
Virus/Malware on USB

  • 12-10-2012 9:21pm
    #1
    Registered Users Posts: 13,877 ✭✭✭✭


    Mate of mine at work recently picked up some sort of virus/malware, and he has a lot of pretty important documents on it. It basically turned every folder in it to a shortcut. I googled it and it seemed fairly common, and recommended I download and install AutoRunExterminator, which I did, and ran it on the USB drive. But, after an hour, it kept finding the same autorun.inf file and never got round to actually deleting it.

    I scanned it with my antivirus, Eset Smart Security Business Edition, and it found a number of Win32/Dorkbot.D worms, one for each of the folders (5) and the autorun file, all with the extension ".lnk", and quarantined each one.

    So I then ran an up-to-date Malwarebytes scan on it, which found 2 infected files and removed both also.

    However, the folders are still missing but are there when I do another scan with Eset (it shows that it is scanning each folder and its contained documents). I have it set to show hidden files, but only a shaded "~WRL2386.tmp", "AUTORUN" and a CCTV TDP file (?) appear, which he has told me was the name of the original TDP file.

    Also it has a BOOTEX wordpad document, which neither of us knows if it was there beforehand, and a few other word documents which were not in folders and apparently were not affected.

    Further Malwarebytes scans throw up no malicious files detected, and further Eset scans give "E:\AUTORUN.INF - error opening" but no threats, and show that there are 1918 files on the drive (again, only 9 showing, including the ones I mentioned above).

    I've attached the DDS and Attach files as requested, along with the latest Malwarebytes logs for the first and second scan.

    I'm far from a guru on these matters, so anyone who can help me would get some serious internet thumbs up!
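The pattern described above (real folders hidden, a `.lnk` of the same name beside each one, an `autorun.inf` the scanners keep tripping over) can be triaged from the command line before anything is deleted. The following is an added example written for this thread; it is not from the original post, nor from ESET, Malwarebytes, AutoRunExterminator or OTL. It assumes the stick is E: as in the thread (change `-DriveRoot` otherwise) and PowerShell 2.0, the version installable on XP SP3. Without `-Fix` it only reads and reports; with `-Fix` it restores the folders' attributes and still deletes nothing.

```powershell
# Added triage example for a removable drive showing the "every folder became a
# shortcut" pattern. Not from the original post or from any tool named in the thread.
# Assumptions: drive letter E: (as in the thread) and PowerShell 2.0 on XP SP3.
param(
    [string]$DriveRoot = 'E:\',
    [switch]$Fix   # when given, clears Hidden/System/ReadOnly on the folders; nothing is deleted
)

# -Force is what makes hidden and system entries show up at all
$items      = @(Get-ChildItem -LiteralPath $DriveRoot -Force)
$hiddenDirs = @($items | Where-Object { $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) })
$shortcuts  = @($items | Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.lnk' })

Write-Host ("{0} entries in {1}; {2} hidden folders, {3} .lnk files" -f `
    $items.Count, $DriveRoot, $hiddenDirs.Count, $shortcuts.Count)

# Read each shortcut's real target through the Windows Script Host COM object.
# A shortcut carrying the name of a hidden folder is the tell-tale of this pattern;
# what it launches (TargetPath/Arguments) is what the scanners quarantined as .lnk.
$wsh = New-Object -ComObject WScript.Shell
foreach ($s in $shortcuts) {
    $lnk  = $wsh.CreateShortcut($s.FullName)
    $twin = $hiddenDirs | Where-Object { $_.Name -eq $s.BaseName }
    $note = if ($twin) { 'SUSPECT: same name as a hidden folder' } else { '' }
    Write-Host ("  {0}`n     target: {1}`n     args:   {2} {3}" -f `
        $s.Name, $lnk.TargetPath, $lnk.Arguments, $note)
}

# autorun.inf: report attributes and content rather than guessing at it
$autorun = Join-Path $DriveRoot 'autorun.inf'
if (Test-Path -LiteralPath $autorun) {
    $inf = Get-Item -LiteralPath $autorun -Force
    Write-Host ("`nautorun.inf: {0} bytes, attributes {1}, modified {2}" -f `
        $inf.Length, $inf.Attributes, $inf.LastWriteTime)
    Get-Content -LiteralPath $autorun | ForEach-Object { Write-Host "   | $_" }
}

# Folders marked Hidden+System show a greyed-out Hidden checkbox in Explorer, which is
# why they cannot be unhidden from the GUI. Resetting Attributes to plain Directory
# clears Hidden, System and ReadOnly in one step (equivalent to attrib -h -s -r).
if ($Fix) {
    foreach ($d in $hiddenDirs) {
        $d.Attributes = [IO.FileAttributes]::Directory
        Write-Host "restored attributes on $($d.FullName)"
    }
}
```

Run it once without `-Fix` and keep the output: the list of shortcut targets is the evidence of what was on the stick, and restoring attributes should only be done after the scanners report it clean, as the helper in this thread also advises.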


Comments

  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    No need to attach these logs; you can just post them here.

    Download OTL to your Desktop
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Quick Scan button. Do not change any settings. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files here


  • Registered Users Posts: 13,877 ✭✭✭✭Potential-Monke


    I'll do that now, but I just checked there again and the folders are showing now but only as hidden and I can't unhide them...


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Don't worry about that for the moment, we will fix it after we remove the malware


  • Registered Users Posts: 13,877 ✭✭✭✭Potential-Monke


    OTL logfile created on: 13/10/2012 18:30:14 - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\admin\My Documents\Downloads
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    1015.48 Mb Total Physical Memory | 639.55 Mb Available Physical Memory | 62.98% Memory free
    1.64 Gb Paging File | 1.36 Gb Available in Paging File | 83.07% Paging File free
    Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.27 Gb Total Space | 21.42 Gb Free Space | 57.48% Space Free | Partition Type: NTFS
    Drive E: | 959.97 Mb Total Space | 492.42 Mb Free Space | 51.30% Space Free | Partition Type: FAT

    Computer Name: ADMIN-E0AEA4CA9 | User Name: admin | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/10/13 18:19:31 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\admin\My Documents\Downloads\OTL.exe
    PRC - [2011/10/24 09:40:10 | 000,814,264 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    PRC - [2011/10/24 09:40:04 | 002,219,184 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
    PRC - [2008/04/14 00:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (No Company Name) ==========


    ========== Services (SafeList) ==========

    SRV - [2011/10/24 09:40:44 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
    SRV - [2011/10/24 09:40:10 | 000,814,264 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbmdm.sys -- (hwdatacard)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | Boot | Stopped] -- -- (cerc6)
    DRV - [2011/10/24 09:40:18 | 000,134,000 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
    DRV - [2011/10/24 09:40:18 | 000,055,768 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
    DRV - [2011/10/24 09:40:18 | 000,033,120 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
    DRV - [2011/10/24 09:40:06 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
    DRV - [2011/10/24 09:39:24 | 000,141,264 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
    DRV - [2011/03/14 15:53:41 | 000,229,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2010/05/27 22:52:12 | 000,829,792 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
    DRV - [2007/06/27 22:42:00 | 000,207,488 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vinyl97.sys -- (VIAudio)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_35: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2012/08/30 16:32:50 | 000,000,000 | ---D | M]


    ========== Chrome ==========

    CHR - homepage: http://www.google.com
    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms},
    CHR - homepage: http://www.google.com
    CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.83\PepperFlash\pepflashplayer.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\gcswf32.dll
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\pdf.dll
    CHR - plugin: AVG Internet Security (Enabled) = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
    CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
    CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
    CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    CHR - plugin: Java(TM) Platform SE 6 U33 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
    CHR - plugin: Java Deployment Toolkit 6.0.330.3 (Enabled) = C:\WINDOWS\system32\npdeployJava1.dll
    CHR - plugin: VLC Multimedia Plug-in (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
    CHR - Extension: Angry Birds = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.5.0.7_0\
    CHR - Extension: Beatlab = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\alnfdikmbdfgkcbdodjcbmedanjinmkk\1.0.1_0\
    CHR - Extension: Bounceball = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bnonnffemhpfblohaicmfmofbfaaoobf\1.1_0\
    CHR - Extension: New York theme = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dcnjoilngpclpbpopnnfbjelpbpamign\1.2_0\
    CHR - Extension: AdBlock = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.45_0\
    CHR - Extension: Cargo Bridge = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\keembkgclppcbilkekfgpobhldjjhpmn\1.5.7_0\
    CHR - Extension: ScrewAds - Block, Skip, Remove YouTube Ads = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mmbnjoljpgkhiaicaejkdcjbfjknipnc\2.1.5_0\

    O1 HOSTS File: ([2008/04/14 00:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutorun = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutorunSetting = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1346341283000 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
    O16 - DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{90F75716-4B1A-4790-B618-5936BC872783}: DhcpNameServer = 192.168.15.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B8564D38-003D-472A-8A81-207C111C2A29}: DhcpNameServer = 192.168.1.254
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/10/18 01:29:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2012/10/12 08:04:20 | 000,000,016 | -H-- | M] () - E:\AUTORUN.INF -- [ FAT ]
    O33 - MountPoints2\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\Shell - "" = AutoRun
    O33 - MountPoints2\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O33 - MountPoints2\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\Shell - "" = AutoRun
    O33 - MountPoints2\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\Shell\AutoRun\command - "" = F:\AutoRun.exe
    O33 - MountPoints2\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\Shell - "" = AutoRun
    O33 - MountPoints2\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/10/12 21:03:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\admin\Start Menu\Programs\Administrative Tools
    [2012/09/25 22:37:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Application Data\DAEMON Tools Lite
    [2012/09/25 22:36:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
    [2012/09/16 16:58:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\WindowsPowerShell
    [2012/09/16 16:58:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\winrm
    [2012/09/16 16:58:36 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$968930Uinstall_KB968930$
    [2012/09/16 16:51:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Local Settings\Application Data\ApplicationHistory
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/10/13 18:05:04 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/10/13 18:04:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/10/10 00:35:41 | 000,062,464 | ---- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/09/25 22:39:52 | 000,462,942 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/09/25 22:39:52 | 000,078,570 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/09/16 16:59:14 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/09/14 15:32:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/09/01 22:13:02 | 000,000,436 | RHS- | C] () -- C:\Documents and Settings\admin\ntuser.pol
    [2012/08/30 20:28:11 | 000,062,464 | ---- | C] () -- C:\Documents and Settings\admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/07/08 18:53:30 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2012/06/25 17:24:01 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2011/10/18 20:57:05 | 000,014,051 | ---- | C] () -- C:\WINDOWS\System32\RaCoInst.dat
    [2011/10/18 01:32:15 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2011/10/18 01:25:44 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2011/10/17 18:15:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2011/10/17 18:09:41 | 000,141,240 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

    ========== ZeroAccess Check ==========

    [2012/09/12 00:23:24 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shdocvw.dll -- [2011/09/05 14:56:22 | 001,510,400 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 13:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 00:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== LOP Check ==========

    [2012/09/25 22:39:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\DAEMON Tools Lite
    [2012/08/30 16:34:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\ESET
    [2012/08/30 15:04:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\MSNInstaller
    [2012/07/08 18:57:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\OpenOffice.org
    [2012/10/03 11:25:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\uTorrent
    [2012/09/12 00:25:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\Windows Desktop Search
    [2012/09/12 03:37:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\Windows Search
    [2012/06/22 17:34:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
    [2012/09/25 22:37:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
    [2012/08/30 16:32:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
    [2012/08/30 16:27:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
    [2011/10/18 20:57:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ralink Driver

    ========== Purity Check ==========



    < End of report >
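The autorun-related lines in the report above (O6/O7 policy values, the O32 AutoRun File entry for E:, and the O33 MountPoints2 entries) are the ones that matter for a USB worm, and they are easier to read decoded. The following is an added example, not part of OTL or of the poster's log: it parses those line types, decodes the NoDriveTypeAutoRun bitmask using the bit values from Microsoft's documentation (one bit per GetDriveType result; a set bit disables AutoRun for that drive type), and lists the cached MountPoints2 AutoRun commands. The sample lines are copied from the log above.

```powershell
# Added example: decode the autorun-related lines of an OTL report.
# Not part of OTL or of the thread; the sample lines are copied from the log posted above.
$otlLines = @'
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutorun = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O32 - AutoRun File - [2011/10/18 01:29:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2012/10/12 08:04:20 | 000,000,016 | -H-- | M] () - E:\AUTORUN.INF -- [ FAT ]
O33 - MountPoints2\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\Shell\AutoRun\command - "" = E:\AutoRun.exe
'@ -split "`r?`n"

# NoDriveTypeAutoRun bit values (Microsoft documentation). A set bit disables AutoRun
# for that drive type; 0x91 is the XP default, 0xFF disables it everywhere.
$driveTypeBits = @(
    @(0x01, 'DRIVE_UNKNOWN'), @(0x02, 'DRIVE_NO_ROOT_DIR'), @(0x04, 'DRIVE_REMOVABLE'), @(0x08, 'DRIVE_FIXED'),
    @(0x10, 'DRIVE_REMOTE'),  @(0x20, 'DRIVE_CDROM'),       @(0x40, 'DRIVE_RAMDISK'),   @(0x80, 'reserved')
)

function Decode-NoDriveTypeAutoRun([int]$Value) {
    $disabled = foreach ($pair in $driveTypeBits) { if ($Value -band $pair[0]) { $pair[1] } }
    "0x{0:X2} ({1}): AutoRun disabled for {2}" -f $Value, $Value, ($disabled -join ', ')
}

foreach ($line in $otlLines) {
    if ($line -match '^O[67] - (HKLM|HKCU)\\.*NoDriveTypeAutoRun = (\d+)$') {
        Write-Host ("{0,-5} {1}" -f $matches[1], (Decode-NoDriveTypeAutoRun ([int]$matches[2])))
    }
    elseif ($line -match '^O32 - AutoRun File - \[(\S+ \S+) \| ([\d,]+) \| (\S+) \| M\] \(\) - (\S+) -- \[ (\w+) \]$') {
        # OTL field order: modified timestamp | size | attribute flags (H = hidden) | M
        Write-Host ("autorun file {0}: {1} bytes, attributes {2}, modified {3}, {4} volume" -f `
            $matches[4], $matches[2], $matches[3], $matches[1], $matches[5])
    }
    elseif ($line -match '^O33 - MountPoints2\\(\{[0-9a-f-]+\})\\Shell\\AutoRun\\command - "" = (.+)$') {
        # Explorer caches the open= command of a volume's autorun.inf under MountPoints2
        Write-Host ("MountPoints2 {0} cached AutoRun command -> {1}" -f $matches[1], $matches[2])
    }
}
Write-Host "`nHKLM NoDriveTypeAutoRun takes precedence over HKCU when both are set."
```

Reading the decoded output against this log: HKLM is 0xFF, so AutoRun was already disabled for every drive type on this PC regardless of the HKCU 0x91 default, which is why the stick could not run its payload on insertion here. The MountPoints2 entries are Explorer's record that volumes carrying an autorun.inf with an AutoRun.exe command were mounted as E: and F: at some point; they are evidence, not active infection, and the 16-byte hidden E:\AUTORUN.INF modified on 2012/10/12 is what ESET reported as "error opening".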


  • Registered Users Posts: 13,877 ✭✭✭✭Potential-Monke


    OTL Extras logfile created on: 13/10/2012 18:30:14 - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\admin\My Documents\Downloads
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    1015.48 Mb Total Physical Memory | 639.55 Mb Available Physical Memory | 62.98% Memory free
    1.64 Gb Paging File | 1.36 Gb Available in Paging File | 83.07% Paging File free
    Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.27 Gb Total Space | 21.42 Gb Free Space | 57.48% Space Free | Partition Type: NTFS
    Drive E: | 959.97 Mb Total Space | 492.42 Mb Free Space | 51.30% Space Free | Partition Type: FAT

    Computer Name: ADMIN-E0AEA4CA9 | User Name: admin | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = ChromeHTML.B6GGQVTVFZID7QDZXXT2VHNDSU] -- C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "UpdatesDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
    "80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
    "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
    "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
    "C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer
    "C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
    "{26A24AE4-039D-4CA4-87B4-2F83216033FF}" = Java(TM) 6 Update 35
    "{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}" = Ralink RT2870 Wireless LAN Card
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
    "{90120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
    "{ACEB2BAF-96DF-48FD-ADD5-43842D4C443D}" = Adobe AIR
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{E0989843-8C18-4857-9785-4DA0BF54325F}" = ESET Smart Security
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "CCleaner" = CCleaner
    "Combined Community Codec Pack_is1" = Combined Community Codec Pack 2011-11-11
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.0.1400
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "Speccy" = Speccy
    "uTorrent" = µTorrent
    "VLC media player" = VLC media player 2.0.3
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "WinRAR archiver" = WinRAR 4.20 (32-bit)
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 18/10/2011 09:47:59 | Computer Name = ADMIN-E0AEA4CA9 | Source = MPSampleSubmission | ID = 5000
    Description =

    Error - 18/10/2011 20:19:54 | Computer Name = ADMIN-E0AEA4CA9 | Source = Windows Product Activation | ID = 1012
    Description = Due to hardware changes on this computer, you will need to reactivate
    your Windows product.

    Error - 22/06/2012 06:40:31 | Computer Name = ADMIN-E0AEA4CA9 | Source = Userenv | ID = 1041
    Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
    and it will not be loaded. This is most likely caused by a faulty registration.

    Error - 22/06/2012 06:40:32 | Computer Name = ADMIN-E0AEA4CA9 | Source = Userenv | ID = 1041
    Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
    and it will not be loaded. This is most likely caused by a faulty registration.

    Error - 22/06/2012 06:40:32 | Computer Name = ADMIN-E0AEA4CA9 | Source = Userenv | ID = 1041
    Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
    and it will not be loaded. This is most likely caused by a faulty registration.

    Error - 22/06/2012 06:40:32 | Computer Name = ADMIN-E0AEA4CA9 | Source = Userenv | ID = 1041
    Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
    and it will not be loaded. This is most likely caused by a faulty registration.

    Error - 30/08/2012 10:25:47 | Computer Name = ADMIN-E0AEA4CA9 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 30/08/2012 10:25:49 | Computer Name = ADMIN-E0AEA4CA9 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 30/08/2012 18:10:36 | Computer Name = ADMIN-E0AEA4CA9 | Source = Application Hang | ID = 1002
    Description = Hanging application vlc.exe, version 2.0.3.0, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 12/09/2012 09:47:55 | Computer Name = ADMIN-E0AEA4CA9 | Source = Windows Search Service | ID = 3024
    Description = The update cannot be started because the content sources cannot be
    accessed. Fix the errors and try the update again. Context: Application, SystemIndex
    Catalog

    [ System Events ]
    Error - 22/09/2012 02:45:33 | Computer Name = ADMIN-E0AEA4CA9 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt

    Error - 22/09/2012 18:46:51 | Computer Name = ADMIN-E0AEA4CA9 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt

    Error - 23/09/2012 06:30:15 | Computer Name = ADMIN-E0AEA4CA9 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt

    Error - 24/09/2012 11:05:54 | Computer Name = ADMIN-E0AEA4CA9 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt

    Error - 24/09/2012 23:32:13 | Computer Name = ADMIN-E0AEA4CA9 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt

    Error - 25/09/2012 13:00:41 | Computer Name = ADMIN-E0AEA4CA9 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt

    Error - 26/09/2012 08:46:27 | Computer Name = ADMIN-E0AEA4CA9 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt

    Error - 27/09/2012 14:48:27 | Computer Name = ADMIN-E0AEA4CA9 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt

    Error - 30/09/2012 12:32:41 | Computer Name = ADMIN-E0AEA4CA9 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt

    Error - 30/09/2012 17:04:25 | Computer Name = ADMIN-E0AEA4CA9 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    i8042prt


    < End of report >


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Open OTL, then copy and paste this into the Custom Scans/Fixes box:


    :OTL
    O32 - AutoRun File - [2012/10/12 08:04:20 | 000,000,016 | -H-- | M] () - E:\AUTORUN.INF -- [ FAT ]
    O33 - MountPoints2\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\Shell - "" = AutoRun
    O33 - MountPoints2\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O33 - MountPoints2\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\Shell - "" = AutoRun
    O33 - MountPoints2\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\Shell\AutoRun\command - "" = F:\AutoRun.exe
    O33 - MountPoints2\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\Shell - "" = AutoRun
    O33 - MountPoints2\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\Shell\AutoRun\command - "" = E:\AutoRun.exe


    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [EMPTYJAVA]
    [CREATERESTOREPOINT]
    [Reboot]
    :Files
    ipconfig /flushdns /c
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "5985:TCP"=-
    "80:TCP"=-


    Click Run Fix and post the log it produces.


    Then re-open OTL, click the None button at the top, and copy and paste this into the Custom Scans/Fixes box:


    C:\WINDOWS\System32\WindowsPowerShell\*.*
    C:\WINDOWS\System32\winrm\*.*
    C:\Documents and Settings\admin\Local Settings\Application Data\ApplicationHistory\*.*
    C:\WINDOWS\$968930Uinstall_KB968930$\*.*
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    SaveMBR:0
    clearallrestorepoints
    %systemroot%\*. /mp /s
    C:\*.*


    Click Run Scan and post the log it gives you.


  • Posts: 0 [Deleted User]


    Did you also disable the option to "Hide protected operating system files" - enabling hidden files alone isn't enough.


  • Registered Users Posts: 13,877 ✭✭✭✭Potential-Monke


    All processes killed
    ========== OTL ==========
    File E:\AUTORUN.INF not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11d99cfe-bee1-11e1-a4f4-001279a2fed8}\ not found.
    File E:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6a4f5ebd-d293-11e1-a4f9-001279a2fed8}\ not found.
    File F:\AutoRun.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7a1d49ee-d806-11e1-a4fc-001279a2fed8}\ not found.
    File E:\AutoRun.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: admin
    ->Temp folder emptied: 216073005 bytes
    ->Temporary Internet Files folder emptied: 5005066 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 300210732 bytes
    ->Flash cache emptied: 421 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 56475 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 11926 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2402044 bytes
    %systemroot%\System32 .tmp files removed: 102417 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3098349 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 35065345 bytes

    Total Files Cleaned = 536.00 mb


    [EMPTYFLASH]

    User: admin
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYJAVA]

    User: admin
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\admin\My Documents\Downloads\cmd.bat deleted successfully.
    C:\Documents and Settings\admin\My Documents\Downloads\cmd.txt deleted successfully.
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\5985:TCP deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\80:TCP deleted successfully.

    OTL by OldTimer - Version 3.2.69.0 log created on 10132012_191718

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...


  • Registered Users Posts: 13,877 ✭✭✭✭Potential-Monke


    OTL logfile created on: 13/10/2012 19:21:59 - Run 2
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\admin\My Documents\Downloads
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    1015.48 Mb Total Physical Memory | 524.10 Mb Available Physical Memory | 51.61% Memory free
    1.64 Gb Paging File | 1.24 Gb Available in Paging File | 75.70% Paging File free
    Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.27 Gb Total Space | 21.98 Gb Free Space | 58.97% Space Free | Partition Type: NTFS
    Drive E: | 959.97 Mb Total Space | 492.42 Mb Free Space | 51.30% Space Free | Partition Type: FAT
    Drive F: | 849.72 Gb Total Space | 464.08 Gb Free Space | 54.61% Space Free | Partition Type: FAT32
    Drive G: | 81.66 Gb Total Space | 81.66 Gb Free Space | 100.00% Space Free | Partition Type: FAT32

    Computer Name: ADMIN-E0AEA4CA9 | User Name: admin | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/10/13 18:19:31 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\admin\My Documents\Downloads\OTL.exe
    PRC - [2012/08/30 03:58:46 | 001,229,848 | ---- | M] (Google Inc.) -- C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    PRC - [2011/10/24 09:40:10 | 000,814,264 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    PRC - [2011/10/24 09:40:04 | 002,219,184 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
    PRC - [2008/04/14 00:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/08/30 03:58:45 | 000,442,392 | ---- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\ppgooglenaclpluginchrome.dll
    MOD - [2012/08/30 03:58:42 | 003,997,720 | ---- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\pdf.dll
    MOD - [2012/08/30 03:57:15 | 000,144,424 | ---- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\avutil-51.dll
    MOD - [2012/08/30 03:57:13 | 000,266,792 | ---- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\avformat-54.dll
    MOD - [2012/08/30 03:57:12 | 002,480,680 | ---- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\avcodec-54.dll


    ========== Services (SafeList) ==========

    SRV - [2011/10/24 09:40:44 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
    SRV - [2011/10/24 09:40:10 | 000,814,264 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ewusbmdm.sys -- (hwdatacard)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | Boot | Stopped] -- -- (cerc6)
    DRV - [2011/10/24 09:40:18 | 000,134,000 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)
    DRV - [2011/10/24 09:40:18 | 000,055,768 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)
    DRV - [2011/10/24 09:40:18 | 000,033,120 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)
    DRV - [2011/10/24 09:40:06 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
    DRV - [2011/10/24 09:39:24 | 000,141,264 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
    DRV - [2011/03/14 15:53:41 | 000,229,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2010/05/27 22:52:12 | 000,829,792 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2870.sys -- (rt2870)
    DRV - [2007/06/27 22:42:00 | 000,207,488 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vinyl97.sys -- (VIAudio)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_35: C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2012/08/30 16:32:50 | 000,000,000 | ---D | M]


    ========== Chrome ==========

    CHR - homepage: http://www.google.com
    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms},
    CHR - homepage: http://www.google.com
    CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.83\PepperFlash\pepflashplayer.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\gcswf32.dll
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\pdf.dll
    CHR - plugin: AVG Internet Security (Enabled) = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll
    CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
    CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
    CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
    CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    CHR - plugin: Java(TM) Platform SE 6 U33 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
    CHR - plugin: Java Deployment Toolkit 6.0.330.3 (Enabled) = C:\WINDOWS\system32\npdeployJava1.dll
    CHR - plugin: VLC Multimedia Plug-in (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
    CHR - Extension: Angry Birds = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.5.0.7_0\
    CHR - Extension: Beatlab = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\alnfdikmbdfgkcbdodjcbmedanjinmkk\1.0.1_0\
    CHR - Extension: Bounceball = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bnonnffemhpfblohaicmfmofbfaaoobf\1.1_0\
    CHR - Extension: New York theme = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dcnjoilngpclpbpopnnfbjelpbpamign\1.2_0\
    CHR - Extension: AdBlock = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.45_0\
    CHR - Extension: Cargo Bridge = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\keembkgclppcbilkekfgpobhldjjhpmn\1.5.7_0\
    CHR - Extension: ScrewAds - Block, Skip, Remove YouTube Ads = C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mmbnjoljpgkhiaicaejkdcjbfjknipnc\2.1.5_0\

    O1 HOSTS File: ([2012/10/13 19:17:44 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutorun = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutorunSetting = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1346341283000 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
    O16 - DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab (Java Plug-in 1.6.0_35)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{90F75716-4B1A-4790-B618-5936BC872783}: DhcpNameServer = 192.168.15.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B8564D38-003D-472A-8A81-207C111C2A29}: DhcpNameServer = 192.168.1.254
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/10/18 01:29:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2012/10/12 08:04:20 | 000,000,016 | -H-- | M] () - E:\AUTORUN.INF -- [ FAT ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe - (Microsoft Corporation)
    MsConfig - StartUpReg: Adobe ARM - hkey= - key= - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
    MsConfig - StartUpReg: AudioDeck - hkey= - key= - C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe (VIA Technologies, Inc.)
    MsConfig - StartUpReg: Google Update - hkey= - key= - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
    MsConfig - State: "system.ini" - 0
    MsConfig - State: "win.ini" - 0
    MsConfig - State: "bootini" - 0
    MsConfig - State: "services" - 0
    MsConfig - State: "startup" - 2

    SafeBootMin: Base - Driver Group
    SafeBootMin: Boot Bus Extender - Driver Group
    SafeBootMin: Boot file system - Driver Group
    SafeBootMin: File system - Driver Group
    SafeBootMin: Filter - Driver Group
    SafeBootMin: PCI Configuration - Driver Group
    SafeBootMin: PNP Filter - Driver Group
    SafeBootMin: Primary disk - Driver Group
    SafeBootMin: SCSI Class - Driver Group
    SafeBootMin: sermouse.sys - Driver
    SafeBootMin: System Bus Extender - Driver Group
    SafeBootMin: vga.sys - Driver
    SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
    SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
    SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
    SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
    SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
    SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
    SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
    SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
    SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
    SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
    SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
    SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
    SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

    SafeBootNet: Base - Driver Group
    SafeBootNet: Boot Bus Extender - Driver Group
    SafeBootNet: Boot file system - Driver Group
    SafeBootNet: File system - Driver Group
    SafeBootNet: Filter - Driver Group
    SafeBootNet: NDIS Wrapper - Driver Group
    SafeBootNet: NetBIOSGroup - Driver Group
    SafeBootNet: NetDDEGroup - Driver Group
    SafeBootNet: Network - Driver Group
    SafeBootNet: NetworkProvider - Driver Group
    SafeBootNet: PCI Configuration - Driver Group
    SafeBootNet: PNP Filter - Driver Group
    SafeBootNet: PNP_TDI - Driver Group
    SafeBootNet: Primary disk - Driver Group
    SafeBootNet: SCSI Class - Driver Group
    SafeBootNet: sermouse.sys - Driver
    SafeBootNet: Streams Drivers - Driver Group
    SafeBootNet: System Bus Extender - Driver Group
    SafeBootNet: TDI - Driver Group
    SafeBootNet: vga.sys - Driver
    SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
    SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
    SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
    SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
    SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
    SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
    SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
    SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
    SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
    SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
    SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
    SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
    SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
    SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
    SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
    SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
    SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

    ActiveX: {0213C6AF-5562-4D09-884C-2ADCFC8C2F35} - Microsoft .NET Framework 1.1 Security Update (KB2656353)
    ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
    ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
    ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
    ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
    ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
    ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
    ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
    ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
    ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
    ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
    ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
    ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
    ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
    ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
    ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
    ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
    ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
    ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
    ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
    ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
    ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
    ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
    ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
    ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
    ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
    ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
    ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
    ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
    ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
    ActiveX: {A38B334A-A0A2-436D-BAA0-34FE5E517E44} - Microsoft .NET Framework 1.1 Security Update (KB2656370)
    ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
    ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
    ActiveX: {C3C986D6-06B1-43BF-90DD-BE30756C00DE} - RevokedRootsUpdate
    ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
    ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
    ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
    ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
    ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Shockwave Flash
    ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
    ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
    ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
    ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
    ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
    ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
    ActiveX: Microsoft Base Smart Card Crypto Provider Package -

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.FFDS - C:\Program Files\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    PhysicalDisk0 MBR saved to C:\PhysicalMBR.bin

    CLEARALLRESTOREPOINTS
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/10/13 19:17:18 | 000,000,000 | ---D | C] -- C:\_OTL
    [2012/10/12 21:03:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\admin\Start Menu\Programs\Administrative Tools
    [2012/09/25 22:37:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Application Data\DAEMON Tools Lite
    [2012/09/25 22:36:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
    [2012/09/17 01:42:01 | 000,135,168 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll
    [2012/09/16 16:58:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\WindowsPowerShell
    [2012/09/16 16:58:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\winrm
    [2012/09/16 16:58:36 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$968930Uinstall_KB968930$
    [2012/09/16 16:51:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin\Local Settings\Application Data\ApplicationHistory

    ========== Files - Modified Within 30 Days ==========

    [2012/10/13 19:25:37 | 000,000,512 | ---- | M] () -- C:\PhysicalMBR.bin
    [2012/10/13 19:19:17 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/10/13 19:18:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/10/13 19:17:44 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
    [2012/10/13 18:58:35 | 000,062,976 | ---- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/09/25 22:39:52 | 000,462,942 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/09/25 22:39:52 | 000,078,570 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/09/16 16:59:14 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/09/14 15:32:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini

    ========== Files Created - No Company Name ==========

    [2012/10/13 19:25:37 | 000,000,512 | ---- | C] () -- C:\PhysicalMBR.bin
    [2012/09/01 22:13:02 | 000,000,436 | RHS- | C] () -- C:\Documents and Settings\admin\ntuser.pol
    [2012/08/30 20:28:11 | 000,062,976 | ---- | C] () -- C:\Documents and Settings\admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/07/08 18:53:30 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2012/06/25 17:24:01 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2011/10/18 20:57:05 | 000,014,051 | ---- | C] () -- C:\WINDOWS\System32\RaCoInst.dat
    [2011/10/18 01:32:15 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2011/10/18 01:25:44 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2011/10/17 18:15:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2011/10/17 18:09:41 | 000,141,240 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

    ========== ZeroAccess Check ==========

    [2012/09/12 00:23:24 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shdocvw.dll -- [2011/09/05 14:56:22 | 001,510,400 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 13:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 00:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== Custom Scans ==========

    < C:\WINDOWS\System32\WindowsPowerShell\*.* >

    < C:\WINDOWS\System32\winrm\*.* >

    < C:\Documents and Settings\admin\Local Settings\Application Data\ApplicationHistory\*.* >
    [2012/09/19 15:06:48 | 000,002,872 | ---- | M] () -- C:\Documents and Settings\admin\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini

    < C:\WINDOWS\$968930Uinstall_KB968930$\*.* >
    [2009/10/09 14:57:44 | 000,020,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe
    [2009/10/09 14:56:30 | 000,009,216 | ---- | M] () -- C:\WINDOWS\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe

    < %systemroot%\*. /mp /s >

    < C:\*.* >
    [2011/10/18 22:19:14 | 000,001,596 | ---- | M] () -- C:\aclient.cfg
    [2011/10/18 01:29:22 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2012/09/14 15:32:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini
    [2011/10/18 01:29:22 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2011/10/18 01:29:22 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2011/10/18 01:29:22 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008/04/14 00:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/04/14 00:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2012/10/13 19:18:44 | 792,723,456 | -HS- | M] () -- C:\pagefile.sys
    [2012/10/13 19:25:37 | 000,000,512 | ---- | M] () -- C:\PhysicalMBR.bin

    < End of report >


  • ASJ112


    How's it running now?


  • Potential-Monke


    The PC itself has always been fine; it's the USB that's still not good, and now the folders have disappeared again...

    Edit: And by checking to make sure I have hidden folders displayed, they suddenly have shown up again (I didn't change anything).

    @Karsini: That option is unticked also.


  • ASJ112


    Can you post any of the logs from Eset? Usually USB infections will show up in other areas of your PC, but they don't seem to from your logs.


  • Potential-Monke


    I can see the detected threats with the names of the folders in the log files, but how do I open/copy them to show you? When I click on them nothing happens. Here's a screenshot. There is an option to copy, but nothing happens when I click it.

    I've also included a screenshot of what the usb drive shows (with some names removed by me).


  • Potential-Monke


    Just found out how, but I don't know if it's exactly what you're looking for. This is the result of the On Demand Scan on the E drive when exported to a .txt:

    12/10/2012 21:18:20 E:\ 1918 0 0 Completed
    12/10/2012 21:17:18 E:\ 1918 0 0 Completed
    12/10/2012 21:00:02 E:\ 1918 0 0 Completed
    12/10/2012 20:51:33 E:\ 1925 5 0 Completed
    12/10/2012 18:02:53 C:\Documents and Settings\admin\My Documents\Downloads\AutoRunExterminator.exe 1 0 0 Completed

    This is what i got when i exported one of the detected threats:

    12/10/2012 20:53:51 Real-time file system protection file E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe Win32/AutoRun.KS worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
    12/10/2012 20:53:51 Real-time file system protection file E:\RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\system.exe Win32/AutoRun.KS worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
    12/10/2012 20:53:51 Real-time file system protection file E:\RECYCLER\Lcass.exe Win32/VB.NLI worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
    12/10/2012 20:52:45 Real-time file system protection file E:\.vbs VBS/AutoRun.G worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
    12/10/2012 20:50:43 Real-time file system protection file E:\Work Stuff.lnk Win32/Dorkbot.D worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\WINDOWS\explorer.exe.
    12/10/2012 20:50:43 Real-time file system protection file E:\XXXXX.lnk Win32/Dorkbot.D worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\WINDOWS\explorer.exe.
    12/10/2012 20:50:43 Real-time file system protection file E:\FOUND.000.lnk Win32/Dorkbot.D worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\WINDOWS\explorer.exe.
    12/10/2012 20:50:43 Real-time file system protection file E:\Clip.lnk Win32/Dorkbot.D worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\WINDOWS\explorer.exe.
    12/10/2012 20:50:43 Real-time file system protection file E:\XXX.lnk Win32/Dorkbot.D worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\WINDOWS\explorer.exe.
    12/10/2012 20:50:43 Real-time file system protection file E:\AUTORUN.INF.lnk Win32/Dorkbot.D worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\WINDOWS\explorer.exe.
    09/09/2012 20:29:48 Real-time file system protection file C:\Documents and Settings\admin\My Documents\Downloads\2BB.tmp Win32/Toolbar.SearchSuite potentially unwanted application deleted - quarantined ADMIN-E0AEA4CA9\admin Event occurred on a file modified by the application: C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe.



    I used XXX & XXXXX to replace the actual filenames.


  • ASJ112


    Plug in the USB key, open OTL, click the None button at the top, then copy and paste this into the custom scan/fixes box. You may want to edit the OTL log, as it will list everything on your USB key. Copy this in:


    E:\*.*
    E:\*.


    Click Run Scan and post the log.


  • Potential-Monke


    OTL logfile created on: 13/10/2012 21:08:14 - Run 3
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\admin\My Documents\Downloads
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    1015.48 Mb Total Physical Memory | 461.57 Mb Available Physical Memory | 45.45% Memory free
    1.64 Gb Paging File | 1.12 Gb Available in Paging File | 68.31% Paging File free
    Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.27 Gb Total Space | 23.99 Gb Free Space | 64.38% Space Free | Partition Type: NTFS
    Drive E: | 959.97 Mb Total Space | 492.42 Mb Free Space | 51.30% Space Free | Partition Type: FAT
    Drive F: | 849.72 Gb Total Space | 464.08 Gb Free Space | 54.62% Space Free | Partition Type: FAT32
    Drive G: | 81.66 Gb Total Space | 81.66 Gb Free Space | 100.00% Space Free | Partition Type: FAT32

    Computer Name: ADMIN-E0AEA4CA9 | User Name: admin | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

    ========== Custom Scans ==========

    < E:\*.* >
    [2012/10/12 08:14:04 | 000,002,812 | ---- | M] () -- E:\BOOTEX.LOG
    [2012/10/12 08:04:20 | 000,000,016 | -H-- | M] () -- E:\AUTORUN.INF
    [2012/04/18 21:19:14 | 000,079,872 | ---- | M] () -- E:\File Register.xls
    [2012/05/14 19:38:18 | 000,030,208 | ---- | M] () -- E:\X.doc
    [2012/10/06 00:27:00 | 000,118,272 | ---- | M] () -- E:\XX.doc
    [2012/03/16 15:22:38 | 000,022,016 | ---- | M] () -- E:\Kellogg.doc
    [2012/10/11 14:56:20 | 372,922,677 | ---- | M] () -- E:\BACKUP_20121011155442-000.tdb
    [2008/08/23 13:16:12 | 000,000,702 | -HS- | M] () -- E:\desktop.ini
    [2012/02/19 13:18:04 | 000,092,160 | ---- | M] () -- E:\Copy of XXX.doc
    [1 E:\*.tmp files -> E:\*.tmp -> ]

    < E:\*. >
    [2010/06/06 14:07:02 | 000,000,000 | -HSD | M] -- E:\FOUND.000
    [2012/02/13 04:12:44 | 000,000,000 | -HSD | M] -- E:\XXXX
    [2010/04/09 08:36:58 | 000,000,000 | -HSD | M] -- E:\XXXXX
    [2012/03/02 07:28:00 | 000,000,000 | -HSD | M] -- E:\Work Stuff
    [2008/10/15 10:47:58 | 000,000,000 | -HSD | M] -- E:\Clip

    < End of report >

    The ones from the *.* scan are what are visible, and the ones from the *. scan are the hidden ones I need. I can access the folders, but can't unhide them, and the work computers don't allow you to view hidden folders.

    Actually, could I copy all the files into newly created folders on my HDD, format the USB and put them back on? Or could I be copying over the malware too?
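    The two logs in this thread line up with the usual shortcut-worm pattern: ESET quarantined a same-named `.lnk` for every top-level folder on E: (plus executables under E:\RECYCLER\S-1-5-... and a root `.vbs`), and OTL's `< E:\*. >` listing shows those same folders with the attribute column `-HSD`, i.e. Hidden + System + Directory. The worm sets +H +S on the real folders and drops a shortcut with the folder's name beside each one; double-clicking the shortcut launches the hidden payload and then opens the real folder, so nothing looks wrong. Explorer hides +H+S folders while "Hide protected operating system files" is ticked, which is why the folders seem to come and go, and why `attrib` rather than an Explorer setting is what puts them back. The script below is an added example, not code from the thread, from OTL or from ESET: it parses the two log formats quoted above, correlates hidden+system folders with quarantined `.lnk` lures, lists the non-lure detections (the real payloads), and reports a hidden autorun.inf without judging it (it may be a leftover of the worm or a placeholder written by a vaccination tool). The sample lines are constructed to mirror the posted logs; the folder names "Photos" and "Invoices" are placeholders.

```python
"""Triage of a USB shortcut worm from an OTL listing and ESET detection lines.

Added example, not code from the thread, from OTL or from ESET. Input lines
are constructed to mirror the logs posted in the thread; "Photos" and
"Invoices" are placeholder folder names.
"""
import re
from dataclasses import dataclass

# OTL listing line, e.g.
#   [2012/10/12 08:04:20 | 000,000,016 | -H-- | M] () -- E:\AUTORUN.INF
#   [2010/06/06 14:07:02 | 000,000,000 | -HSD | M] -- E:\FOUND.000
# The attribute column has four fixed positions: R(ead-only) H(idden) S(ystem) D(irectory).
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[R-][H-][S-][D-]) \| (?P<flag>[CM])\](?: \([^)]*\))? -- (?P<path>.+)$"
)

# ESET real-time protection line:
#   "<date> <time> ... file <path> <Family/Variant> <kind> <action> - quarantined ..."
# The path must start with a drive letter so "Real-time file system" is not mistaken for it.
ESET_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) .*? file (?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>[A-Za-z0-9]+/[A-Za-z0-9.]+) "
    r"(?P<kind>worm|trojan|virus|potentially unwanted application) "
    r"(?P<action>.+?) - quarantined"
)


@dataclass
class Entry:
    path: str
    size: int
    hidden: bool
    system: bool
    is_dir: bool


@dataclass
class Detection:
    path: str
    threat: str
    action: str


def parse_otl(text):
    """Entries of an OTL custom-scan listing; headers and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if m:
            attr = m["attr"]
            entries.append(Entry(m["path"], int(m["size"].replace(",", "")),
                                 attr[1] == "H", attr[2] == "S", attr[3] == "D"))
    return entries


def parse_eset(text):
    """Detections from exported ESET real-time protection lines."""
    out = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if m:
            out.append(Detection(m["path"], m["threat"], m["action"]))
    return out


def triage(otl_text, eset_text):
    entries = parse_otl(otl_text)
    detections = parse_eset(eset_text)
    by_path = {d.path.lower(): d for d in detections}

    hijacked, unexplained = [], []
    for e in entries:
        if e.is_dir and e.hidden and e.system:
            # The worm's lure is "<folder>.lnk" sitting beside the hidden folder.
            if (e.path + ".lnk").lower() in by_path:
                hijacked.append(e.path)
            else:
                unexplained.append(e.path)   # hidden+system, but no matching lure seen

    lures = [d.path for d in detections if d.path.lower().endswith(".lnk")]
    # Anything quarantined that is not a .lnk lure is a payload or dropper
    # (the RECYCLER\S-1-5-... executables and the root .vbs in the thread).
    payloads = [(d.path, d.threat) for d in detections
                if not d.path.lower().endswith(".lnk")]
    # Reported, not judged: a hidden autorun.inf may be a worm leftover or a
    # vaccination placeholder; AutoRun on removable media is the vector either way.
    autorun = [(e.path, e.size, e.hidden) for e in entries
               if e.path.lower().endswith("\\autorun.inf")]
    return {"hijacked": hijacked, "unexplained": unexplained,
            "lures": lures, "payloads": payloads, "autorun_inf": autorun}


def attrib_commands(folders):
    """cmd.exe commands that clear Hidden and System on each hijacked folder,
    so it shows again on any PC regardless of Explorer's folder options."""
    return ['attrib -h -s "%s"' % p for p in folders]


# Constructed sample input modelled on the thread's OTL custom scan of E:\.
SAMPLE_OTL = r"""
< E:\*.* >
[2012/10/12 08:14:04 | 000,002,812 | ---- | M] () -- E:\BOOTEX.LOG
[2012/10/12 08:04:20 | 000,000,016 | -H-- | M] () -- E:\AUTORUN.INF
[2012/04/18 21:19:14 | 000,079,872 | ---- | M] () -- E:\File Register.xls
[2008/08/23 13:16:12 | 000,000,702 | -HS- | M] () -- E:\desktop.ini
[1 E:\*.tmp files -> E:\*.tmp -> ]

< E:\*. >
[2010/06/06 14:07:02 | 000,000,000 | -HSD | M] -- E:\FOUND.000
[2012/02/13 04:12:44 | 000,000,000 | -HSD | M] -- E:\Invoices
[2010/04/09 08:36:58 | 000,000,000 | -HSD | M] -- E:\Photos
[2012/03/02 07:28:00 | 000,000,000 | -HSD | M] -- E:\Work Stuff
[2008/10/15 10:47:58 | 000,000,000 | -HSD | M] -- E:\Clip
"""

# Constructed sample input modelled on the thread's exported ESET detections.
SAMPLE_ESET = r"""
12/10/2012 20:53:51 Real-time file system protection file E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe Win32/AutoRun.KS worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
12/10/2012 20:52:45 Real-time file system protection file E:\.vbs VBS/AutoRun.G worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
12/10/2012 20:50:43 Real-time file system protection file E:\Work Stuff.lnk Win32/Dorkbot.D worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\WINDOWS\explorer.exe.
12/10/2012 20:50:43 Real-time file system protection file E:\Photos.lnk Win32/Dorkbot.D worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\WINDOWS\explorer.exe.
12/10/2012 20:50:43 Real-time file system protection file E:\FOUND.000.lnk Win32/Dorkbot.D worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\WINDOWS\explorer.exe.
12/10/2012 20:50:43 Real-time file system protection file E:\Clip.lnk Win32/Dorkbot.D worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\WINDOWS\explorer.exe.
12/10/2012 20:50:43 Real-time file system protection file E:\AUTORUN.INF.lnk Win32/Dorkbot.D worm cleaned by deleting - quarantined ADMIN-E0AEA4CA9\admin Event occurred during an attempt to access the file by the application: C:\WINDOWS\explorer.exe.
"""

if __name__ == "__main__":
    report = triage(SAMPLE_OTL, SAMPLE_ESET)
    for key, value in report.items():
        print(key, value)
    print("\n".join(attrib_commands(report["hijacked"])))
```

    On the constructed sample the four folders with a matching quarantined lure (FOUND.000, Photos, Work Stuff, Clip) come back as hijacked, Invoices is reported as hidden+system with no lure seen, and the two non-`.lnk` detections are the payloads. The `attrib` lines are what to run from a command prompt on the stick; `attrib -h -s /s /d E:\*` does the same for everything at once (it also unhides the harmless desktop.ini). Copying only the documents off, formatting the stick and copying them back, as advised in the thread, remains the safer end state, since a `.lnk` or `.exe` that the scanner missed would otherwise ride along.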


  • ASJ112


    I'll try to answer as many questions as possible, then you can decide on what you want to do.

    But, after an hour, it kept finding the same autorun.inf file and never got round to actually deleting it.
    This can be a legit file; we can remove it, though, if you want to. It will get remade by legit programs that need it.


    ~WRL2386.tmp is a temp Word document file; bootex.log is a legit file too.

    I can access the folders, but can't unhide them, and the work computers don't allow you to view hidden folders.
    I'd run this program for that:

    http://www.bleepingcomputer.com/forums/topic405109.html

    Actually, could i copy all the files into newly created folders in my HDD, format the USB and put them back on? Or could i be copying over the malware too?
    That should be fine to do, and safe. Best course of action too, I'd say. Copy what you need and format it.


  • Potential-Monke


    Right, I'll go with the format route. Seems to be a strange bit of malware: there but not there, and won't go away!

    Thank you for all your help. I've got all the files back (that I'm aware of anyway, but most is better than none!). From reading the other threads, you deserve a medal and possibly some commission from OTL!

    Thanks again!

