Europol virus - Hitman Pro kickstart

debdon

New Member
Thread author
Verified
Apr 23, 2013
16
Hi, please help
I have followed Stelian Pellice's advice on the MalwareTips.com forum and downloaded Hitman Pro Kickstart. Pressing F12 enables me to boot via USB, but I cannot actually boot up. The screen shows 3 options; the default, option 1, is "Bypass Master Boot Record", but the Enter key does not work. No keys work, so I cannot progress.
I'd be very grateful for any advice.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips!

Please print these instructions out so that you know what you are doing.
  • Download OTLPE to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note : as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
 

debdon

New Member
Thread author
Verified
Apr 23, 2013
16
Thanks Fiery
FRST.txt file copied below

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-04-2013
Ran by SYSTEM on 25-04-2013 10:25:41
Running from D:\
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet003

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent [x]
HKLM\...\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe" [32768 2005-07-25] ()
HKLM\...\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe [77824 2006-03-23] (Intel Corporation)
HKLM\...\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe [118784 2006-03-23] (Intel Corporation)
HKLM\...\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE [112216 2006-11-30] (McAfee, Inc.)
HKLM\...\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey [136768 2006-11-17] (McAfee, Inc.)
HKLM\...\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [1836328 2007-09-20] (Nero AG)
HKLM\...\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide [866584 2006-11-03] (Microsoft Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-01-11] (Adobe Systems Incorporated)
HKLM\...\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent [2060288 2008-03-13] (Vodafone)
HKLM\...\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [185896 2006-09-28] (Nuance Communications, Inc.)
HKLM\...\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [75304 2006-10-11] (ScanSoft, Inc.)
HKLM\...\Run: [KASHPNC99987954614232346] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [409600 2012-03-21] (Kaseya International Limited)
HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1468256 2009-11-05] (Microsoft Corporation)
HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2516296 2010-03-24] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon [1185112 2010-04-02] (CANON INC.)
HKLM\...\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [140640 2010-03-02] (CANON INC.)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2011-11-12] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [syshost32] C:\WINDOWS\Installer\{165BD854-2BF1-B6A8-2B1D-EE950AA8DFF3}\syshost.exe [149504 2013-03-29] ()
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\host32.exe, [x]
HKLM\...\Winlogon: [System]
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
HKU\Admin\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [x]
HKU\Administrator\...\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" [x]
HKU\administrator.WATERMANASPEN\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [x]
HKU\chamilton\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [x]
HKU\chamilton\...\Run: [\\WARRINGTONPC.watermanaspen.co.uk\EPSON Stylus DX9400F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFE.EXE /FU "C:\DOCUME~1\CHAMIL~1\LOCALS~1\Temp\E_S88.tmp" /EF "HKCU" [ 2008-11-03] ()
HKU\ddavidson\...\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler [ 2007-03-29] (Macrovision Corporation)
HKU\ddavidson\...\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe" autostart [x]
HKU\Default User\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [x]
HKU\Default User\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ 2004-10-13] (Microsoft Corporation)
HKU\Default User\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Default User\...\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe" [x]
HKU\dmatheson\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [x]
HKU\dmatheson\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ 2004-10-13] (Microsoft Corporation)
HKU\dmatheson\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Donnie\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [x]
HKU\Donnie\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [ 2004-10-13] (Microsoft Corporation)
HKU\Donnie\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Donnie\...\Run: [{2A2DB62D-8D02-BE06-7552-60540CE0DA6B}] C:\Documents and Settings\Donnie\Application Data\Sun\Java\Deployment\SystemCache\6.0\60\debug.exe [ 2004-08-04] ()
HKU\Donnie\...\Run: [Yahoo] RunDLL32.exe "C:\Documents and Settings\Donnie\Local Settings\Application Data\Yahoo\nlqvmaix.dll",MapLDAPTypeToADSType [x]
HKU\Donnie\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Donnie\Application Data\skype.dat [x]
HKU\kefag\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [x]
HKU\sparelaptop\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [x]
HKU\sparelaptop\...\Run: [\\warringtonpc\EPSON Stylus DX9400F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFE.EXE /FU "C:\DOCUME~1\SPAREL~1\LOCALS~1\Temp\E_S70.tmp" /EF "HKCU" [ 2008-12-05] ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\ddavidson\Start Menu\Programs\Startup\Connection to Waterman HQ.lnk
ShortcutTarget: Connection to Waterman HQ.lnk -> C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe (SonicWALL, Inc.)
Startup: C:\Documents and Settings\ddavidson\Start Menu\Programs\Startup\Microsoft Office Outlook.lnk
ShortcutTarget: Microsoft Office Outlook.lnk -> C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\Donnie\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> B:\Documents and Settings\Default User\Application Data\Dropbox\bin\Dropbox.exe (No File)
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

========================== Services (Whitelisted) =================

S2 gtdetectsc; C:\WINDOWS\system32\gtdetectsc.exe [122880 2006-09-28] (OptionNV)
S2 KAPNC99987954614232346; C:\Program Files\Kaseya\Agent\AgentMon.exe [847872 2012-06-07] (Kaseya International Limited)
S2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [104000 2006-11-17] (McAfee, Inc.)
S2 McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [144960 2006-11-30] (McAfee, Inc.)
S2 McTaskManager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [54872 2006-11-30] (McAfee, Inc.)
S2 PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [66872 2008-07-27] ()
S2 PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [103736 2008-07-27] ()
S3 RampartSvc; C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe [131072 2004-10-15] (SonicWALL, Inc.)
S2 VMCService; C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [24576 2008-03-13] (Vodafone)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [13592 2006-11-03] (Microsoft Corporation)
S2 WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [438272 2008-04-30] (RealVNC Ltd.)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

S3 BVRPMPR5; C:\WINDOWS\system32\drivers\BVRPMPR5.SYS [49904 2007-06-15] (Avanquest Software)
S3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [147236 2004-05-14] (Deterministic Networks, Inc.)
S0 e48c6df33eed4299; C:\Windows\System32\Drivers\e48c6df33eed4299.sys [61312 2013-03-29] ()
S3 EMSCR; C:\Windows\System32\DRIVERS\EMS7SK.sys [61568 2006-07-13] (ENE Technology Inc.)
S3 ESDCR; C:\Windows\System32\DRIVERS\ESD7SK.sys [40064 2006-07-13] (ENE Technology Inc.)
S3 FETNDIS; C:\Windows\System32\DRIVERS\fetnd5.sys [27165 2001-08-17] (VIA Technologies, Inc. )
S3 G3GRUMDM; C:\Windows\System32\DRIVERS\g3grumdm.sys [27648 2005-06-10] (Option N.V.)
S3 G3GRUSER; C:\Windows\System32\DRIVERS\g3gruser.sys [24064 2005-06-10] (Option N.V.)
S3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [138752 2005-01-07] (Windows (R) Server 2003 DDK provider)
S1 Hotkey; C:\Windows\System32\Drivers\Hotkey.sys [9867 2003-04-28] ()
S3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1166972 2006-03-23] (Intel Corporation)
S3 KAPFA; C:\WINDOWS\system32\drivers\KAPFA.SYS [17920 2011-06-23] (Kaseya)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [64360 2006-11-30] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [72264 2006-11-30] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [34152 2006-11-30] (McAfee, Inc.)
S3 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [168776 2006-11-30] (McAfee, Inc.)
S1 mferkdk; C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys [31944 2006-11-30] (McAfee, Inc.)
S1 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [52136 2006-11-30] (McAfee, Inc.)
S3 n558; C:\Windows\System32\Drivers\n558.sys [9600 2007-08-15] ()
S3 NETw3x32; C:\Windows\System32\DRIVERS\NETw3x32.sys [1709696 2006-09-26] (Intel® Corporation)
S3 odysseyIM4; C:\Windows\System32\DRIVERS\odysseyIM4.sys [173056 2005-06-10] (Funk Software, Inc.)
S1 RCFOX; C:\WINDOWS\system32\Drivers\RCFOX.sys [91136 2004-10-15] (SonicWALL, Inc.)
S3 rcvpn; C:\Windows\System32\DRIVERS\rcvpn.sys [23180 2003-08-20] (SonicWALL, Inc.)
S3 S3SavageNB; C:\Windows\System32\DRIVERS\s3gnbm.sys [166912 2004-08-03] (S3 Graphics, Inc.)
S3 swivsp; C:\Windows\System32\DRIVERS\swivspnt.sys [20352 2007-03-23] (Sierra Wireless Inc.)
S3 SWNC8U00; C:\Windows\System32\DRIVERS\SWNC8U00.sys [102144 2007-03-23] (Sierra Wireless Inc.)
S3 SWUMX00; C:\Windows\System32\DRIVERS\swumx00.sys [70656 2007-03-23] (Sierra Wireless Inc.)
S3 yukonwxp; C:\Windows\System32\DRIVERS\yk51x86.sys [248832 2006-08-07] (Marvell)
S4 Abiosdsk; No ImagePath
S4 Atdisk; No ImagePath
S1 Changer; No ImagePath
S1 lbrtfdc; No ImagePath
S1 mailKmd; No ImagePath
S1 PCIDump; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S4 Simbad; No ImagePath
S1 Wbutton; \SystemRoot\system32\drivers\Wbutton.sys [x]
S3 WDICA; No ImagePath

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-04-25 10:25 - 2013-04-25 10:25 - 00000000 ____D C:\FRST
2013-03-29 09:38 - 2013-04-15 05:52 - 00000004 ____A C:\Documents and Settings\Donnie\Application Data\skype.ini
2013-03-29 09:38 - 2013-03-29 09:38 - 00061312 ____A C:\Windows\System32\Drivers\e48c6df33eed4299.sys
2013-03-29 09:37 - 2013-03-29 09:37 - 00142336 ____A (TechDays Inc.) C:\Documents and Settings\Donnie\vhjaopmspkeasxcxioaj.exe

==================== One Month Modified Files and Folders ========

2013-04-25 10:25 - 2013-04-25 10:25 - 00000000 ____D C:\FRST
2013-04-25 04:16 - 2011-11-28 11:22 - 00000430 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{C4D5A3FC-B6FC-4B94-B53B-35B717517C29}.job
2013-04-25 04:16 - 2008-08-23 17:12 - 00000050 ____A C:\Windows\wiaservc.log
2013-04-25 04:16 - 2006-01-30 15:21 - 00032476 ____A C:\Windows\SchedLgU.Txt
2013-04-25 04:16 - 2006-01-30 15:21 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-04-25 04:16 - 2006-01-30 15:14 - 01705821 ____A C:\Windows\WindowsUpdate.log
2013-04-25 04:16 - 2006-01-30 15:10 - 00000216 ____A C:\Windows\wiadebug.log
2013-04-25 04:15 - 2008-05-31 16:49 - 00000430 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{3249C59C-3609-49AD-9D5C-528AAF764D3A}.job
2013-04-25 04:09 - 2008-04-30 10:52 - 00000000 ____D C:\panacea
2013-04-25 04:07 - 2006-01-30 15:07 - 00581894 ____A C:\Windows\System32\PerfStringBackup.INI
2013-04-25 04:06 - 2008-05-01 09:37 - 00000330 ___AH C:\Windows\Tasks\MP Scheduled Scan.job
2013-04-25 04:04 - 2010-02-07 11:52 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-04-25 04:03 - 2006-01-30 15:21 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-04-25 04:03 - 2006-01-30 15:21 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-04-25 04:03 - 2006-01-30 13:59 - 00001158 ____A C:\Windows\System32\wpa.dbl
2013-04-23 08:04 - 2011-12-16 05:12 - 00000178 __ASH C:\Documents and Settings\Donnie\ntuser.ini
2013-04-23 08:04 - 2011-12-16 05:12 - 00000062 __ASH C:\Documents and Settings\Donnie\Local Settings\desktop.ini
2013-04-15 05:52 - 2013-03-29 09:38 - 00000004 ____A C:\Documents and Settings\Donnie\Application Data\skype.ini
2013-04-15 05:50 - 2012-11-22 12:41 - 00000000 ___RD C:\Documents and Settings\Donnie\My Documents\Dropbox
2013-04-15 05:50 - 2012-11-22 12:39 - 00000000 ____D C:\Documents and Settings\Donnie\Application Data\Dropbox
2013-04-15 05:49 - 2010-02-07 11:52 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-04-02 11:46 - 2008-04-29 09:59 - 00000000 __SHD C:\Windows\CSC
2013-03-29 09:38 - 2013-03-29 09:38 - 00061312 ____A C:\Windows\System32\Drivers\e48c6df33eed4299.sys
2013-03-29 09:37 - 2013-03-29 09:37 - 00142336 ____A (TechDays Inc.) C:\Documents and Settings\Donnie\vhjaopmspkeasxcxioaj.exe
2013-03-29 09:28 - 2012-02-20 06:50 - 00002473 ____A C:\Documents and Settings\Donnie\Desktop\Microsoft Office Excel 2007.lnk

==================== Known DLLs (ALL) =========================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2006-01-30 13:59] - [2007-06-13 06:23] - 1033216 ____A (Microsoft Corporation) 97bd6515465659ff8f3b7be375b2ea87

C:\Windows\System32\winlogon.exe
[2006-01-30 13:59] - [2004-08-04 08:00] - 0502272 ____A (Microsoft Corporation) 01c3346c241652f43aed8e2149881bfe

C:\Windows\System32\svchost.exe
[2006-01-30 13:59] - [2004-08-04 08:00] - 0014336 ____A (Microsoft Corporation) 8f078ae4ed187aaabc0a305146de6716

C:\Windows\System32\services.exe
[2006-01-30 13:59] - [2009-02-06 13:14] - 0110592 ____A (Microsoft Corporation) 37561f8d4160d62da86d24ae41fae8de

C:\Windows\System32\User32.dll
[2006-01-30 13:59] - [2007-03-08 11:36] - 0577536 ____A (Microsoft Corporation) b409909f6e2e8a7067076ed748abf1e7

C:\Windows\System32\userinit.exe
[2006-01-30 13:59] - [2004-08-04 08:00] - 0024576 ____A (Microsoft Corporation) 39b1ffb03c2296323832acbae50d2aff

C:\Windows\System32\Drivers\volsnap.sys
[2006-01-30 13:59] - [2004-08-04 08:00] - 0052352 ____A (Microsoft Corporation) ee4660083deba849ff6c485d944b379b


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2013-04-23 08:22 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1144

RP: -> 2013-04-15 03:46 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1143

RP: -> 2013-03-29 09:38 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1142

RP: -> 2013-03-26 06:57 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1141

RP: -> 2013-03-25 07:18 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1140

RP: -> 2013-03-19 12:45 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1139

RP: -> 2013-03-18 11:37 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1138

RP: -> 2013-03-15 10:23 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1137

RP: -> 2013-03-13 08:39 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1136

RP: -> 2013-03-10 11:13 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1135

RP: -> 2013-03-08 07:42 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1134

RP: -> 2013-03-06 10:07 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1133

RP: -> 2013-03-03 13:24 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1132

RP: -> 2013-02-27 06:27 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1131

RP: -> 2013-02-24 14:37 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1130

RP: -> 2013-02-23 08:45 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1129

RP: -> 2013-02-17 13:36 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1128

RP: -> 2013-02-13 11:48 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1127

RP: -> 2013-02-11 04:34 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1126

RP: -> 2013-02-07 12:25 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1125

RP: -> 2013-02-05 06:12 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1124

RP: -> 2013-01-30 07:27 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1123

RP: -> 2013-01-28 05:03 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1122

RP: -> 2013-01-23 14:57 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1121

RP: -> 2013-01-21 04:28 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1120

RP: -> 2013-01-18 06:01 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1119

RP: -> 2013-01-17 05:09 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1118

RP: -> 2013-01-15 10:10 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1117

RP: -> 2013-01-14 04:28 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1116

RP: -> 2013-01-10 10:53 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1115

RP: -> 2013-01-07 04:40 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1114

RP: -> 2013-01-03 05:16 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1113

RP: -> 2012-12-31 11:34 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1112

RP: -> 2012-12-28 06:19 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1111

RP: -> 2012-12-20 06:16 - 032768 _restore{2FE390B6-FB31-48E2-8D14-5A0FEEDEF327}\RP1110


==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 2550.05 MB
Available physical RAM: 2280.11 MB
Total Pagefile: 2377.75 MB
Available Pagefile: 2315.87 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.54 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: (System) (Fixed) (Total:74.53 GB) (Free:19.37 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (HITMANPRO) (Removable) (Total:1.96 GB) (Free:1.95 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online      75 GB    0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    Primary           75 GB    32 KB
==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1  C    System       NTFS   Partition   75 GB    Healthy
=========================================================
============================== MBR & Partition Table ==================

====================================================================
Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: B3F42574)
Partition 1: (Active) - (Size=75 GB) - (Type=07) (NTFS)

====================================================================
Disk: 1 (Size: 2 GB) (Disk ID: 689C5F5D)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)

==================== End Of Log ============================
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

On another PC, open notepad and copy & paste the following:

HKLM\...\Run: [syshost32] C:\WINDOWS\Installer\{165BD854-2BF1-B6A8-2B1D-EE950AA8DFF3}\syshost.exe [149504 2013-03-29] ()
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\host32.exe, [x]
C:\WINDOWS\Installer\{165BD854-2BF1-B6A8-2B1D-EE950AA8DFF3}\syshost.exe
C:\WINDOWS\host32.exe
HKU\Donnie\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Donnie\Application Data\skype.dat [x]
C:\Documents and Settings\Donnie\Application Data\skype.dat
C:\Windows\System32\Drivers\e48c6df33eed4299.sys
C:\Documents and Settings\Donnie\vhjaopmspkeasxcxioaj.exe
C:\Documents and Settings\Donnie\Application Data\skype.ini

Folder: C:\panacea

and save it as fixlist.txt onto your flash drive.

Then, boot into OTLPE, plug in your flash drive, open FRST and click Fix. Post the generated log.

Attempt to boot normally by pulling the OTLPE disk and resetting the BIOS to boot from the hard drive. If successful:

Download TDSSkiller from here
  • Double-click on TDSSKiller.exe to run the application.
  • When TDSSKiller opens, click Change parameters and check the box next to Loaded modules. A reboot will be required.
  • After the reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  • Click Start scan.
  • If a suspicious object is detected, the default action will be Skip; click on Continue. (If it says TDL4/TDSS file system, select Delete.)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log afterwards (usually in the C:\ folder, in the form TDSSKiller.[Version]_[Date]_[Time]_log.txt).

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt).
 
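As an added example (not code from the thread, from FRST or from its author), here is a small Python triage script that applies the checks Fiery made by eye to the FRST.txt above and renders what it finds in the start/end fixlist.txt layout used later in the thread; the heuristics, the ODD_DIRS list and all function names are assumptions for illustration.

```python
"""FRST log triage: reads 'Registry (Whitelisted)' and 'Drivers (Whitelisted)' lines,
flags extra programs appended to Winlogon Userinit/Shell, autoruns with no publisher
string living in odd directories, and unsigned drivers with random hex names, then
renders the findings in the start/end fixlist.txt layout. Heuristics are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: six lines copied from the FRST.txt posted in this thread so the script
# runs offline. Two are benign Intel entries; four are entries the helper later put in fixlist.txt.
SAMPLE_LOG = r"""
HKLM\...\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe [77824 2006-03-23] (Intel Corporation)
HKLM\...\Run: [syshost32] C:\WINDOWS\Installer\{165BD854-2BF1-B6A8-2B1D-EE950AA8DFF3}\syshost.exe [149504 2013-03-29] ()
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\host32.exe, [x]
HKU\Donnie\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Donnie\Application Data\skype.dat [x]
S0 e48c6df33eed4299; C:\Windows\System32\Drivers\e48c6df33eed4299.sys [61312 2013-03-29] ()
S3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1166972 2006-03-23] (Intel Corporation)
"""

REG_RE = re.compile(r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): "
                    r"\[(?P<name>[^\]]+)\] (?P<value>.*)$")
# Trailer FRST appends to a value: ' [size date] (publisher)', or ' [x]' when the file is missing.
TRAIL_RE = re.compile(r" \[(?:x|\d+ [\d-]+)\](?: \((?P<pub>.*)\))?$")
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|dat))', re.I)
DRV_RE = re.compile(r"^S\d (?P<svc>[^;]+); (?P<path>.+?\.sys) \[\d+ [\d-]+\] \((?P<pub>.*)\)$")
# Directories where an autorun that carries no publisher string deserves a second look (assumption).
ODD_DIRS = ("\\installer\\", "\\application data\\", "\\temp\\")


@dataclass
class Finding:
    line: str                                      # the FRST line that tripped a check
    reason: str                                    # why it was flagged
    fix_lines: list = field(default_factory=list)  # what would go into fixlist.txt


def strip_trailer(value):
    """Split an FRST value into (body, publisher); publisher is None for '[x]' entries."""
    m = TRAIL_RE.search(value)
    return (value[:m.start()], m.group("pub")) if m else (value, None)


def check_registry(line, m):
    key, name = m.group("key"), m.group("name")
    body, pub = strip_trailer(m.group("value"))
    if key == "Winlogon":
        entries = [e.strip() for e in body.split(",") if e.strip()]
        if name == "Userinit":   # only userinit.exe itself belongs here
            extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
        elif name == "Shell":    # only explorer.exe belongs here
            extra = [e for e in entries if e.lower() != "explorer.exe"]
        else:
            return None
        if extra:
            return Finding(line, f"Winlogon {name} also launches: {', '.join(extra)}", [line, *extra])
        return None
    pm = PATH_RE.match(body)   # Run/RunOnce: no publisher and living somewhere an autorun rarely does
    if pm and pub == "" and any(d in pm.group("path").lower() for d in ODD_DIRS):
        return Finding(line, f"{key} entry '{name}' has no publisher and runs from an unusual directory",
                       [line, pm.group("path")])
    return None


def check_driver(line, m):
    svc, path, pub = m.group("svc"), m.group("path"), m.group("pub")
    if pub == "" and re.fullmatch(r"[0-9a-f]{16}", svc):
        return Finding(line, f"driver '{svc}' has a random 16-hex-digit name and no publisher", [path])
    return None


def triage(log_text):
    """Run every check over the log text and return the findings in log order."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines() if raw.strip()):
        m = REG_RE.match(line)
        found = check_registry(line, m) if m else None
        if found is None:
            m = DRV_RE.match(line)
            found = check_driver(line, m) if m else None
        if found:
            findings.append(found)
    return findings


def build_fixlist(findings):
    """Render findings in the start/end fixlist.txt layout used in this thread, without duplicates."""
    out = ["start"]
    for f in findings:
        for item in f.fix_lines:
            if item not in out:
                out.append(item)
    out.append("end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print("FLAG:", f.reason)
    print(build_fixlist(hits))
```

The flags are leads for a human to confirm, not verdicts; a helper still checks each file (publisher, date, location) before it goes into a fix.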

debdon

New Member
Thread author
Verified
Apr 23, 2013
16
Hi

Thanks. I did as instructed, but the virus remains in place when I tried to boot normally after removing the CD.

The fixlog file is copied below

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 24-04-2013
Ran by SYSTEM at 2013-04-25 16:16:49 Run:2
Running from D:\
Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\syshost32 value not found.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit value was restored successfully.
HKEY_USERS\ Donnie\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell value not found.
2009-03-30 11:40 - 2009-03-30 11:40 - 0000246 ____A () C:\panacea\24d68501-fac4-4d0e-8a11-3c50505a0177.xml
2012-03-30 08:45 - 2013-03-18 11:44 - 0000000 ____A () C:\panacea\AVOnaccessscanning.txt
2012-03-30 08:45 - 2013-03-18 11:44 - 0000000 ____A () C:\panacea\AVProductname.txt
2012-03-30 08:45 - 2013-03-18 11:44 - 0000000 ____A () C:\panacea\AVProductstate.txt
2012-03-30 08:45 - 2013-03-18 11:44 - 0000861 ____A () C:\panacea\AVWinXPVista.vbs
2012-02-15 13:11 - 2012-02-15 13:11 - 0000039 ____A () C:\panacea\commandresults.txt
2010-02-20 09:10 - 2010-02-20 09:10 - 0355327 ____A () C:\panacea\counterList.xml
2008-07-28 15:31 - 2008-07-28 15:31 - 0331776 ____A (cURL, http://curl.haxx.se/) C:\panacea\curl-nossl.exe
2012-03-30 08:45 - 2013-03-18 11:44 - 0000011 ____A () C:\panacea\DefStatus.txt
2012-11-27 04:15 - 2013-04-25 04:04 - 0000132 ____A () C:\panacea\DirContents.xml
2009-11-02 15:46 - 2009-11-02 15:46 - 0000246 ____A () C:\panacea\e00b2634-bef9-4c32-b2bf-deaf7d7221e4.xml
2009-02-24 11:04 - 2009-02-24 11:05 - 9005936 ____A (Microsoft Corporation) C:\panacea\ie7-windowsxp-kb958215-x86-enu_b9b6797aaf36fe696fa64bb1225fddd0546d2034.exe
2010-02-20 09:12 - 2013-01-18 06:20 - 0055112 ____A () C:\panacea\kasetup.log
2009-03-30 11:45 - 2009-03-30 11:45 - 0086016 ____A (Kaseya) C:\panacea\KaXpUtil.exe
2008-04-30 10:52 - 2010-02-24 06:59 - 0018247 ____A () C:\panacea\KGetLcns.xml
2008-04-30 10:52 - 2012-11-05 17:43 - 0114688 ____A (Kaseya) C:\panacea\KLicense.exe
2013-01-18 06:22 - 2013-01-18 06:22 - 0626688 ____A (Kaseya International Limited) C:\panacea\KNat.exe
2008-05-18 16:20 - 2012-07-04 04:44 - 0290816 ____A (Kaseya) C:\panacea\kPtchMgt.dll
2008-05-29 10:26 - 2011-02-20 12:11 - 0196608 ____A (Kaseya) C:\panacea\kPtchMgt2.dll
2009-03-30 11:46 - 2009-03-30 11:46 - 0172032 ____A (Kaseya) C:\panacea\KRlyCCon.exe
2008-05-01 09:00 - 2011-12-16 04:35 - 0188416 ____A (Kaseya International Limited) C:\panacea\KRlyCLis.exe
2011-12-16 04:35 - 2012-03-20 05:06 - 0000988 ____A () C:\panacea\KRlyCLis.log
2010-02-20 09:10 - 2010-02-20 09:10 - 0061440 ____A (Kaseya) C:\panacea\KScanCnt.exe
2013-01-18 06:22 - 2013-01-18 06:22 - 1332232 ____A () C:\panacea\kvpn-1.0-install.exe
2012-03-30 08:45 - 2013-03-18 11:44 - 0000492 ____A () C:\panacea\McAfeeDateCheck.vbs
2008-05-18 16:20 - 2012-07-04 04:44 - 4907617 ____A () C:\panacea\mssecure.xml
2008-05-18 16:18 - 2009-07-15 07:08 - 2573062 ____A (Kaseya ) C:\panacea\odt.exe
2012-07-04 04:46 - 2012-07-04 04:46 - 0376493 ____A () C:\panacea\patchscn.xml
2012-03-30 08:45 - 2013-03-18 11:44 - 0000013 ____A () C:\panacea\patterndate.txt
2013-03-27 09:46 - 2013-04-25 04:09 - 0000655 ____A () C:\panacea\ptchscn2.xml
2011-08-18 08:58 - 2011-08-18 08:58 - 0000054 ____A () C:\panacea\restart.cmd
2013-03-27 09:46 - 2013-04-25 04:04 - 0000012 ____A () C:\panacea\results.muc
2008-12-03 07:18 - 2013-04-25 04:09 - 71202818 ____A () C:\panacea\wsusscn2.cab
2009-03-30 11:45 - 2009-03-30 11:45 - 0000211 ____A () C:\panacea\xpUser.xml
2009-07-06 11:35 - 2009-07-06 11:35 - 0233472 ____A (Microsoft Corporation) C:\panacea\odt\convert.exe
2009-07-06 11:35 - 2009-07-06 11:35 - 0106496 ____A (Microsoft Corporation) C:\panacea\odt\inventory.exe
2009-07-14 06:47 - 2009-07-14 06:47 - 2618794 ____A () C:\panacea\odt\kptchdat.xml
2009-07-06 11:35 - 2009-07-06 11:35 - 0247088 ____A (Microsoft Corporation) C:\panacea\odt\oudetect.dll
2009-07-09 13:30 - 2009-07-09 13:30 - 12603496 ____A () C:\panacea\odt\patchdata.xml
2012-07-04 04:43 - 2012-07-04 04:44 - 0043955 ____A () C:\panacea\odt\results\DDAVIDSONLT.log
2009-07-09 13:31 - 2009-07-09 13:31 - 0000075 ____A () C:\panacea\odt\cifs\puids.cif
2009-07-09 13:31 - 2009-07-09 13:31 - 9312256 ____A () C:\panacea\odt\cifs\puids.dat
2009-05-27 05:16 - 2009-05-27 05:16 - 0000024 ____A () C:\panacea\KMonitorSets\kms$2-1230-0.dat
2009-05-27 05:16 - 2009-05-27 05:16 - 0000024 ____A () C:\panacea\KMonitorSets\kms$2-1232-0.dat
2009-05-27 05:16 - 2009-05-27 05:16 - 0000024 ____A () C:\panacea\KMonitorSets\kms$2-1737-0.dat
2009-02-24 10:50 - 2010-02-20 09:12 - 0000149 ____A () C:\panacea\KMonitorSets\readme.txt
2009-02-24 10:50 - 2010-02-20 09:12 - 0000149 ____A () C:\panacea\KLogs\readme.txt
2008-05-29 10:53 - 2012-03-29 12:15 - 0002602 ____A () C:\panacea\kLogConfig\alertSet.xml
2012-03-30 02:50 - 2013-04-25 04:09 - 0000015 ____A () C:\panacea\kLogConfig\ap796450521.dat
2008-07-26 16:48 - 2013-04-25 04:09 - 0000015 ____A () C:\panacea\kLogConfig\ar796450521.dat

====== End of Folder: ======

==== End of Fixlog ====
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi debdon,

Unfortunately, you did not copy the entire fix.

Open notepad and copy & paste the following:


HKLM\...\Run: [syshost32] C:\WINDOWS\Installer\{165BD854-2BF1-B6A8-2B1D-EE950AA8DFF3}\syshost.exe [149504 2013-03-29] ()
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\host32.exe, [x]
C:\WINDOWS\Installer\{165BD854-2BF1-B6A8-2B1D-EE950AA8DFF3}\syshost.exe
C:\WINDOWS\host32.exe
HKU\Donnie\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Donnie\Application Data\skype.dat [x]
C:\Documents and Settings\Donnie\Application Data\skype.dat
C:\Windows\System32\Drivers\e48c6df33eed4299.sys
C:\Documents and Settings\Donnie\vhjaopmspkeasxcxioaj.exe
C:\Documents and Settings\Donnie\Application Data\skype.ini

and save it as fixlist.txt onto your flash drive.

Then, boot into OTLPE, plug in your flash drive, open FRST and click Fix. Post the generated log.
 

debdon

New Member
Thread author
Verified
Apr 23, 2013
16
Hi Fiery

Sorry if I messed up. I copied and pasted the above and checked that it was exactly what was in the fixlist.txt file.

The fixlog.txt file is as follows:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 24-04-2013
Ran by SYSTEM at 2013-04-25 17:50:17 Run:3
Running from D:\
Boot Mode: Recovery

==============================================

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\syshost32 value not found.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit value was restored successfully.
HKEY_USERS\ Donnie\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell value not found.

==== End of Fixlog ====
 

Fiery

Level 1
Jan 11, 2011
2,007
Hmm, it seems like the files are not being copied. Copy everything in the quote box below:

start
2013-03-29 09:38 - 2013-04-15 05:52 - 00000004 ____A C:\Documents and Settings\Donnie\Application Data\skype.ini
2013-03-29 09:38 - 2013-03-29 09:38 - 00061312 ____A C:\Windows\System32\Drivers\e48c6df33eed4299.sys
2013-03-29 09:37 - 2013-03-29 09:37 - 00142336 ____A (TechDays Inc.) C:\Documents and Settings\Donnie\vhjaopmspkeasxcxioaj.exe
C:\Documents and Settings\Donnie\Application Data\skype.dat
C:\WINDOWS\Installer\{165BD854-2BF1-B6A8-2B1D-EE950AA8DFF3}\syshost.exe
C:\WINDOWS\host32.exe
end
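A reconciliation check, added here as an example and not part of the thread or of FRST itself, that reads a fixlist and the fixlog it produced and reports which fixlist entries got no result line at all. The matching rules (registry entries by key tail and value name, file entries by path substring) are my own heuristic for the log shape quoted in this thread, not an FRST specification; it covers both Fiery's first fixlist with its Run:3 fixlog and this start/end-wrapped list run against a fixlog that contains no result lines.

```python
import re
from dataclasses import dataclass

# Constructed samples, copied from the thread: the first fixlist Fiery posted
# and the Run:3 fixlog that came back.
FIXLIST_RUN3 = r"""
HKLM\...\Run: [syshost32] C:\WINDOWS\Installer\{165BD854-2BF1-B6A8-2B1D-EE950AA8DFF3}\syshost.exe [149504 2013-03-29] ()
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\host32.exe, [x]
C:\WINDOWS\Installer\{165BD854-2BF1-B6A8-2B1D-EE950AA8DFF3}\syshost.exe
C:\WINDOWS\host32.exe
HKU\Donnie\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Donnie\Application Data\skype.dat [x]
C:\Documents and Settings\Donnie\Application Data\skype.dat
C:\Windows\System32\Drivers\e48c6df33eed4299.sys
C:\Documents and Settings\Donnie\vhjaopmspkeasxcxioaj.exe
C:\Documents and Settings\Donnie\Application Data\skype.ini
"""

FIXLOG_RUN3 = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\syshost32 value not found.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit value was restored successfully.
HKEY_USERS\ Donnie\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell value not found.
"""

# The second, start/end-wrapped fixlist, paired with a fixlog that has no
# result lines at all (constructed to mirror an empty fix run).
FIXLIST_RUN4 = r"""
start
2013-03-29 09:38 - 2013-04-15 05:52 - 00000004 ____A C:\Documents and Settings\Donnie\Application Data\skype.ini
2013-03-29 09:38 - 2013-03-29 09:38 - 00061312 ____A C:\Windows\System32\Drivers\e48c6df33eed4299.sys
2013-03-29 09:37 - 2013-03-29 09:37 - 00142336 ____A (TechDays Inc.) C:\Documents and Settings\Donnie\vhjaopmspkeasxcxioaj.exe
C:\Documents and Settings\Donnie\Application Data\skype.dat
C:\WINDOWS\Installer\{165BD854-2BF1-B6A8-2B1D-EE950AA8DFF3}\syshost.exe
C:\WINDOWS\host32.exe
end
"""
FIXLOG_RUN4 = ""


@dataclass(frozen=True)
class Entry:
    kind: str      # "registry" or "file"
    key_tail: str  # last key component for registry entries, "" for files
    name: str      # value name for registry entries, full path for files


# "HKLM\...\Run: [syshost32] <data>"  ->  hive, key tail, value name
REG_RE = re.compile(r"^(HK\w+)\\(?:.*\\)?(\w+): \[([^\]]+)\]")
# FRST listing line: "<created> - <modified> - <size> <attrs> [(Company)] <path>"
LISTING_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d{8} \S+ (?:\([^)]*\) )?(.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Fixlog registry result: "<key>\\<value> value <outcome>."
LOG_VALUE_RE = re.compile(r"^(.*?)\\\\(\S+) value (.+)\.$")


def parse_fixlist(text):
    """Turn fixlist lines into Entry objects; start/end markers are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower() in ("start", "end"):
            continue
        m = REG_RE.match(line)
        if m:
            entries.append(Entry("registry", m.group(2), m.group(3)))
            continue
        m = LISTING_RE.match(line)
        if m:
            entries.append(Entry("file", "", m.group(1).strip()))
            continue
        if PATH_RE.match(line):
            entries.append(Entry("file", "", line))
    return entries


def parse_fixlog(text):
    """Index registry outcomes by (key tail, value name); keep raw lines for path matching."""
    reg, raw_lines = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = LOG_VALUE_RE.match(line)
        if m:
            key_tail = m.group(1).rstrip("\\").split("\\")[-1]
            reg[(key_tail.lower(), m.group(2).lower())] = m.group(3)
        raw_lines.append(line.lower())
    return reg, raw_lines


def reconcile(fixlist_text, fixlog_text):
    """Report which fixlist entries have a matching fixlog line and which are silent."""
    reg, raw_lines = parse_fixlog(fixlog_text)
    report = {"accounted": [], "unaccounted": []}
    for e in parse_fixlist(fixlist_text):
        if e.kind == "registry":
            outcome = reg.get((e.key_tail.lower(), e.name.lower()))
            if outcome is not None:
                report["accounted"].append((e, outcome))
                continue
        elif any(e.name.lower() in line for line in raw_lines):
            report["accounted"].append((e, "mentioned in fixlog"))
            continue
        report["unaccounted"].append(e)
    return report


if __name__ == "__main__":
    for label, fl, log in (("Run:3", FIXLIST_RUN3, FIXLOG_RUN3), ("Run:4", FIXLIST_RUN4, FIXLOG_RUN4)):
        r = reconcile(fl, log)
        print(f"{label}: {len(r['accounted'])} accounted, {len(r['unaccounted'])} silent")
        for e in r["unaccounted"]:
            print("  no result line for:", e.name)
```

Running it shows the pattern Fiery spotted: the Run:3 log accounts for the three registry values but none of the six file paths, and the Run:4 log accounts for nothing.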
 

debdon

New Member
Thread author
Verified
Apr 23, 2013
16
Looks to be even less successful this time; fixlog.txt file copied below.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 24-04-2013
Ran by SYSTEM at 2013-04-25 18:16:26 Run:4
Running from D:\
Boot Mode: Recovery

==============================================


==== End of Fixlog ====
 

Fiery

Level 1
Jan 11, 2011
2,007
Strange... OK, we will make use of another tool to remove the files. The bad files are identified; it's just a matter of removing them. Boot into OTLPE.

While in OTLPE, double click the OTLPE icon.

  • Select the Windows folder of the infected drive if it asks for a location.
  • When asked Do you wish to load the remote registry, select Yes.
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes.
  • Ensure the box Automatically Load All Remaining Users is checked and press OK.
  • OTL should now start
  • Check the boxes beside LOP Check and Purity Check
  • Press the Run Scan button
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to a USB drive if you do not have internet connection on the system.
  • Please attach the content of OTL.txt in your next reply.
 

debdon

New Member
Thread author
Verified
Apr 23, 2013
16
OTL.txt file copied below

OTL logfile created on: 4/25/2013 6:27:12 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 19.40 Gb Free Space | 26.03% Space Free | Partition Type: NTFS
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet003

========== Win32 Services (SafeList) ==========

SRV - [2012/06/07 07:15:28 | 000,847,872 | ---- | M] (Kaseya International Limited) [Auto] -- C:\Program Files\Kaseya\Agent\AgentMon.exe -- (KAPNC99987954614232346)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/04/30 06:39:03 | 000,438,272 | ---- | M] (RealVNC Ltd.) [Auto] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV - [2008/03/13 14:08:58 | 000,024,576 | ---- | M] (Vodafone) [Auto] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)
SRV - [2006/11/30 03:50:00 | 000,144,960 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2006/11/30 03:50:00 | 000,054,872 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2006/11/17 08:37:44 | 000,104,000 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2006/11/03 14:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/09/28 10:14:04 | 000,122,880 | ---- | M] (OptionNV) [Auto] -- C:\WINDOWS\system32\Gtdetectsc.exe -- (gtdetectsc)
SRV - [2004/10/15 05:12:38 | 000,131,072 | ---- | M] (SonicWALL, Inc.) [On_Demand] -- C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe -- (RampartSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | System] -- -- (Wbutton)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (mailKmd)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2013/03/29 09:38:12 | 000,061,312 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\System32\Drivers\e48c6df33eed4299.sys -- (e48c6df33eed4299)
DRV - [2011/06/23 07:09:02 | 000,017,920 | ---- | M] (Kaseya) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\KaPFA.sys -- (KAPFA)
DRV - [2007/11/05 06:56:58 | 000,101,120 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007/08/15 02:27:18 | 000,009,600 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\n558.sys -- (n558)
DRV - [2007/06/15 13:25:46 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2007/03/23 12:31:40 | 000,070,656 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\swumx00.sys -- (SWUMX00) Sierra Wireless USB MUX Driver (UMTS00)
DRV - [2007/03/23 12:31:30 | 000,102,144 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\swnc8u00.sys -- (SWNC8U00) Sierra Wireless MUX NDIS Driver (UMTS00)
DRV - [2007/03/23 12:31:20 | 000,020,352 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\swivspnt.sys -- (swivsp)
DRV - [2006/11/30 03:50:00 | 000,168,776 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2006/11/30 03:50:00 | 000,072,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2006/11/30 03:50:00 | 000,064,360 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2006/11/30 03:50:00 | 000,052,136 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2006/11/30 03:50:00 | 000,034,152 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2006/11/30 03:50:00 | 000,031,944 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2006/09/22 08:14:10 | 004,381,696 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/08/07 01:56:00 | 000,248,832 | ---- | M] (Marvell) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2006/07/13 03:33:14 | 000,040,064 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ESD7SK.sys -- (ESDCR)
DRV - [2006/07/13 03:33:06 | 000,061,568 | ---- | M] (ENE Technology Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\EMS7SK.sys -- (EMSCR)
DRV - [2006/01/20 05:44:42 | 000,862,340 | ---- | M] (Motorola Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2005/06/10 05:52:54 | 000,024,064 | ---- | M] (Option N.V.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\g3gruser.sys -- (G3GRUSER)
DRV - [2005/06/10 05:52:48 | 000,027,648 | ---- | M] (Option N.V.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\g3grumdm.sys -- (G3GRUMDM)
DRV - [2005/06/10 01:55:28 | 000,173,056 | ---- | M] (Funk Software, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\odysseyIM4.sys -- (odysseyIM4)
DRV - [2004/10/15 05:46:12 | 000,091,136 | ---- | M] (SonicWALL, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\RCFOX.SYS -- (RCFOX)
DRV - [2004/08/03 18:29:52 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3SavageNB)
DRV - [2004/05/14 12:15:22 | 000,147,236 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2003/08/20 09:01:22 | 000,023,180 | ---- | M] (SonicWALL, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rcvpn.sys -- (rcvpn)
DRV - [2003/04/28 06:27:06 | 000,009,867 | ---- | M] () [Kernel | System] -- C:\WINDOWS\System32\drivers\HOTKEY.sys -- (Hotkey)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Admin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\administrator.WATERMANASPEN_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
IE - HKU\administrator.WATERMANASPEN_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://downloads.yahoo.com/p/bt/ie/welcome
IE - HKU\administrator.WATERMANASPEN_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\administrator.WATERMANASPEN_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com
IE - HKU\administrator.WATERMANASPEN_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\chamilton_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\chamilton_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\ddavidson_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\ddavidson_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\ddavidson_ON_C\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\ddavidson_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\ddavidson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\dmatheson_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
IE - HKU\dmatheson_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\dmatheson_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com
IE - HKU\dmatheson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\dmatheson_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\Donnie_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
IE - HKU\Donnie_ON_C\Software\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\Donnie_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\Donnie_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\kefag_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.watermanaspen.co.uk/
IE - HKU\kefag_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\sparelaptop_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.watermanaspen.co.uk/
IE - HKU\sparelaptop_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.0b2\extensions\\Components: C:\Program Files\Flock\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.0b2\extensions\\Plugins: C:\Program Files\Flock\plugins


O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (BT Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\ddavidson_ON_C\..\Toolbar\WebBrowser: (no name) - {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - No CLSID value found.
O3 - HKU\dmatheson_ON_C\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKU\Donnie_ON_C\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE (CANON INC.)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [KASHPNC99987954614232346] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe (Kaseya International Limited)
O4 - HKLM..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe ()
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MobileConnect] C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (Vodafone)
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\Admin_ON_C..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\administrator.WATERMANASPEN_ON_C..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\chamilton_ON_C..\Run: [\\WARRINGTONPC.watermanaspen.co.uk\EPSON Stylus DX9400F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFE.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\chamilton_ON_C..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\ddavidson_ON_C..\Run: [ISUSPM] C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe (Macrovision Corporation)
O4 - HKU\ddavidson_ON_C..\Run: [TuneUp MemOptimizer] File not found
O4 - HKU\dmatheson_ON_C..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\Donnie_ON_C..\Run: [{2A2DB62D-8D02-BE06-7552-60540CE0DA6B}] C:\Documents and Settings\Donnie\Application Data\Sun\Java\Deployment\SystemCache\6.0\60\debug.exe ()
O4 - HKU\Donnie_ON_C..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\Donnie_ON_C..\Run: [Yahoo] C:\Documents and Settings\Donnie\Local Settings\Application Data\Yahoo\nlqvmaix.dll ()
O4 - HKU\kefag_ON_C..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\sparelaptop_ON_C..\Run: [\\warringtonpc\EPSON Stylus DX9400F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICFE.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\sparelaptop_ON_C..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\Administrator_ON_C..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe (Nero AG)
O4 - HKU\Donnie_ON_C..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10s_ActiveX.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\ddavidson\Start Menu\Programs\Startup\Connection to Waterman HQ.lnk = C:\Program Files\SonicWALL\SonicWALL Global VPN Client\SWGVpnClient.exe (SonicWALL, Inc.)
O4 - Startup: C:\Documents and Settings\Donnie\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Donnie\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Admin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\administrator.WATERMANASPEN_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\chamilton_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\ddavidson_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\dmatheson_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Donnie_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\kefag_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\sparelaptop_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab (ScorchPlugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\Donnie_ON_C Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\Donnie_ON_C Winlogon: Shell - (C:\Documents and Settings\Donnie\Application Data\skype.dat) - C:\Documents and Settings\Donnie\Application Data\skype.dat (TechDays Inc.)
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/01/30 15:16:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{73af4d38-22d7-11de-8e6a-001641fc9a93}\Shell - "" = AutoRun
O33 - MountPoints2\{73af4d38-22d7-11de-8e6a-001641fc9a93}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{73af4d38-22d7-11de-8e6a-001641fc9a93}\Shell\AutoRun\command - "" = E:\setup.exe
O33 - MountPoints2\{e80c42fd-22ec-11de-8e6b-001641fc9a93}\Shell - "" = AutoRun
O33 - MountPoints2\{e80c42fd-22ec-11de-8e6b-001641fc9a93}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e80c42fd-22ec-11de-8e6b-001641fc9a93}\Shell\AutoRun\command - "" = E:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2013/04/25 10:25:36 | 000,000,000 | ---D | C] -- C:\FRST
[2013/03/29 09:37:27 | 000,142,336 | ---- | C] (TechDays Inc.) -- C:\Documents and Settings\Donnie\vhjaopmspkeasxcxioaj.exe
[2013/03/20 05:12:22 | 000,170,778 | ---- | C] (Lurcom Ltd) -- C:\Documents and Settings\Donnie\7276495.exe
[2006/01/30 13:59:21 | 000,142,336 | ---- | C] (TechDays Inc.) -- C:\Documents and Settings\Donnie\Application Data\skype.dat
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/04/25 11:41:23 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Donnie\Application Data\skype.ini
[2013/04/25 11:41:00 | 000,000,430 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{C4D5A3FC-B6FC-4B94-B53B-35B717517C29}.job
[2013/04/25 11:40:14 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2013/04/25 11:40:00 | 000,000,430 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{3249C59C-3609-49AD-9D5C-528AAF764D3A}.job
[2013/04/25 11:27:11 | 000,001,035 | ---- | M] () -- C:\Documents and Settings\Donnie\Start Menu\Programs\Startup\Dropbox.lnk
[2013/04/25 11:26:42 | 000,001,021 | ---- | M] () -- C:\Documents and Settings\Donnie\Desktop\Dropbox.lnk
[2013/04/25 11:24:55 | 000,484,612 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/04/25 11:24:55 | 000,087,810 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/04/25 11:20:46 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/04/25 11:20:45 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/04/25 11:20:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/04/25 11:20:05 | 2673,987,584 | -HS- | M] () -- C:\hiberfil.sys
[2013/04/25 04:04:29 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/03/29 09:38:12 | 000,061,312 | ---- | M] () -- C:\WINDOWS\System32\drivers\e48c6df33eed4299.sys
[2013/03/29 09:37:29 | 000,142,336 | ---- | M] (TechDays Inc.) -- C:\Documents and Settings\Donnie\vhjaopmspkeasxcxioaj.exe
[2013/03/29 09:28:51 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Donnie\Desktop\Microsoft Office Excel 2007.lnk
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/04/23 08:07:00 | 2673,987,584 | -HS- | C] () -- C:\hiberfil.sys
[2013/03/29 09:38:35 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Donnie\Application Data\skype.ini
[2013/03/29 09:38:12 | 000,061,312 | ---- | C] () -- C:\WINDOWS\System32\drivers\e48c6df33eed4299.sys
[2012/08/09 03:12:31 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Donnie\Application Data\SharedSettings.ccs
[2012/04/27 07:54:27 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Donnie\default.pls
[2012/02/06 07:54:50 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Donnie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/24 08:01:38 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\dmatheson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/11 13:31:53 | 000,000,030 | ---- | C] () -- C:\WINDOWS\TEXTEASE.INI
[2010/09/11 13:07:47 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\dmatheson\Local Settings\Application Data\fusioncache.dat
[2010/08/06 12:39:17 | 000,010,593 | ---- | C] () -- C:\WINDOWS\CSTBox.INI
[2010/03/14 14:40:00 | 000,000,182 | ---- | C] () -- C:\Documents and Settings\dmatheson\default.pls
[2010/03/14 14:33:13 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/10/09 08:29:52 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2009/10/09 08:28:29 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2009/10/09 08:25:34 | 000,000,416 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2009/05/27 05:39:48 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7K.DLL
[2008/08/23 17:26:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/07/27 17:22:11 | 000,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2008/07/27 17:22:11 | 000,022,328 | ---- | C] () -- C:\Documents and Settings\ddavidson\Application Data\PnkBstrK.sys
[2008/07/27 17:21:55 | 000,103,736 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrB.exe
[2008/07/27 17:21:53 | 000,066,872 | ---- | C] () -- C:\WINDOWS\System32\PnkBstrA.exe
[2008/07/27 17:21:48 | 000,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/06/30 16:44:38 | 000,001,144 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/06/14 19:02:33 | 000,028,083 | ---- | C] () -- C:\Documents and Settings\ddavidson\Application Data\Comma Separated Values (Windows).ADR
[2008/06/14 18:57:37 | 000,012,159 | ---- | C] () -- C:\Documents and Settings\ddavidson\Application Data\Comma Separated Values (Windows).EML
[2008/05/26 16:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 16:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/05/24 11:21:37 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2008/05/18 19:08:13 | 000,009,636 | ---- | C] () -- C:\Documents and Settings\ddavidson\Application Data\Comma Separated Values (Windows).TSK
[2008/05/06 17:20:29 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\ddavidson\Application Data\$_hpcst$.hpc
[2008/05/01 04:42:33 | 000,496,512 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2008/04/29 09:53:28 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/03/07 11:43:56 | 000,084,734 | R--- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceManager.xml.rc4
[2008/03/07 08:47:30 | 000,020,270 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceInstaller.xml
[2007/09/27 05:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 05:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 05:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/08/15 02:27:18 | 000,009,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\n558.sys
[2007/05/18 14:27:08 | 000,000,057 | ---- | C] () -- C:\WINDOWS\init.ini
[2007/05/18 14:27:00 | 000,065,973 | ---- | C] () -- C:\WINDOWS\sem_GCXXUninstall.exe
[2007/05/18 14:26:53 | 000,072,985 | ---- | C] () -- C:\WINDOWS\OptionPluss_PCCardInstallerUninstall.exe
[2007/05/18 14:26:53 | 000,067,722 | ---- | C] () -- C:\WINDOWS\OptionHsdpaGTMax72ExpressInstallerUninstall.exe
[2007/05/18 14:26:52 | 000,091,520 | ---- | C] () -- C:\WINDOWS\OptionPCCardInstallerUninstall.exe
[2007/05/18 14:26:48 | 000,073,806 | ---- | C] () -- C:\WINDOWS\Novatel_700_800_PCCardInstallerUninstall.exe
[2007/05/18 14:23:11 | 000,063,090 | ---- | C] () -- C:\WINDOWS\SWMC87xxInstallerUninstall.exe
[2007/05/18 14:09:02 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/05/18 14:08:23 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56spn.dll
[2007/05/18 14:08:23 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56itl.dll
[2007/05/18 14:08:23 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56ger.dll
[2007/05/18 14:08:23 | 000,053,248 | ---- | C] () -- C:\WINDOWS\sm56jpn.dll
[2007/05/18 14:08:22 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56eng.dll
[2007/05/18 14:08:22 | 000,069,632 | ---- | C] () -- C:\WINDOWS\sm56brz.dll
[2007/05/18 14:08:22 | 000,061,440 | ---- | C] () -- C:\WINDOWS\sm56fra.dll
[2007/05/18 14:08:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56cht.dll
[2007/05/18 14:08:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56chs.dll
[2007/05/18 14:08:03 | 000,009,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\HOTKEY.sys
[2006/05/02 18:38:24 | 000,072,444 | ---- | C] () -- C:\WINDOWS\SetBrowser.exe
[2006/05/02 18:38:24 | 000,000,748 | ---- | C] () -- C:\WINDOWS\SetBrowser.ini
[2006/01/30 15:38:38 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/01/30 15:20:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/01/30 15:13:35 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/01/30 15:07:55 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/01/30 15:06:54 | 000,304,416 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/01/30 14:00:03 | 000,000,976 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/01/30 13:59:28 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/01/30 13:59:25 | 000,484,612 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/01/30 13:59:25 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/01/30 13:59:25 | 000,087,810 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/01/30 13:59:25 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/01/30 13:59:24 | 000,004,711 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/01/30 13:59:22 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/01/30 13:59:20 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/01/30 13:59:13 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/01/30 13:59:12 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/01/30 13:59:04 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/01/30 13:58:53 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin

========== LOP Check ==========

[2007/05/18 14:23:12 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Alice Systems
[2008/04/29 10:09:44 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Bytemobile
[2011/09/13 07:49:00 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Softland
[2007/05/18 14:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Alice Systems
[2007/05/18 14:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.WATERMANASPEN\Application Data\Alice Systems
[2011/12/16 04:36:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.WATERMANASPEN\Application Data\Vodafone
[2011/12/16 04:37:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator.WATERMANASPEN\Application Data\Windows Desktop Search
[2007/05/18 14:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Alice Systems
[2007/05/18 14:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chamilton\Application Data\Alice Systems
[2008/08/19 16:03:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ddavidson\Application Data\Delicious IE Extension
[2008/05/06 19:21:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ddavidson\Application Data\Flock
[2008/07/02 17:59:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ddavidson\Application Data\Isotope 244
[2008/08/10 18:20:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ddavidson\Application Data\Millennia
[2008/05/20 16:48:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ddavidson\Application Data\NetCentrics
[2008/05/06 15:14:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ddavidson\Application Data\Sierra Wireless
[2008/05/06 17:46:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ddavidson\Application Data\Sprite PC Agent
[2008/05/06 17:46:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ddavidson\Application Data\Sprite Setup Wizard
[2008/05/06 17:46:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ddavidson\Application Data\Sprite Software
[2008/06/20 16:08:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ddavidson\Application Data\TuneUp Software
[2008/05/27 06:55:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ddavidson\Application Data\Vodafone
[2007/05/18 14:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\Alice Systems
[2011/11/14 05:27:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\Canon
[2011/11/07 17:33:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\Canon Easy-WebPrint EX
[2009/09/15 12:07:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\KeySafe
[2011/08/01 04:00:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\NewSoft
[2009/10/09 08:25:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\ScanSoft
[2010/07/31 09:57:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\SMART Technologies Inc
[2010/11/17 14:38:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\SmartDraw
[2011/09/12 12:38:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\Softland
[2009/04/06 14:07:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\Vodafone
[2011/11/18 08:46:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\webex
[2009/04/20 13:21:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\Windows Desktop Search
[2009/07/03 11:08:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\dmatheson\Application Data\Windows Search
[2007/05/18 14:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Donnie\Application Data\Alice Systems
[2012/02/06 06:14:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Donnie\Application Data\Canon
[2011/12/16 05:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Donnie\Application Data\Canon Easy-WebPrint EX
[2013/04/25 11:27:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Donnie\Application Data\Dropbox
[2012/02/01 11:31:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Donnie\Application Data\Softland
[2011/12/16 05:13:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Donnie\Application Data\Vodafone
[2011/12/16 05:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Donnie\Application Data\Windows Desktop Search
[2011/12/20 04:42:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Donnie\Application Data\Windows Search
[2007/05/18 14:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\kefag\Application Data\Alice Systems
[2011/09/12 12:38:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Softland
[2012/02/24 08:36:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\TightVNC
[2009/04/06 14:07:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Vodafone
[2007/05/18 14:26:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Bytemobile
[2007/05/18 14:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sparelaptop\Application Data\Alice Systems
[2011/09/12 12:37:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Calico Pie
[2011/11/07 17:37:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Canon IJ Network Tool
[2009/05/27 05:39:59 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2011/11/07 17:39:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonEPP
[2011/11/14 05:30:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJ
[2012/02/01 11:33:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEGV
[2011/11/07 17:39:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJEPPEX2
[2011/11/07 17:34:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMSetup
[2011/11/07 17:39:41 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJMyPrinter
[2011/11/14 05:27:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJScan
[2011/11/07 17:39:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJSolutionMenuEX
[2011/11/07 16:54:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonIJWSpt
[2008/11/03 11:18:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2008/05/14 15:00:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\mobiano
[2011/10/02 10:32:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research Machines
[2009/10/09 08:25:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2008/08/20 15:12:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpeedBit
[2008/08/28 09:07:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/04/06 14:06:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vodafone
[2011/11/27 14:12:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2012/11/30 13:15:00 | 000,000,398 | ---- | M] () -- C:\WINDOWS\Tasks\1-Click Maintenance.job
[2013/04/25 11:40:14 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2013/04/25 11:40:00 | 000,000,430 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{3249C59C-3609-49AD-9D5C-528AAF764D3A}.job
[2013/04/25 11:41:00 | 000,000,430 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{C4D5A3FC-B6FC-4B94-B53B-35B717517C29}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0F8F5844
< End of report >
 

Fiery

Level 1
Jan 11, 2011
2,007
Double click the OTLPE icon. Under custom scan/fixes, copy and paste the following:

:OTL
DRV - [2013/03/29 09:38:12 | 000,061,312 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\System32\Drivers\e48c6df33eed4299.sys -- (e48c6df33eed4299)
O4 - HKU\Donnie_ON_C..\Run: [Yahoo] C:\Documents and Settings\Donnie\Local Settings\Application Data\Yahoo\nlqvmaix.dll ()
O20 - HKU\Donnie_ON_C Winlogon: Shell - (C:\Documents and Settings\Donnie\Application Data\skype.dat) - C:\Documents and Settings\Donnie\Application Data\skype.dat (TechDays Inc.)
[2013/03/29 09:37:27 | 000,142,336 | ---- | C] (TechDays Inc.) -- C:\Documents and Settings\Donnie\vhjaopmspkeasxcxioaj.exe
[2013/03/20 05:12:22 | 000,170,778 | ---- | C] (Lurcom Ltd) -- C:\Documents and Settings\Donnie\7276495.exe
[2006/01/30 13:59:21 | 000,142,336 | ---- | C] (TechDays Inc.) -- C:\Documents and Settings\Donnie\Application Data\skype.dat
[2013/04/25 11:41:23 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Donnie\Application Data\skype.ini
[2013/03/29 09:38:12 | 000,061,312 | ---- | M] () -- C:\WINDOWS\System32\drivers\e48c6df33eed4299.sys
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0F8F5844

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically; post its content in the next reply.
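As an added example (not from this thread, and not OTL's own code), a small Python triage script that parses the OTL line formats shown in the fix above and flags the four persistence points the fix removes: a boot-start driver with no publisher and a random hex name, a per-user Run entry loading from a profile directory, a Winlogon Shell value that is not explorer.exe, and an alternate data stream. The flagged sample lines are the ones from the fix script; the benign control lines are constructed for contrast.

```python
"""Flag the persistence points an OTL log exposes (added example, not OTL's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the four flagged lines are copied from the OTL fix script
# in the post above; the three benign control lines are made up for contrast.
SAMPLE_LOG = r"""
DRV - [2013/03/29 09:38:12 | 000,061,312 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\System32\Drivers\e48c6df33eed4299.sys -- (e48c6df33eed4299)
DRV - [2008/04/13 19:36:05 | 000,096,512 | ---- | M] (Microsoft Corporation) [Kernel | Boot] -- C:\WINDOWS\System32\drivers\atapi.sys -- (atapi)
O4 - HKU\Donnie_ON_C..\Run: [Yahoo] C:\Documents and Settings\Donnie\Local Settings\Application Data\Yahoo\nlqvmaix.dll ()
O4 - HKLM..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O20 - HKU\Donnie_ON_C Winlogon: Shell - (C:\Documents and Settings\Donnie\Application Data\skype.dat) - C:\Documents and Settings\Donnie\Application Data\skype.dat (TechDays Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0F8F5844
"""

# One pattern per OTL line type this example understands (DRV, O4, O20, ADS).
DRV_RE = re.compile(r"^DRV - \[(?P<meta>.*?)\] \((?P<company>.*?)\) \[(?P<start>.*?)\] -- (?P<path>.*?) -- \((?P<name>.*?)\)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\.\.\\Run: \[(?P<name>.*?)\] (?P<path>.*?) \((?P<company>.*?)\)$")
SHELL_RE = re.compile(r"^O20 - (?P<hive>\S+) Winlogon: Shell - \((?P<value>.*?)\) - (?P<path>.*?) \((?P<company>.*?)\)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.*)$")

# Profile locations a limited user can write to; a Run entry loading from here
# is worth a look, a signed system binary under C:\WINDOWS usually is not.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    reason: str


def triage_line(line: str) -> Finding | None:
    """Return a Finding for one OTL line, or None if it looks benign."""
    if m := DRV_RE.match(line):
        name = m["name"]
        # Boot-start driver, no publisher, name is bare hex: the e48c6df33eed4299.sys pattern.
        if not m["company"] and re.fullmatch(r"[0-9a-f]{12,}", name.lower()):
            return Finding("boot-driver", m["path"],
                           f"boot-start kernel driver {name!r} has no publisher and a random hex name")
        return None
    if m := RUN_RE.match(line):
        if any(seg in m["path"].lower() for seg in USER_WRITABLE):
            return Finding("run-key", m["path"],
                           f"{m['hive']} Run entry {m['name']!r} loads from a user-writable profile directory")
        return None
    if m := SHELL_RE.match(line):
        # A Shell value other than explorer.exe replaces the desktop at logon (the lock screen).
        if m["value"].strip().lower() != "explorer.exe":
            return Finding("winlogon-shell", m["path"],
                           f"{m['hive']} Winlogon Shell replaced by {m['value']!r}")
        return None
    if m := ADS_RE.match(line):
        return Finding("ads", m["path"],
                       f"{m['size']}-byte alternate data stream, invisible to a normal directory listing")
    return None


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line of an OTL log and collect the findings."""
    return [f for f in (triage_line(ln.strip()) for ln in log_text.splitlines()) if f]
```

Feeding a full OTL log to `triage()` lists only the entries that match one of the four patterns; everything the fix above deletes is in that list, and the signed control lines are not.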
 

debdon

New Member
Thread author
Verified
Apr 23, 2013
16
Good Morning

On completion of the Run Fix process a 04262013_105954.txt file was created and I just copied this to my flash drive. I have not yet attempted to reboot the infected computer again. Output file as follows, looks promising:

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\e48c6df33eed4299 deleted successfully.
C:\WINDOWS\system32\drivers\e48c6df33eed4299.sys moved successfully.
Registry value HKEY_USERS\Donnie_ON_C\Software\Microsoft\Windows\CurrentVersion\Run\\Yahoo deleted successfully.
C:\Documents and Settings\Donnie\Local Settings\Application Data\Yahoo\nlqvmaix.dll moved successfully.
Registry value HKEY_USERS\Donnie_ON_C\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Documents and Settings\Donnie\Application Data\skype.dat deleted successfully.
C:\Documents and Settings\Donnie\Application Data\skype.dat moved successfully.
C:\Documents and Settings\Donnie\vhjaopmspkeasxcxioaj.exe moved successfully.
C:\Documents and Settings\Donnie\7276495.exe moved successfully.
File C:\Documents and Settings\Donnie\Application Data\skype.dat not found.
C:\Documents and Settings\Donnie\Application Data\skype.ini moved successfully.
File C:\WINDOWS\System32\drivers\e48c6df33eed4299.sys not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0F8F5844 deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
C:\cmd.bat deleted successfully.
C:\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Admin
->Temp folder emptied: 709851744 bytes
->Temporary Internet Files folder emptied: 1516835 bytes
->Flash cache emptied: 300 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes
->Flash cache emptied: 300 bytes

User: administrator.WATERMANASPEN
->Temp folder emptied: 5144712 bytes
->Temporary Internet Files folder emptied: 39567 bytes
->Java cache emptied: 418 bytes
->Flash cache emptied: 300 bytes

User: ADMINI~1~WAT

User: All Users

User: chamilton
->Temp folder emptied: 633643 bytes
->Temporary Internet Files folder emptied: 94460755 bytes
->Java cache emptied: 145968 bytes
->Flash cache emptied: 1493 bytes

User: ddavidson
->Temp folder emptied: 4759316 bytes
->Temporary Internet Files folder emptied: 9803195 bytes
->Java cache emptied: 1752439 bytes
->Flash cache emptied: 1698878 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 300 bytes

User: dmatheson
->Temp folder emptied: 208690907 bytes
->Temporary Internet Files folder emptied: 307588208 bytes
->Java cache emptied: 91451624 bytes
->Flash cache emptied: 112911 bytes

User: Donnie
->Temp folder emptied: 102894755 bytes
->Temporary Internet Files folder emptied: 468775668 bytes
->Java cache emptied: 2262979 bytes
->Flash cache emptied: 30591 bytes

User: kefag
->Temp folder emptied: 7447 bytes
->Temporary Internet Files folder emptied: 39751150 bytes
->Flash cache emptied: 405 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 49554 bytes

User: NetworkService
->Temp folder emptied: 2305866 bytes
->Temporary Internet Files folder emptied: 1590817 bytes

User: sparelaptop
->Temp folder emptied: 2067932 bytes
->Temporary Internet Files folder emptied: 831080 bytes
->Flash cache emptied: 405 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 92223440 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 9736356 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

Total Files Cleaned = 2,060.00 mb


OTLPE by OldTimer - Version 3.1.48.0 log created on 04262013_105954
 

Fiery

Level 1
Jan 11, 2011
2,007
Attempt to reboot normally. If successful, follow the instructions in Post 4 to run TDSSKiller and Malwarebytes:

http://malwaretips.com/Thread-Europol-virus-Hitman-Pro-kickstart?pid=117993#pid117993
 

debdon

New Member
Thread author
Verified
Apr 23, 2013
16
Hi Fiery

I was able to reboot normally, thanks.

I've attached both TDSSKiller log.txt files that were created.

Unfortunately I couldn't run the mbar.exe file, screenshot of message as attached. I have an older version of Malwarebytes on my laptop, installed in 2008, which I can run but I assume that would now require updating anyway.
 

Attachments

  • mbar exe message.docx
    141.2 KB · Views: 114

debdon

New Member
Thread author
Verified
Apr 23, 2013
16
It looks like the TDSSKiller log files did not attach, so I've tried again.
 

Attachments

  • TDSSKiller.2.8.16.0_30.04.2013_11.12.44_log.txt
    292.7 KB · Views: 85
  • TDSSKiller.2.8.16.0_30.04.2013_11.10.01_log.txt
    4 KB · Views: 95

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

You have to delete a rootkit with TDSSKiller. Rerun TDSSKiller, but this time, for:

\Device\Harddisk1\DR2 ( TDSS File System ) - skipped by user
\Device\Harddisk1\DR2 ( TDSS File System ) - User select action: Skip

Select Quarantine/delete.

Then try running mbar.exe.
 

debdon

New Member
Thread author
Verified
Apr 23, 2013
16
Hi

I deleted the file but got the same message when I tried to run mbar.exe

New TDSS log attached
 

Attachments

  • TDSSKiller.2.8.16.0_01.05.2013_09.51.52_log.txt
    246.2 KB · Views: 131

Fiery

Level 1
Jan 11, 2011
2,007
Ok.

Please download ComboFix from one of these locations:

Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://www.infospyware.net/antimalware/combofix/

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See http://www.bleepingcomputer.com/forums/topic114351.html for help.
  • Double click on Combo-Fix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(Posted image: http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(Posted image: http://img.photobucket.com/albums/v706/ried7/whatnext.png)

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
 