad Image Errors (at least when launching IE).

Still cannot run most programs... :(

Attempting another restart... without cold reset.

OTM LOG:


All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\Documents and Settings\Mark\My Documents\Downloads\Assassins.Creed.II-SKIDROW\sr-acii.iso moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: All Users.WINDOWS

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Mark
->Temp folder emptied: 977470 bytes
->Temporary Internet Files folder emptied: 7648793 bytes
->FireFox cache emptied: 41403012 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: Mark C
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 90 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 48.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 09092011_181429

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#30 JonTom
Posted 10 September 2011 - 05:16 PM

Hello El Kabong

Let's try to get your programs running again and then run a different system scan to try and pin down the source of the error messages:

  • SREng


    • Download SREng from here.
    • Extract it to Desktop and double click SREngLdr.EXE to run it (NOTE: you may need to rename it to IEXPLORE.EXE or SREng.com to get it to run)
    • Select System Repair from the left pane.
    • Click on File Association.
    • Select all entries that have an Error status and click on [Repair].
    • Refer to this image for an example:

    • Close SREng now.

  • Junction


    • Please download Junction.zip by clicking here and save it to your desktop.
    • Unzip it and extract junction.exe to your C:\ drive.
    • Once junction.exe has been extracted, copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad:

    @ECHO OFF
    cd c:\
    junction -s c:\>log.txt
    start log.txt
    del %0
    

    • Save it to your desktop as File name: junc.bat
    • Save as type: All Files
    • Double click junc.bat to run it.
    • A log will be presented. Copy and paste the content of the log in your next reply.

  • Download and run OTL by Oldtimer


    • Please download OTL by Oldtimer by clicking here and save the file (called OTL.exe) to your desktop.
    • Close all open windows on your computer then Double click on the OTL.exe icon to run the program.
    • Check the boxes beside "LOP Check" and "Purity Check".
    • Under Custom Scan paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    iexplore.*
    explorer.*
    winlogon.*
    dll
    zx.dll
    hlp.dat
    /md5stop

    • Click the "Run Scan" button. Do not change any settings unless specifically told to do so. The scan will not take long.

    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
    • Note: These logs can be located in the OTL. folder on your C:\ drive if they fail to open automatically.
    • Please Copy and Paste the contents of both files in your next reply. You may need two posts to fit them both in.

  • Rootkit Unhooker


    • Please Download Rootkit Unhooker and Save it to your desktop.
    • Now double-click on RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Check (Tick) Drivers, Stealth. Uncheck the rest, then Click OK.
    • Wait till the scanner has finished and then click File, Save Report.
    • Save the report somewhere where you can find it. Click Close.

    Copy the entire contents of the report and paste it in your next reply here.
    Note: You may get the following warning, just click OK and continue.

    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"


    Please post the junction log, the OTL logs and the Rootkit Unhooker log in your next reply (you may need to make more than one post to fit all of the information in).

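OTL's process, service and driver lines carry the company name from each file's version resource in parentheses and print "()" when there is none. On the XP SP3 machine in this thread the earlier ComboFix run found several Microsoft service DLLs patched, and a file under %SystemRoot% that reports no company name is the same kind of lead: worth checking against dllcache or a known-good hash before anything else. The Python below is an added example (not part of OTL and not part of JonTom's instructions) that parses OTL SRV/DRV/PRC/MOD lines, reports "File not found" services, and flags empty-company files under the system root. The system root C:\WINDOWS is an assumption taken from the log header; the sample lines are copied from the OTL log El Kabong posts in reply. Note that nvshell.dll is flagged as well, which shows the heuristic produces candidates for verification rather than verdicts.

```python
import re

# Assumed for the machine in this thread: OTL's header prints %SystemRoot% = C:\WINDOWS.
SYSTEM_ROOT = r"C:\WINDOWS"

# "KIND - [stamp | size | attrs | flag] (company) [state] -- path -- (service) description"
OTL_ENTRY = re.compile(
    r"^(?P<kind>SRV|DRV|PRC|MOD) - "
    r"\[(?P<stamp>[^|]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[^|]+?) \| (?P<flag>\w)\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<service>[^)]*)\)(?P<desc>.*))?$"
)
# "SRV - File not found [Auto | Stopped] -- -- (ServiceName)"
OTL_MISSING = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<state>[^\]]*)\] -- -- \((?P<service>[^)]*)\)$"
)


def triage(log_text):
    """Return (kind, item, reason) tuples for lines worth a second look."""
    findings = []
    root = SYSTEM_ROOT.lower() + "\\"
    for raw in log_text.splitlines():
        line = raw.strip()
        m = OTL_MISSING.match(line)
        if m:
            findings.append((m["kind"], m["service"], "registered but binary not found"))
            continue
        m = OTL_ENTRY.match(line)
        if not m:
            continue
        path, company = m["path"], m["company"].strip()
        if path.lower().startswith(root) and not company:
            findings.append((m["kind"], path,
                             "no company name under %SystemRoot%; compare with dllcache or a known-good hash"))
    return findings


def flagged_files(log_text):
    """Base names of files triage() flagged for an empty company name, sorted."""
    return sorted(path.rsplit("\\", 1)[-1].lower()
                  for _, path, reason in triage(log_text) if reason.startswith("no company"))


def missing_services(log_text):
    """Service names whose binary OTL could not find, sorted."""
    return sorted(name for _, name, reason in triage(log_text) if reason.startswith("registered"))


# Lines copied from the OTL log posted in this thread.
SAMPLE = r"""
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/09/06 16:45:28 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2008/04/13 20:12:09 | 000,144,896 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
DRV - [2008/04/13 14:40:10 | 000,080,128 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\parport.sys -- (Parport)
DRV - [2008/01/30 12:28:36 | 004,725,760 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
MOD - [2008/12/25 12:08:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
"""

if __name__ == "__main__":
    for kind, item, reason in triage(SAMPLE):
        print(f"{kind}: {item}: {reason}")
```

Feed it the whole OTL.Txt and the flagged list is the set of files to hash against dllcache or a clean install; the service names in the "File not found" list (HidServ, AppMgmt and NeroRegInCDSrv in the log that follows) are registrations pointing at binaries that no longer exist, which is a separate clean-up item.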

#31 El Kabong
Posted 10 September 2011 - 07:10 PM

Hi JonTom.
Whew... That was quite a list
Here we go!

Junction Log:

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.


...

...

...

...

..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e



OTL LOG:

OTL logfile created on: 9/10/2011 7:38:39 PM - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Documents and Settings\Mark\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.46 Gb Available Physical Memory | 82.10% Memory free
4.84 Gb Paging File | 4.53 Gb Available in Paging File | 93.49% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 596.16 Gb Total Space | 205.16 Gb Free Space | 34.41% Space Free | Partition Type: NTFS

Computer Name: MARKC | User Name: Mark | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/10 19:36:41 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
PRC - [2011/09/06 16:45:30 | 003,722,416 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/09/06 16:45:28 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/03/21 14:56:16 | 001,230,704 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/05/20 14:34:30 | 012,026,216 | ---- | M] (GARMIN Corp.) -- C:\Program Files\Garmin\ANT Agent\ANT Agent.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/18 15:36:24 | 001,629,480 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
PRC - [2008/02/18 15:36:14 | 001,553,704 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
PRC - [2008/02/18 15:36:04 | 001,057,064 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCD.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/10 16:05:04 | 001,560,576 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\11091002\algo.dll
MOD - [2011/09/10 14:48:23 | 000,208,544 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\11091002\aswRep.dll
MOD - [2011/03/21 14:57:34 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011/03/21 14:56:16 | 001,230,704 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2010/01/21 02:34:10 | 008,793,952 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
MOD - [2010/01/09 21:18:18 | 004,254,560 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2009/04/27 12:55:12 | 000,678,400 | ---- | M] () -- C:\Program Files\IZArc\IZArcCM.dll
MOD - [2008/12/25 12:08:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (NeroRegInCDSrv)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/09/06 16:45:28 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/01/21 18:51:12 | 030,963,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2009/07/26 07:43:14 | 000,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- C:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2008/04/13 20:12:09 | 000,144,896 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
SRV - [2008/04/13 20:12:08 | 000,068,096 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\webclnt.dll -- (WebClient)
SRV - [2008/04/13 20:12:05 | 000,039,424 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\sens.dll -- (SENS)
SRV - [2008/04/13 20:12:05 | 000,018,944 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/13 20:11:53 | 000,023,040 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ersvc.dll -- (ERSvc)
SRV - [2008/02/18 15:36:14 | 001,553,704 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2007/11/17 19:41:46 | 000,598,016 | ---- | M] () [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM)) ForceWare Intelligent Application Manager (IAM)
SRV - [2007/11/17 19:40:20 | 000,159,744 | ---- | M] () [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe -- (nSvcIp)


========== Driver Services (SafeList) ==========

DRV - [2011/09/06 16:38:05 | 000,442,200 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/09/06 16:37:53 | 000,320,856 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/09/06 16:36:38 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/09/06 16:36:36 | 000,052,568 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/09/06 16:36:23 | 000,110,552 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/09/06 16:36:12 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/09/06 16:33:11 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/02/24 06:22:10 | 000,185,472 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\acedrv11.sys -- (acedrv11)
DRV - [2010/01/17 15:18:30 | 000,691,696 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/08/18 19:54:00 | 000,145,952 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvgts.sys -- (nvgts)
DRV - [2008/04/13 14:40:10 | 000,080,128 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\parport.sys -- (Parport)
DRV - [2008/02/18 15:36:14 | 000,038,312 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm)
DRV - [2008/02/18 15:36:14 | 000,036,648 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass)
DRV - [2008/02/18 15:36:04 | 000,118,952 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2008/01/30 12:28:36 | 004,725,760 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/11/17 19:43:56 | 000,022,016 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2007/11/17 19:43:46 | 000,054,016 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/de...aspx?lang=fr-ca
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-i3752"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-i3752"
FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1374
FF - prefs.js..extensions.enabledItems: avg@igeared:7.005.030.004
FF - prefs.js..extensions.enabledItems: DTToolbar@toolbarnet.com:1.1.3.0244
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.1.94
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.1.94
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..keyword.URL: "http://search.avg.co...a&lng=en-US&q="


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@zylom.com/ZylomGamesPlayer: C:\Documents and Settings\All Users.WINDOWS\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll (Zylom)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2011/06/24 10:26:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/09/10 18:03:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/11 16:10:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/02 18:47:31 | 000,000,000 | ---D | M]

[2009/03/13 22:17:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Extensions
[2011/09/02 20:37:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\gvk0n3rj.default\extensions
[2010/09/25 17:46:11 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\gvk0n3rj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/23 22:18:47 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\gvk0n3rj.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/04/04 17:39:00 | 000,002,059 | ---- | M] () -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\gvk0n3rj.default\searchplugins\daemon-search.xml
[2011/06/11 16:10:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/10 18:03:15 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2011/06/24 10:26:01 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\DIVXHTML5
[2011/04/14 12:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2009/07/02 11:19:28 | 000,102,400 | ---- | M] (Zylom) -- C:\Program Files\mozilla firefox\plugins\npzylomgamesplayer.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/09/05 18:11:37 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe (Nero AG)
O4 - HKCU..\Run: [ANT Agent] C:\Program Files\Garmin\ANT Agent\ANT Agent.exe (GARMIN Corp.)
O4 - HKCU..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll (Google Inc.)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\nvappfilter.dll (NVIDIA)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{752F14E1-309A-4B3D-879C-E7572779E215}: DhcpNameServer = 192.168.2.1 192.168.2.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/04 10:45:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: ERSvc - C:\WINDOWS\system32\ersvc.dll ()
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Seclogon - C:\WINDOWS\system32\seclogon.dll ()
NetSvcs: SENS - C:\WINDOWS\system32\sens.dll ()
NetSvcs: WmdmPmSp - File not found
NetSvcs: winmgmt - C:\WINDOWS\system32\wbem\wmisvc.dll ()

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 30 Days ==========

[2011/09/10 19:36:32 | 000,581,120 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
[2011/09/10 19:26:45 | 000,150,392 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\junction.exe
[2011/09/10 19:24:48 | 001,895,960 | ---- | C] (Smallfrogs Studio) -- C:\Documents and Settings\Mark\Desktop\SREngLdr.EXE
[2011/09/09 18:14:29 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/09/09 18:13:00 | 000,522,752 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTM.exe
[2011/09/08 20:32:24 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/09/08 19:09:00 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\TFC.exe
[2011/09/08 18:41:35 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
[2011/09/08 18:39:57 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/09/08 18:38:41 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/09/07 20:46:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/09/04 11:17:41 | 004,200,409 | R--- | C] (Swearware) -- C:\Documents and Settings\Mark\Desktop\ComboFix.exe
[2011/09/02 21:04:02 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Mark\Desktop\HijackThis.exe
[2011/09/02 19:10:25 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Mark\Desktop\dds.scr
[2011/09/02 18:47:23 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/09/02 18:45:20 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/08/30 20:50:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Google
[2011/08/30 20:48:43 | 000,320,856 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/08/30 20:48:43 | 000,020,568 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/08/30 20:48:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\avast! Free Antivirus
[2011/08/30 20:48:42 | 000,442,200 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/08/30 20:48:42 | 000,110,552 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/08/30 20:48:42 | 000,104,536 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/08/30 20:48:42 | 000,052,568 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/08/30 20:48:42 | 000,034,392 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/08/30 20:48:42 | 000,030,808 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/08/30 20:47:42 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/08/30 20:47:42 | 000,041,184 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/08/30 20:47:37 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/08/30 20:47:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVAST Software
[2011/08/29 22:16:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\Malwarebytes
[2011/08/29 22:15:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/08/29 22:15:51 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/08/29 22:15:50 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/29 22:15:50 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/08/29 22:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2011/08/29 20:01:01 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/08/29 19:56:54 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/08/29 19:56:54 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/08/29 19:56:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/08/29 19:56:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/08/29 19:56:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/08/29 19:55:58 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Mark\Start Menu\Programs\Administrative Tools

========== Files - Modified Within 30 Days ==========

[2011/09/10 19:36:41 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
[2011/09/10 19:28:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/09/10 19:26:21 | 000,079,623 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Junction.zip
[2011/09/10 19:24:18 | 000,676,536 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\sreng2.zip
[2011/09/10 18:05:25 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/09/10 18:05:14 | 000,249,324 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2011/09/10 18:05:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/10 18:03:16 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/09/09 20:34:28 | 000,013,708 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/09 18:13:07 | 000,522,752 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTM.exe
[2011/09/08 19:09:07 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\TFC.exe
[2011/09/08 18:16:24 | 004,200,409 | R--- | M] (Swearware) -- C:\Documents and Settings\Mark\Desktop\ComboFix.exe
[2011/09/06 16:45:29 | 000,199,304 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/09/06 16:45:29 | 000,041,184 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/09/06 16:38:05 | 000,442,200 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/09/06 16:37:53 | 000,320,856 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/09/06 16:36:38 | 000,034,392 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/09/06 16:36:36 | 000,052,568 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/09/06 16:36:23 | 000,110,552 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/09/06 16:36:20 | 000,104,536 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/09/06 16:36:12 | 000,020,568 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/09/06 16:33:11 | 000,030,808 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/09/06 05:05:02 | 001,384,962 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\tdsskiller.zip
[2011/09/05 18:11:37 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/09/05 10:50:30 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/09/04 13:57:12 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\SystemLook.exe
[2011/09/03 13:21:20 | 000,000,176 | ---- | M] () -- C:\Documents and Settings\Mark\defogger_reenable
[2011/09/03 13:18:52 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Defogger.exe
[2011/09/02 21:04:06 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Mark\Desktop\HijackThis.exe
[2011/09/02 19:10:56 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Mark\Desktop\dds.scr
[2011/09/02 18:47:31 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Adobe Reader 9.lnk
[2011/09/02 18:45:20 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/08/30 20:48:43 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\avast! Free Antivirus.lnk
[2011/08/29 22:15:53 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/29 20:01:05 | 000,000,339 | RHS- | M] () -- C:\boot.ini
[2011/08/24 03:00:16 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/08/23 19:19:41 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Google Chrome.lnk

========== Files Created - No Company Name ==========

[2011/09/10 19:26:21 | 000,079,623 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Junction.zip
[2011/09/10 19:24:10 | 000,676,536 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\sreng2.zip
[2011/09/06 05:04:40 | 001,384,962 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\tdsskiller.zip
[2011/09/04 13:57:11 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\SystemLook.exe
[2011/09/03 13:40:49 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\gmer.exe
[2011/09/03 13:21:15 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\Mark\defogger_reenable
[2011/09/03 13:18:52 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Defogger.exe
[2011/08/30 20:48:43 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\avast! Free Antivirus.lnk
[2011/08/29 22:15:53 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/08/29 20:01:05 | 000,000,223 | ---- | C] () -- C:\Boot.bak
[2011/08/29 20:01:02 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/08/29 19:56:54 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/08/29 19:56:54 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/08/29 19:56:54 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/08/29 19:56:54 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/08/29 19:56:54 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/06/11 18:59:14 | 000,036,140 | ---- | C] () -- C:\WINDOWS\DIIUnin.dat
[2011/06/11 18:59:09 | 000,094,208 | ---- | C] () -- C:\WINDOWS\DIIUnin.exe
[2010/10/14 02:36:44 | 000,179,263 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2010/02/24 06:22:10 | 000,185,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\acedrv11.sys
[2009/12/02 18:32:34 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/02 18:32:33 | 000,032,768 | ---- | C] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/17 03:04:24 | 002,173,472 | ---- | C] () -- C:\WINDOWS\System32\nvcplui.exe
[2009/08/17 00:57:00 | 001,597,690 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/03/15 19:37:40 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2009/03/13 22:55:01 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2009/03/13 22:54:47 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2009/03/13 22:54:46 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2009/03/13 22:17:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/03/13 22:11:26 | 000,003,636 | R--- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2009/03/13 22:10:45 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2009/03/13 22:05:15 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/03/13 22:01:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/03/13 22:01:01 | 000,538,624 | ---- | C] () -- C:\WINDOWS\System32\spider.exe
[2009/03/13 15:46:10 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/03/13 15:45:56 | 000,069,120 | ---- | C] () -- C:\WINDOWS\notepad.exe
[2009/03/13 15:43:35 | 000,269,392 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/12/25 12:08:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/12/25 12:08:00 | 001,657,376 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2008/12/25 12:08:00 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/12/25 12:08:00 | 001,346,080 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2008/12/25 12:08:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/12/25 12:08:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/12/25 12:08:00 | 000,449,056 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2008/12/25 12:08:00 | 000,432,672 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2008/10/07 10:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 10:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2004/08/12 10:11:42 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/12 10:11:41 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/12 10:09:06 | 000,068,096 | ---- | C] () -- C:\WINDOWS\System32\webclnt.dll
[2004/08/12 10:06:43 | 000,121,856 | ---- | C] () -- C:\WINDOWS\System32\stobject.dll
[2004/08/12 10:04:54 | 000,039,424 | ---- | C] () -- C:\WINDOWS\System32\sens.dll
[2004/08/12 10:04:52 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/12 10:04:51 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\seclogon.dll
[2004/08/12 10:03:49 | 000,034,304 | ---- | C] () -- C:\WINDOWS\System32\pstorsvc.dll
[2004/08/12 10:03:48 | 000,096,768 | ---- | C] () -- C:\WINDOWS\System32\psbase.dll
[2004/08/12 10:03:21 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/12 10:03:20 | 000,435,682 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/12 10:03:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/12 10:03:19 | 000,068,578 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/12 10:02:47 | 000,270,336 | ---- | C] () -- C:\WINDOWS\System32\oakley.dll
[2004/08/12 10:02:25 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/12 09:59:52 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/12 09:59:46 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/12 09:58:13 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ipsecsvc.dll
[2004/08/12 09:57:15 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\ersvc.dll
[2004/08/12 09:57:10 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/12 09:57:10 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\dssenh.dll
[2004/08/12 09:56:49 | 000,279,552 | ---- | C] () -- C:\WINDOWS\System32\ddraw.dll
[2004/08/12 09:56:48 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\dciman32.dll
[2004/08/12 09:56:48 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/12 09:56:46 | 001,689,088 | ---- | C] () -- C:\WINDOWS\System32\d3d9.dll
[2004/08/12 09:56:00 | 000,194,560 | ---- | C] () -- C:\WINDOWS\System32\certcli.dll
[2004/08/12 09:55:53 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\batmeter.dll
[2004/08/03 18:59:08 | 000,080,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\parport.sys

========== LOP Check ==========

[2011/08/30 20:47:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVAST Software
[2010/01/19 00:12:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\BioWare
[2011/02/09 20:45:01 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Common Files
[2010/01/17 15:18:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\DAEMON Tools Lite
[2009/03/14 16:25:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Electronic Arts
[2009/09/23 21:26:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Fallout3
[2010/06/14 19:54:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\GARMIN
[2011/02/09 18:54:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2011/02/21 19:16:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ubisoft
[2011/03/23 18:32:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Zylom
[2010/06/21 18:58:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/01/17 15:21:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\DAEMON Tools Lite
[2011/06/24 10:26:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\DDMSettings
[2010/06/14 19:54:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\GARMIN
[2010/12/07 19:27:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\ProtectDISC
[2011/02/21 19:16:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Ubisoft

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/03/04 10:45:41 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/01/18 18:39:38 | 000,000,223 | ---- | M] () -- C:\Boot.bak
[2011/08/29 20:01:05 | 000,000,339 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2009/03/04 10:45:41 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2011/09/08 18:41:37 | 000,000,113 | ---- | M] () -- C:\DeQuarantine.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007/11/07 08:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007/11/07 08:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2007/11/07 08:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2007/11/07 08:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
[2007/11/07 08:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
[2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2007/11/07 08:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
[2007/11/07 08:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
[2007/11/07 08:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
[2007/11/07 08:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
[2007/11/07 08:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
[2007/11/07 08:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
[2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
[2009/03/04 10:45:41 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/09/07 15:39:20 | 000,150,392 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\junction.exe
[2011/09/10 19:35:22 | 000,002,620 | ---- | M] () -- C:\log.txt
[2009/03/04 10:45:41 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/12 10:02:33 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/06/03 21:33:15 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/09/10 18:04:55 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2011/09/06 05:06:35 | 000,036,678 | ---- | M] () -- C:\TDSSKiller.2.5.18.0_06.09.2011_05.05.35_log.txt
[2007/11/07 08:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2007/11/07 08:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
[2007/11/07 08:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/03/13 22:03:32 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2011/09/06 16:45:29 | 000,041,184 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2009/03/13 15:25:04 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2009/03/13 15:25:04 | 000,634,880 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2009/03/13 15:25:03 | 000,913,408 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.līk /x >
[2010/06/03 21:36:05 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\desktop.ini
[2010/06/03 21:36:05 | 000,001,563 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Set Program Access and Defaults.lnk
[2009/03/13 22:03:57 | 000,000,398 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Windows Catalog.lnk
[2009/03/13 22:03:57 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Windows Update.lnk

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x >

< %USERPROFILE%\Deskuop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-08-24 07:00:17


< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/12 09:57:20 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: EXPLORER.EXE-082F38A9.PF >
[2011/09/10 19:36:44 | 000,018,954 | ---- | M] () MD5=B24EB1B793D133654ED6E3029C67A4F4 -- C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf

< MD5 for: EXPLORER.SCF >
[2004/08/12 09:57:20 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf

< MD5 for: EXPLORER.ZIP >
[2009/06/03 21:15:06 | 000,020,394 | ---- | M] () MD5=B469409C2B2A33C542190B720E11BD79 -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip

< MD5 for: IEXPLORE.CHM >
[2004/08/12 09:58:01 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- C:\WINDOWS\ie7\iexplore.chm
[2006/09/01 09:43:50 | 000,503,758 | ---- | M] () MD5=652E46500C149D1DC948BF9CEA8C4933 -- C:\WINDOWS\Help\iexplore.chm

< MD5 for: IEXPLORE.EXE >
[2010/12/20 07:25:27 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=091D358EFC9D22901BD879EF37F0DAC4 -- C:\WINDOWS\ie7updates\KB2497640-IE7\iexplore.exe
[2010/06/17 11:12:57 | 000,634,656 | ---- | M] (Microsoft Corporation) MD5=203E897F843D56496E2CC101DFF6CE34 -- C:\WINDOWS\ie7updates\KB2360131-IE7\iexplore.exe
[2011/04/21 06:34:43 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=3E23DBEBE1020D52C63235E4189FAC03 -- C:\WINDOWS\$hf_mig$\KB2530548-IE7\SP3QFE\iexplore.exe
[2009/10/28 02:54:16 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=4F9B04D546C23A295F3F0AE015BE51DB -- C:\WINDOWS\ie7updates\KB978207-IE7\iexplore.exe
[2009/10/28 02:54:16 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=4F9B04D546C23A295F3F0AE015BE51DB -- C:\WINDOWS\SoftwareDistribution\Download\a5fdd8607ddaffd55aa72ce1ea06b42c\SP3GDR\iexplore.exe
[2009/12/18 09:05:43 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=53C291F3B01EECECBD7FD358EA3ACC94 -- C:\WINDOWS\ie7updates\KB980182-IE7\iexplore.exe
[2008/04/13 20:12:22 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
[2010/10/18 07:07:43 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=72D1F43C4146D312B0DB6AB98C21340E -- C:\WINDOWS\ie7updates\KB2482017-IE7\iexplore.exe
[2009/10/28 02:54:21 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=80675329E0FD54F016C4F8A83C616349 -- C:\WINDOWS\$hf_mig$\KB976325-IE7\SP3QFE\iexplore.exe
[2009/10/28 02:54:21 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=80675329E0FD54F016C4F8A83C616349 -- C:\WINDOWS\SoftwareDistribution\Download\a5fdd8607ddaffd55aa72ce1ea06b42c\SP3QFE\iexplore.exe
[2011/06/20 07:29:11 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=993F33696EF219C306BF9BBA34D85073 -- C:\Program Files\Internet Explorer\iexplore.exe
[2011/06/20 07:29:11 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=993F33696EF219C306BF9BBA34D85073 -- C:\WINDOWS\system32\dllcache\iexplore.exe
[2010/06/17 10:45:15 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B0BC6DC9C9277250C5C8F7B7A48A02CC -- C:\WINDOWS\$hf_mig$\KB2183461-IE7\SP3QFE\iexplore.exe
[2010/04/16 07:08:29 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B24A4E23A2FEDB6976EB04D334AD82B2 -- C:\WINDOWS\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe
[2010/02/23 01:20:02 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B5116340B84824DDD0A641E36B126194 -- C:\WINDOWS\ie7updates\KB982381-IE7\iexplore.exe
[2011/04/21 06:58:25 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B6E13F9C120C776A89D783E26D6C15C5 -- C:\WINDOWS\ie7updates\KB2559049-IE7\iexplore.exe
[2010/12/20 06:49:55 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=B74CBEBA34E3CAA2CCACC87FEE8A16C0 -- C:\WINDOWS\$hf_mig$\KB2482017-IE7\SP3

#32 JonTom

JonTom

    Trusted Malware Tech

  • Trusted Malware Techs
  • 2,999 posts
  • Gender:Male
  • Location:UK


Posted 11 September 2011 - 02:45 PM

Hello El Kabong

Thank you for the logs.

I would like to see a little extra information if I may:

  • aswMBR


  • Download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.

  • On completion of the scan click save log, save it to your desktop and post in your next reply.

Please post the log in your next reply :)

Member of ASAP and UNITE
Proud Graduate of the WTT Classroom

#33 El Kabong

El Kabong

    Member

  • Members
  • 26 posts

Posted 11 September 2011 - 04:47 PM

Hi JonTom. Thanks for all this.

Here is the aswMBR log:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-11 17:14:30
-----------------------------
17:14:30.187 OS Version: Windows 5.1.2600 Service Pack 3
17:14:30.187 Number of processors: 4 586 0x170A
17:14:30.187 ComputerName: MARKC UserName: Mark
17:14:31.796 Initialize success
17:14:32.312 AVAST engine defs: 11091100
17:14:41.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts2Port3Path0Target0Lun0
17:14:41.203 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
17:14:41.203 Device \Driver\nvgts -> DriverStartIo SCSIPORT.SYS b7ef740e
17:14:41.234 Disk 0 MBR read successfully
17:14:41.234 Disk 0 MBR scan
17:14:41.234 Disk 0 Windows XP default MBR code
17:14:41.234 Disk 0 scanning sectors +1250242560
17:14:41.265 Disk 0 scanning C:\WINDOWS\system32\drivers
17:14:46.593 Service scanning
17:14:47.687 Modules scanning
17:16:41.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mark\Desktop\MBR.dat"
17:16:41.968 The log file has been saved successfully to "C:\Documents and Settings\Mark\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-11 17:17:29
-----------------------------
17:17:29.343 OS Version: Windows 5.1.2600 Service Pack 3
17:17:29.343 Number of processors: 4 586 0x170A
17:17:29.343 ComputerName: MARKC UserName: Mark
17:17:30.953 Initialize success
17:17:31.000 AVAST engine defs: 11091100
17:17:35.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts2Port3Path0Target0Lun0
17:17:35.843 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
17:17:35.843 Device \Driver\nvgts -> DriverStartIo SCSIPORT.SYS b7ef740e
17:17:35.875 Disk 0 MBR read successfully
17:17:35.875 Disk 0 MBR scan
17:17:35.875 Disk 0 Windows XP default MBR code
17:17:35.875 Disk 0 scanning sectors +1250242560
17:17:35.921 Disk 0 scanning C:\WINDOWS\system32\drivers
17:17:40.187 Service scanning
17:17:40.984 Modules scanning
17:19:43.359 Module: C:\WINDOWS\system32\ntdll.dll **SUSPICIOUS**
17:19:43.359 Disk 0 trace - called modules:
17:19:43.390 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys
17:19:43.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac5d728]
17:19:43.390 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000062[0x8ac5e880]
17:19:43.390 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Scsi\nvgts2Port3Path0Target0Lun0[0x8ac5ea38]
17:19:44.656 AVAST engine scan C:\WINDOWS
17:19:55.828 AVAST engine scan C:\WINDOWS\system32
17:21:15.546 AVAST engine scan C:\WINDOWS\system32\drivers
17:21:31.781 AVAST engine scan C:\Documents and Settings\Mark
17:34:26.687 AVAST engine scan C:\Documents and Settings\All Users.WINDOWS
17:35:35.812 Scan finished successfully
17:45:48.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mark\Desktop\MBR.dat"
17:45:48.671 The log file has been saved successfully to "C:\Documents and Settings\Mark\Desktop\aswMBR.txt"

#34 JonTom

JonTom

    Trusted Malware Tech

  • Trusted Malware Techs
  • 2,999 posts
  • Gender:Male
  • Location:UK


Posted 12 September 2011 - 02:18 AM

Hello El Kabong

Let's take a closer look at that file being flagged by aswMBR:


  • SystemLook by JPShortstuff


  • Please download SystemLook by JPShortstuff by clicking here or here and save the file (called SystemLook.exe) to your desktop.
  • Double click SystemLook.exe to run the program.
  • Copy the content of the following codebox into the main textfield:

:filefind
*ntdll.dll*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt

You mentioned that you are still having difficulty running some programs:

I still can't run more of my programs/software - the exe icons in the start menu are still 'altered'

Please let me know which programs are altered and exactly what happens when you try to run them.


#35 El Kabong

El Kabong

    Member

  • Members
  • 26 posts

Posted 12 September 2011 - 04:28 AM

Hi JonTom.

A variety of program icons are altered and will do different things.

For example:
Trying to run System Restore will result in a rstui.exe - bad image error (c:\WINDOWS\system32\DDRAW.dll), but it will still run
Trying to run System Information - Gives me a Help and Support error - Help and Support not running
Internet Explorer - Bad Image Error, but opens to homepage, but certain pages seem to be blocked (i.e. trying to navigate to Hotmail results in - Security Alert - you are about to view pages over a secure network, etc. and then Cannot view this Page)
Trying to run Pinball (system game) - A black cmd box appears for a couple of seconds then disappears and... nothing
Most other programs - Nothing happens at all

Google Earth
Quicktime
ALL MS Office tools
All installed game software
more..


SYSTEMLOOK LOG:

SystemLook 30.07.11 by jpshortstuff
Log created at 05:03 on 12/09/2011 by Mark
Administrator - Elevation successful

========== filefind ==========

Searching for "*ntdll.dll*"
C:\cmdcons\SYSTEM32\NTDLL.DLL --a---- 708096 bytes [04:56 04/08/2004] [04:56 04/08/2004] BB5CBFFC096497506167BCE1D9690EF2
C:\WINDOWS\$hf_mig$\KB2393802\SP3QFE\ntdll.dll --a---- 718336 bytes [05:34 09/02/2011] [15:15 09/12/2010] 15CE4DBC22FAB90B3CA5352AF1FFF81C
C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\ntdll.dll --a---- 715264 bytes [22:11 12/06/2009] [10:01 09/02/2009] 2F868BFFBF50524653D7FE0D99AFB064
C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\ntdll.dll --a---- 714752 bytes [22:11 12/06/2009] [12:10 09/02/2009] 911DDF2E16761643A47225F654D811E5
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\ntdll.dll --a---- 715264 bytes [22:11 12/06/2009] [10:56 09/02/2009] B0913005EE3FC15D7F72472D0B8A30EB
C:\WINDOWS\$NtServicePackUninstall$\ntdll.dll -----c- 714752 bytes [01:32 04/06/2010] [10:20 09/02/2009] C06986B55981B355090DD34DE809E4BB
C:\WINDOWS\$NtUninstallKB2393802$\ntdll.dll -----c- 714752 bytes [08:00 09/02/2011] [12:10 09/02/2009] 911DDF2E16761643A47225F654D811E5
C:\WINDOWS\$NtUninstallKB956572$\ntdll.dll -----c- 706048 bytes [01:38 04/06/2010] [00:11 14/04/2008] 27D9ED8CB8B62D1E0A8E5ACE6CF52E2F
C:\WINDOWS\$NtUninstallKB956572_0$\ntdll.dll -----c- 708096 bytes [02:47 13/06/2009] [14:02 12/08/2004] BB5CBFFC096497506167BCE1D9690EF2
C:\WINDOWS\ServicePackFiles\i386\ntdll.dll ------- 706048 bytes [00:11 14/04/2008] [00:11 14/04/2008] 27D9ED8CB8B62D1E0A8E5ACE6CF52E2F
C:\WINDOWS\system32\ntdll.dll --a---- 718336 bytes [14:02 12/08/2004] [15:15 09/12/2010] F8F0D25CA553E39DDE485D8FC7FCCE89
C:\WINDOWS\system32\dllcache\ntdll.dll -----c- 718336 bytes [22:11 12/06/2009] [15:15 09/12/2010] F8F0D25CA553E39DDE485D8FC7FCCE89

-= EOF =-
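
As an added example (not code from the thread, from SystemLook or from its author), the following Python parses SystemLook ":filefind" output in the format shown above and compares each live system32 file's MD5 with its dllcache copy, the consistency check a helper makes when reading such a log. The ntdll.dll lines mirror the log above; sample.dll, its sizes and its hashes are constructed.

```python
import re

# Constructed sample in SystemLook ":filefind" output format (path, attribute
# flags, size, [modified], [created], MD5). The ntdll.dll lines mirror the
# thread's log; sample.dll is made up, with fake hashes, to show a mismatch.
SAMPLE_LOG = """\
Searching for "*.dll*"
C:\\WINDOWS\\ServicePackFiles\\i386\\ntdll.dll ------- 706048 bytes [00:11 14/04/2008] [00:11 14/04/2008] 27D9ED8CB8B62D1E0A8E5ACE6CF52E2F
C:\\WINDOWS\\system32\\ntdll.dll --a---- 718336 bytes [14:02 12/08/2004] [15:15 09/12/2010] F8F0D25CA553E39DDE485D8FC7FCCE89
C:\\WINDOWS\\system32\\dllcache\\ntdll.dll -----c- 718336 bytes [22:11 12/06/2009] [15:15 09/12/2010] F8F0D25CA553E39DDE485D8FC7FCCE89
C:\\WINDOWS\\system32\\sample.dll --a---- 4096 bytes [10:00 01/09/2011] [10:00 01/09/2011] DEADBEEFDEADBEEFDEADBEEFDEADBEEF
C:\\WINDOWS\\system32\\dllcache\\sample.dll -----c- 4000 bytes [10:00 01/09/2011] [10:00 01/09/2011] CAFEBABECAFEBABECAFEBABECAFEBABE
-= EOF =-
"""

# One file line; the path may contain spaces, so it is matched lazily and
# anchored by the 7-character attribute field that follows it.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-F]{32})$"
)

def parse_filefind(text):
    """Return one dict per file line; headers, blanks and EOF are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries

def check_against_dllcache(entries):
    """Map each live system32\\<name> to "match", "mismatch" or "no cache copy"
    by comparing its MD5 with system32\\dllcache\\<name>, the copy Windows
    File Protection keeps on XP; a differing hash deserves a closer look."""
    live, cache = {}, {}
    for e in entries:
        path = e["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if path.endswith("\\system32\\dllcache\\" + name):
            cache[name] = e["md5"]
        elif path.endswith("\\system32\\" + name):
            live[name] = e["md5"]
    return {name: ("no cache copy" if name not in cache
                   else "match" if cache[name] == md5 else "mismatch")
            for name, md5 in live.items()}
```

A "match" only says the live file and its cache copy agree with each other; a hotfix can legitimately change both, and a patched file could in principle be copied into dllcache too, so the hash is still best checked against a known-good reference for that version.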

#36 JonTom

JonTom

    Trusted Malware Tech

  • Trusted Malware Techs
  • 2,999 posts
  • Gender:Male
  • Location:UK


Posted 12 September 2011 - 04:47 PM

Hello El Kabong

I have been in touch with a number of malware experts about your machine and the problems it has.

The file being flagged by aswMBR appears to be legitimate.

I hate to say it, but I feel we may be fighting a losing battle here :( This machine was heavily infected when you ran ComboFix the first time. Several system files were patched by malware, and after replacing them with clean copies your issues persist.


The Cryptography service on your machine is not working correctly and I am unable to pin down exactly why your installed programs are unable to launch. Use of both SREng and Junction failed to provide a solution.


Considering the numerous problems that this machine has I believe the best way forward at this point would be to back up all of your important data and then try the following.

First, uninstall XP SP3 and then try a re-install using the instructions provided here (download the .iso file and make it into a disk): http://www.microsoft...s.aspx?id=25129

If you have problems uninstalling SP3 there is additional information provided here: http://support.microsoft.com/kb/950249


If this approach does not relieve the symptoms, I would then suggest a repair install (which will not remove any of your data).

If the repair install does not help then the best course of action would be (in my opinion) to perform a reformat and reinstallation of your Windows operating system.

I realise that this is not what you would like to hear, but considering the present state of the machine the above approaches are the best ones to take at this time.

#37 El Kabong

El Kabong

    Member

  • Members
  • 26 posts

Posted 12 September 2011 - 06:13 PM

Hi JonTom. Well, that's not good news, but I thank you for the effort! Would a System Restore do any good? I mean, right now is my PC 'clean', or can you even tell? I've seen a number of XP exe file association 'fixers'... Any use in trying one of those?

#38 JonTom

JonTom

    Trusted Malware Tech

  • Trusted Malware Techs
  • 2,999 posts
  • Gender:Male
  • Location:UK


Posted 13 September 2011 - 01:39 AM

Hello El Kabong

I mean, right now is my PC 'clean', or can you even tell?

Even though we have dealt with everything that the online scan has detected, bad image error messages can sometimes be related to malware. A system restore is worth a try - give it a go and see what happens.

I've seen a number of XP exe file association 'fixers'... Any use in trying one of those?

SREng is designed to fix file association problems. I provided you with instructions to use it. If you ran it and the problems were not fixed then it is unlikely that the problems with opening your software are related to broken file associations. You could always try re-installing the software concerned but I am not convinced that this would solve the bad image error messages that you are receiving.

#39 El Kabong

El Kabong

    Member

  • Members
  • 26 posts

Posted 15 September 2011 - 05:29 PM

Thanks for everything JonTom. Tried a System Restore, but System Restore doesn't work. Couldn't fix SP3... So it's onto an attempted System Repair, and then I suspect the dreaded Format and start from scratch! Thanks again Elk

#40 JonTom

JonTom

    Trusted Malware Tech

  • Trusted Malware Techs
  • 2,999 posts
  • Gender:Male
  • Location:UK


Posted 16 September 2011 - 02:08 AM

Hello El Kabong

Do back up all of your important stuff before going for the repair install or R+R.

Let me know how you get on (and Good Luck) :)

JonTom