Infected with Malware and Mutiple Stealth Objects

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Want a New HP LaserJet MFP? Trade in your old printer and receive $1,000 in savings!
Trade in your old printer and receive up to $1,000 in saving on a new HP LaserJet Multifunction Printer. Click here for savings!

BleepingComputer.com > Security > Virus, Trojan, Spyware, and Malware Removal Logs

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Infected with Malware and Mutiple Stealth Objects, Not sure how to fix

Options

tdm9183 View Member Profile	Oct 14 2009, 08:06 PM Post #1
New Member Group: Members Posts: 5 Joined: 14-October 09 Member No.: 390,086	I have Registry Hives that will not unload through Spy Bot SD(search & destroy). They re-appear when you restart the program. Its possible that this was a result of downloading software from the internet. I have my registry log from SpyBot SD where I noticed Startup Entries had been changed pointing to a file in my Docs. & Settings folder. I can only have CPU functionality booting in safe mode or SM with networking, still with many pop-ups. In normal boot mode you have to start explorer.exe through Task Manager, and the CPU is maxed out at 100% with explorer.exe using almost all resources. Nothing will open and there are many system errors. The only System Restore point is today's Date, and It has shanged the System Time & Date. Below, I have included my Registry Entries, DDS.txt, and Attach.txt. !!!!!!!!!!!!!!FROM SPYBOT SD REGISTRY LOG!!!!!!! Located: HK_CU:Run, A00F2AAEC.exe where: S-1-5-21-1659004503-963894560-1801674531-1007... command: C:\DOCUME~1\TROYDM~1\LOCALS~1\Temp\_A00F2AAEC.exe file: C:\DOCUME~1\TROYDM~1\LOCALS~1\Temp\_A00F2AAEC.exe size: 40448 MD5: 765CCDA3CC060C642FACAF7552CE68ED Located: WinLogon, __c007F03A command: C:\WINDOWS\system32\__c007F03A.dat file: C:\WINDOWS\system32\__c007F03A.dat size: 28160 MD5: 4B48D9496D35875B482C2A341EF6E2BD Located: WinLogon, crypt32chain command: crypt32.dll file: crypt32.dll size: 0 MD5: D41D8CD98F00B204E9800998ECF8427E Warning: if the file is actually larger than 0 bytes, the checksum could not be properly calculated! Located: WinLogon, cryptnet command: cryptnet.dll file: cryptnet.dll size: 0 MD5: D41D8CD98F00B204E9800998ECF8427E Warning: if the file is actually larger than 0 bytes, the checksum could not be properly calculated! !!!!!!!!!!!!!!!!!!!!!!!!!!DDS!!!!!!!!!!!!!!!!!!!!!!!!!!! DDS (Ver_09-10-13.01) - NTFSx86 NETWORK Run by Troy D Mobley at 19:07:21.25 on Wed 10/14/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.584 [GMT -4:00] AV: Norton Internet Security On-access scanning enabled (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Security enabled {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Troy D Mobley\My Documents\Downloads\dds(2).scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearchURL,(Default) = hxxp://www.google.com/keyword/%s mSearchAssistant = hxxp://www.google.com/ie BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [A00F2AAEC.exe] c:\docume~1\troydm~1\locals~1\temp\_A00F2AAEC.exe mRun: [dlcdmon.exe] "c:\program files\dell photo aio printer 944\dlcdmon.exe" mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 944\memcard.exe" mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe" mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207014635794 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll Notify: ace4902b684 - c:\windows\system32\cryptnet32.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: __c007F03A - c:\windows\system32\__c007F03A.dat AppInit_DLLs: c:\windows\system32\cryptnet32.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\troydm~1\applic~1\mozilla\firefox\profiles\erz876c0.default\ FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll FF - plugin: c:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ ============= SERVICES / DRIVERS =============== R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-9 310320] S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-9 259632] S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-9 482432] S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090916.003\IDSXpx86.sys [2009-9-16 329080] S2 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;c:\cfusionmx7\runtime\bin\jrunsvc.exe [2005-12-3 61440] S2 ColdFusion MX 7 ODBC Agent;ColdFusion MX 7 ODBC Agent;c:\cfusionmx7\db\slserver54\bin\swagent.exe "coldfusion mx 7 odbc agent" --> c:\cfusionmx7\db\slserver54\bin\swagent.exe ColdFusion MX 7 ODBC Agent [?] S2 ColdFusion MX 7 ODBC Server;ColdFusion MX 7 ODBC Server;c:\cfusionmx7\db\slserver54\bin\swstrtr.exe "coldfusion mx 7 odbc server" --> c:\cfusionmx7\db\slserver54\bin\swstrtr.exe ColdFusion MX 7 ODBC Server [?] S2 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;c:\cfusionmx7\verity\k2\_nti40\bin\k2admin.exe [2005-12-3 2732608] S2 gupdate1c9741bb9a14424;Google Update Service (gupdate1c9741bb9a14424);c:\program files\google\update\GoogleUpdate.exe [2009-1-11 133104] S2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-9-9 117640] S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-19 24652] S3 ATIXPGAA;ATIXPGAA;c:\dell\drivers\r75495\atixpgaa.sys [2009-1-28 11648] S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\drivers\DrmRDriverV32.sys [2007-9-7 513152] S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448] S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\common files\intuit\fuse\service\Intuit Fuse Service.exe [2005-12-5 72704] S3 Ldafpero;Ldafpero; [x] S3 SNDP202;Dual Mode Camera 8008 VGA+;c:\windows\system32\drivers\sndp202.sys [2006-4-9 227072] S4 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?] =============== Created Last 30 ================ 2009-10-14 18:32 <DIR> --d----- C:\HJT 2009-10-14 18:22 25,600 a------- c:\windows\system32\__c002BD56.dat 2009-10-14 17:36 <DIR> --d----- c:\program files\Trend Micro 2009-10-14 17:24 25,600 a------- c:\windows\system32\__c007ABED.dat 2009-10-14 17:24 615 a------- c:\windows\system32\Axgpf.vbs 2009-10-01 23:21 28,160 -------- c:\windows\system32\apdhrjyj.kak 2009-09-30 13:22 0 a------- c:\windows\system32\2B.tmp 2009-09-30 13:22 0 a------- c:\windows\system32\2A.tmp 2009-09-30 12:25 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf 2009-09-29 22:48 28,160 -------- c:\windows\system32\__c007F03A.dat 2009-09-28 06:33 0 a------- c:\windows\system32\1752.tmp 2009-09-28 06:33 0 a------- c:\windows\system32\1751.tmp 2009-09-27 16:14 <DIR> --d----- c:\docume~1\troydm~1\applic~1\RGSystemFonts 2009-09-27 16:14 <DIR> --d----- c:\docume~1\troydm~1\applic~1\TagControl 2009-09-27 16:14 <DIR> --d----- c:\program files\Abander TagControl 2009-09-27 10:41 18,692 a------- c:\windows\GnuHashes.ini 2009-09-27 10:33 <DIR> --dsh--- c:\windows\system32\LocalService 2009-09-27 10:33 119,296 a------- c:\windows\system32\cryptnet32.dll ==================== Find3M ==================== 2009-10-14 17:23 1,651 a--sh--- c:\windows\system32\GroupPolicy000.dat 2009-09-09 18:26 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS 2009-09-09 18:26 60,808 a------- c:\windows\system32\S32EVNT1.DLL 2009-09-09 18:26 7,456 a------- c:\windows\system32\drivers\SYMEVENT.CAT 2009-09-09 18:26 806 a------- c:\windows\system32\drivers\SYMEVENT.INF 2009-08-22 03:21 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys 2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll 2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll 2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll 2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe 2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll 2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll 2005-11-29 18:15 31,358,784 a------- c:\program files\NAV061200_2YR.exe 2008-12-09 07:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120920081210\index.dat ============= FINISH: 19:11:22.14 =============== Attached File(s) Attach.txt ( 11.33k ) Number of downloads: 0

Buckeye_Sam View Member Profile	Oct 15 2009, 10:15 AM Post #2
Malware Expert Group: Malware Response Team Posts: 17,382 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process. Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1 alternate download link 2 Make sure you are connected to the Internet. Double-click on Download_mbam-setup.exe to install the application. When the installation begins, follow the prompts and do not make any changes to default settings. When installation has finished, make sure you leave both of these checked: Update Malwarebytes' Anti-Malware Launch Malwarebytes' Anti-Malware Then click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. On the Scanner tab: Make sure the "Perform Quick Scan" option is selected. Then click on the Scan button. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found". Click OK to close the message box and continue with the removal process. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found. Make sure that *everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of that report in your next reply and exit MBAM. Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware. We need to create an OTL Report Please download OTL from here Save it to your desktop. Double click on the icon on your desktop. Click the "Scan All Users" checkbox. Under the Custom Scan box paste this in netsvcs %SYSTEMDRIVE%\.exe %systemroot%\system32\eventlog.dll %systemroot%\system32\scecli.dll %systemroot%\netlogon.dll %systemroot%\system32\cngaudit.dll %systemroot%\system32\sceclt.dll %systemroot%\ntelogon.dll %systemroot%\system32\logevent.dll Click the "Quick Scan" button. The scan should take just a few minutes. Please copy and paste both logs back here in your next reply. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware.* Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

Buckeye_Sam View Member Profile	Oct 16 2009, 09:18 AM Post #4
Malware Expert Group: Malware Response Team Posts: 17,382 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	Please uninstall these programs: Viewpoint Media Player J2SE Runtime Environment 5.0 Update 6 ================ Run OTL.exe Under the Custom Scans/Fixes box at the bottom, paste in the following CODE :OTL O20 - Winlogon\Notify\ace4902b684: DllName - C:\WINDOWS\System32\cryptnet32.dll - C:\WINDOWS\System32\cryptnet32.dll File not found O20 - AppInit_DLLs: (C:\WINDOWS\System32\cryptnet32.dll) - C:\WINDOWS\System32\cryptnet32.dll File not found O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No CLSID value found. O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - No CLSID value found. :Files C:\WINDOWS\System32\FYiuX.vbs C:\WINDOWS\System32\.tmp C:\WINDOWS\.tmp :Commands [purity] [emptytemp] [Reboot] Then click the Run Fix button at the top Let the program run unhindered, reboot when it is done You will get a log that shows the results of the fix. Please post it. Then also run and post a new OTL log. ===================== Please run a free online scan with the ESET Online Scanner *Note*: You will need to use Internet Explorer for this scan Tick the box next to YES, I accept the Terms of Use Click Start When asked, allow the ActiveX control to install Click Start Make sure that the options Remove found threats and the option Scan unwanted applications is checked Click Scan (This scan can take several hours, so please be patient) Once the scan is completed, you may close the window Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt Copy and paste that log as a reply to this topic -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

tdm9183 View Member Profile	Oct 16 2009, 11:33 PM Post #5
New Member Group: Members Posts: 5 Joined: 14-October 09 Member No.: 390,086	All processes killed ========== OTL ========== Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ace4902b684\ not found. Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\System32\cryptnet32.dll scheduled to be deleted on reboot. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\ not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CA3D70E-1895-11CF-8E15-001234567890}\ not found. ========== FILES ========== C:\WINDOWS\System32\FYiuX.vbs moved successfully. C:\WINDOWS\System32\CONFIG.TMP moved successfully. C:\WINDOWS\System32\SET158.tmp moved successfully. C:\WINDOWS\System32\SET3B.tmp moved successfully. C:\WINDOWS\System32\SET54.tmp moved successfully. C:\WINDOWS\System32\SET60.tmp moved successfully. C:\WINDOWS\System32\SET69.tmp moved successfully. C:\WINDOWS\System32\SET6A.tmp moved successfully. C:\WINDOWS\System32\SET6B.tmp moved successfully. C:\WINDOWS\System32\SET6E.tmp moved successfully. C:\WINDOWS\System32\setb0.tmp moved successfully. C:\WINDOWS\System32\SETD.tmp moved successfully. C:\WINDOWS\003171_.tmp moved successfully. C:\WINDOWS\DUMP4371.tmp moved successfully. C:\WINDOWS\msdownld.tmp moved successfully. C:\WINDOWS\SET3.tmp moved successfully. C:\WINDOWS\SET4.tmp moved successfully. C:\WINDOWS\SET8.tmp moved successfully. ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes User: Dick Lavoie ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 90470140 bytes ->Java cache emptied: 1537200 bytes User: LocalService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 2969005 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 864898 bytes User: Rhonda Mobley ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 46450437 bytes User: T- Mob ->Temp folder emptied: 7976 bytes ->Temporary Internet Files folder emptied: 6779553 bytes User: Troy D Mobley ->Temp folder emptied: 15582429 bytes File delete failed. C:\Documents and Settings\Troy D Mobley\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. ->Temporary Internet Files folder emptied: 76450984 bytes ->Java cache emptied: 24030554 bytes File delete failed. C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\Mozilla\Firefox\Profiles\erz876c0.default\Cache\_CACHE_001_ scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\Mozilla\Firefox\Profiles\erz876c0.default\Cache\_CACHE_002_ scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\Mozilla\Firefox\Profiles\erz876c0.default\Cache\_CACHE_003_ scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\Mozilla\Firefox\Profiles\erz876c0.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\Mozilla\Firefox\Profiles\erz876c0.default\urlclassifier3.sqlite scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\Mozilla\Firefox\Profiles\erz876c0.default\XUL.mfl scheduled to be deleted on reboot. ->FireFox cache emptied: 48325990 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes File delete failed. C:\WINDOWS\temp\hsperfdata_SYSTEM\1968 scheduled to be deleted on reboot. Windows Temp folder emptied: 98787 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 299.07 mb OTL by OldTimer - Version 3.0.21.0 log created on 10162009_223729 Files\Folders moved on Reboot... C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\Mozilla\Firefox\Profiles\erz876c0.default\Cache\_CACHE_001_ moved successfully. C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\Mozilla\Firefox\Profiles\erz876c0.default\Cache\_CACHE_002_ moved successfully. C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\Mozilla\Firefox\Profiles\erz876c0.default\Cache\_CACHE_003_ moved successfully. C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\Mozilla\Firefox\Profiles\erz876c0.default\Cache\_CACHE_MAP_ moved successfully. C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\Mozilla\Firefox\Profiles\erz876c0.default\urlclassifier3.sqlite moved successfully. C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\Mozilla\Firefox\Profiles\erz876c0.default\XUL.mfl moved successfully. File\Folder C:\WINDOWS\temp\hsperfdata_SYSTEM\1968 not found! Registry entries deleted on Reboot... Registry delete failed. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\System32\cryptnet32.dll scheduled to be deleted on reboot. OTL logfile created on: 10/16/2009 10:49:22 PM - Run 3 OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\Troy D Mobley\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.11) Locale: 00000409 \| Country: United States \| Language: ENU \| Date Format: M/d/yyyy 1023.21 Mb Total Physical Memory \| 699.68 Mb Available Physical Memory \| 68.38% Memory free 2.86 Gb Paging File \| 2.71 Gb Available in Paging File \| 94.77% Paging File free Paging file location(s): C:\pagefile.sys 2000 4000 [binary data] %SystemDrive% = C: \| %SystemRoot% = C:\WINDOWS \| %ProgramFiles% = C:\Program Files Drive C: \| 74.49 Gb Total Space \| 42.07 Gb Free Space \| 56.48% Space Free \| Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: XPSLAPTOP Current User Name: Troy D Mobley Logged in as Administrator. Current Boot Mode: SafeMode with Networking Scan Mode: All users Company Name Whitelist: On Skip Microsoft Files: On File Age = 14 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2009/10/15 18:40:34 \| 00,521,216 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Troy D Mobley\Desktop\OTL.exe PRC - [2009/08/24 16:15:03 \| 00,908,280 \| ---- \| M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe PRC - [2008/04/13 20:12:29 \| 00,069,120 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\notepad.exe PRC - [2008/04/13 20:12:19 \| 01,033,728 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE ========== Win32 Services (SafeList) ========== SRV - File not found -- -- (Ldafpero [On_Demand \| Stopped]) SRV - [2009/08/22 03:21:19 \| 00,117,640 \| R--- \| M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe -- (Norton Internet Security [Auto \| Stopped]) SRV - [2009/07/25 05:23:10 \| 00,153,376 \| ---- \| M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto \| Stopped]) SRV - [2009/02/12 22:32:03 \| 00,133,104 \| ---- \| M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9741bb9a14424 [Auto \| Stopped]) SRV - [2009/01/06 14:06:24 \| 00,536,872 \| ---- \| M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand \| Stopped]) SRV - [2008/11/10 13:23:50 \| 05,117,568 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc [Auto \| Stopped]) SRV - [2008/11/10 13:23:42 \| 00,243,840 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\System32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc [On_Demand \| Stopped]) SRV - [2008/11/10 13:23:38 \| 00,060,032 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\System32\ZuneBusEnum.exe -- (ZuneBusEnum [Auto \| Stopped]) SRV - [2008/11/07 15:28:16 \| 00,132,424 \| ---- \| M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto \| Stopped]) SRV - [2008/08/29 10:18:44 \| 00,238,888 \| ---- \| M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Disabled \| Stopped]) SRV - [2008/07/29 21:10:04 \| 00,046,104 \| ---- \| M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand \| Stopped]) SRV - [2008/07/29 19:24:50 \| 00,881,664 \| ---- \| M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown \| Stopped]) SRV - [2008/07/29 19:16:38 \| 00,132,096 \| ---- \| M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled \| Stopped]) SRV - [2008/07/25 11:17:02 \| 00,069,632 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand \| Stopped]) SRV - [2008/07/25 11:16:40 \| 00,034,312 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand \| Stopped]) SRV - [2008/04/13 20:12:02 \| 00,038,400 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto \| Running]) SRV - [2007/07/13 17:51:25 \| 01,174,152 \| ---- \| M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC [Auto \| Stopped]) SRV - [2006/10/18 20:05:24 \| 00,913,408 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Auto \| Stopped]) SRV - [2006/06/29 13:12:34 \| 00,376,832 \| ---- \| M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe -- (NICCONFIGSVC [Auto \| Stopped]) SRV - [2005/12/19 10:08:30 \| 00,018,944 \| ---- \| M] () -- C:\WINDOWS\System32\wltrysvc.exe -- (WLTRYSVC [Disabled \| Stopped]) SRV - [2005/12/07 14:07:38 \| 00,072,704 \| ---- \| M] (Intuit) -- C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe -- (Intuit Fuse Service [On_Demand \| Stopped]) SRV - [2005/12/05 19:18:25 \| 00,072,704 \| ---- \| M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand \| Stopped]) SRV - [2005/12/02 16:51:14 \| 00,069,632 \| ---- \| M] (Macromedia) -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service [On_Demand \| Stopped]) SRV - [2005/10/28 08:41:52 \| 00,491,520 \| ---- \| M] ( ) -- C:\WINDOWS\System32\dlcdcoms.exe -- (dlcd_device [Disabled \| Stopped]) SRV - [2005/09/09 18:06:43 \| 00,061,440 \| ---- \| M] (Macromedia Inc.) -- C:\CFusionMX7\runtime\bin\jrunsvc.exe -- (ColdFusion MX 7 Application Server [Auto \| Stopped]) SRV - [2005/06/29 11:16:36 \| 02,732,608 \| ---- \| M] (Verity, Inc.) -- C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe -- (ColdFusion MX 7 Search Server [Auto \| Stopped]) SRV - [2005/04/04 19:58:28 \| 00,163,840 \| ---- \| M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe -- (Adobe Version Cue CS2 [On_Demand \| Stopped]) SRV - [2003/12/22 17:42:06 \| 00,393,216 \| ---- \| M] () -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Disabled \| Stopped]) SRV - [2003/10/02 16:37:26 \| 00,118,853 \| ---- \| M] () -- C:\CFusionMX7\db\slserver54\bin\swstrtr.exe -- (ColdFusion MX 7 ODBC Server [Auto \| Stopped]) SRV - [2003/10/02 16:37:24 \| 00,733,253 \| ---- \| M] () -- C:\CFusionMX7\db\slserver54\bin\swagent.exe -- (ColdFusion MX 7 ODBC Agent [Auto \| Stopped]) SRV - [2003/07/28 13:28:22 \| 00,089,136 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand \| Stopped]) SRV - [2003/06/20 00:25:00 \| 00,322,120 \| ---- \| M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto \| Stopped]) SRV - [1999/12/12 13:01:00 \| 00,044,032 \| ---- \| M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTsvcCDA.EXE -- (Creative Service for CDROM Access [Auto \| Stopped]) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 02 04 C3 05 6D 66 7D 49 89 0F 67 17 60 70 04 E7 [binary data] IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 02 04 C3 05 6D 66 7D 49 89 0F 67 17 60 70 04 E7 [binary data] IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 02 04 C3 05 6D 66 7D 49 89 0F 67 17 60 70 04 E7 [binary data] IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 02 04 C3 05 6D 66 7D 49 89 0F 67 17 60 70 04 E7 [binary data] IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1 IE - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com IE - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google IE - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8 IE - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ IE - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 02 04 C3 05 6D 66 7D 49 89 0F 67 17 60 70 04 E7 [binary data] IE - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\S-1-5-21-1659004503-963894560-1801674531-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1 FF - prefs.js..extensions.enabledItems: {8545daff-ad1e-493f-a37e-eed1ac79682b}:1.0 FF - prefs.js..extensions.enabledItems: {7BA52691-1876-45ce-9EE6-54BCB3B04BBC}:3.7 FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.11 FF - prefs.js..extensions.enabledItems: {e0fb9f6f-a5db-4809-8287-0c18860a8f7f}:1.0 FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3 FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/04/05 22:41:22 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/11 21:02:07 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/30 21:18:29 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/16 22:02:48 \| 00,000,000 \| ---D \| M] [2009/09/30 21:18:54 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\mozilla\Extensions [2009/09/30 21:18:54 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2009/04/05 22:42:48 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\mozilla\Extensions\mozswing@mozswing.org [2009/10/16 22:35:47 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\mozilla\Firefox\Profiles\erz876c0.default\extensions [2009/10/01 16:24:59 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\mozilla\Firefox\Profiles\erz876c0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2009/10/14 18:07:30 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\mozilla\Firefox\Profiles\erz876c0.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232} [2009/10/15 16:52:59 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\mozilla\Firefox\Profiles\erz876c0.default\extensions\{e0fb9f6f-a5db-4809-8287-0c18860a8f7f} [2009/10/15 16:55:20 \| 00,000,000 \| ---D \| M] -- C:\Program Files\mozilla firefox\extensions [2009/09/30 20:37:28 \| 00,000,000 \| ---D \| M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2009/08/24 16:15:25 \| 00,023,544 \| ---- \| M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll [2009/08/24 16:15:26 \| 00,137,208 \| ---- \| M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll [2009/08/24 16:15:27 \| 00,065,016 \| ---- \| M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll [2009/08/24 14:45:46 \| 00,001,394 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml [2009/08/24 14:45:46 \| 00,002,193 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml [2009/08/24 14:45:46 \| 00,001,534 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml [2009/08/24 14:45:46 \| 00,002,344 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml [2009/08/24 14:45:46 \| 00,002,371 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml [2009/09/30 20:39:25 \| 00,002,221 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\SafeSearch.xml [2009/08/24 14:45:46 \| 00,001,178 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml [2009/08/24 14:45:46 \| 00,000,792 \| ---- \| M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml O1 HOSTS File: (344967 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: 127.0.0.1 www.007guard.com O1 - Hosts: 127.0.0.1 007guard.com O1 - Hosts: 127.0.0.1 008i.com O1 - Hosts: 127.0.0.1 www.008k.com O1 - Hosts: 127.0.0.1 008k.com O1 - Hosts: 127.0.0.1 www.00hq.com O1 - Hosts: 127.0.0.1 00hq.com O1 - Hosts: 127.0.0.1 010402.com O1 - Hosts: 127.0.0.1 www.032439.com O1 - Hosts: 127.0.0.1 032439.com O1 - Hosts: 127.0.0.1 www.100888290cs.com O1 - Hosts: 127.0.0.1 100888290cs.com O1 - Hosts: 127.0.0.1 www.100sexlinks.com O1 - Hosts: 127.0.0.1 100sexlinks.com O1 - Hosts: 127.0.0.1 www.10sek.com O1 - Hosts: 127.0.0.1 10sek.com O1 - Hosts: 127.0.0.1 www.123topsearch.com O1 - Hosts: 127.0.0.1 123topsearch.com O1 - Hosts: 127.0.0.1 www.132.com O1 - Hosts: 127.0.0.1 132.com O1 - Hosts: 127.0.0.1 www.136136.net O1 - Hosts: 127.0.0.1 136136.net O1 - Hosts: 127.0.0.1 www.163ns.com O1 - Hosts: 127.0.0.1 163ns.com O1 - Hosts: 11826 more lines... O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll (Symantec Corporation) O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL (Symantec Corporation) O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll (Symantec Corporation) O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O3 - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O3 - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O3 - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll (Symantec Corporation) O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe (Dell Inc.) O4 - HKLM..\Run: [ClamWin] C:\Program Files\ClamWin\bin\ClamTray.exe (alch) O4 - HKLM..\Run: [dlcdmon.exe] C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe (Dell) O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.) O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.EXE (Logitech Inc.) O4 - HKLM..\Run: [KernelFaultCheck] File not found O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 944\memcard.exe () O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation) O4 - HKU\S-1-5-21-1659004503-963894560-1801674531-1007..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.) O4 - HKU\S-1-5-21-1659004503-963894560-1801674531-1007..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com) O4 - HKLM..\RunOnce: [OTL] C:\Documents and Settings\Troy D Mobley\Desktop\OTL.exe (OldTimer Tools) O4 - HKU\S-1-5-21-1659004503-963894560-1801674531-1007..\RunOnce: [SpybotDeletingB3392] C:\WINDOWS\System32\command.com () O4 - HKU\S-1-5-21-1659004503-963894560-1801674531-1007..\RunOnce: [SpybotDeletingD271] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0 O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated) O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll (Sun Microsystems, Inc.) O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O15 - HKLM\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKU\.DEFAULT\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKU\S-1-5-18\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone. O15 - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\..Trusted Domains: aol.com ([objects] * is out of zone range - 5) O15 - HKU\S-1-5-21-1659004503-963894560-1801674531-1007\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone. O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class) O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab (QuickTime Object) O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://active.macromedia.com/director/cabs/sw.cab (Shockwave ActiveX Control) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b...heckControl.cab (Windows Genuine Advantage Validation Tool) O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} Reg Error: Value error. (Scanner.SysScanner) O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} Reg Error: Value error. (MySpace Uploader Control) O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} http://www.slide.com/uploader/SlideImageUploader.cab (Slide Image Uploader Control) O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} Reg Error: Value error. (System Requirements Lab Class) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1207014635794 (MUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} Reg Error: Value error. (Reg Error: Key error.) O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} Reg Error: Value error. (MySpace Uploader Control) O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object) O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} Reg Error: Value error. (GpcContainer Class) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} Reg Error: Value error. (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.) O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ipp - No CLSID value found O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp - No CLSID value found O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll (Symantec Corporation) O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation) O20 - HKU\S-1-5-21-1659004503-963894560-1801674531-1007 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O24 - Desktop Components:0 (My Current Home Page) - About:Home O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2005/11/29 17:28:33 \| 00,000,000 \| ---- \| M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O33 - MountPoints2\{0cba0afd-51f2-11dd-a458-000f1f0c02e6}\Shell - "" = AutoRun O33 - MountPoints2\{0cba0afd-51f2-11dd-a458-000f1f0c02e6}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{0cba0afd-51f2-11dd-a458-000f1f0c02e6}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found O33 - MountPoints2\{11c3710f-9da8-11de-a511-00904b760f6a}\Shell - "" = AutoRun O33 - MountPoints2\{11c3710f-9da8-11de-a511-00904b760f6a}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{11c3710f-9da8-11de-a511-00904b760f6a}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found O33 - MountPoints2\{61eb4a30-9151-11db-a283-00038a000015}\Shell - "" = AutoRun O33 - MountPoints2\{61eb4a30-9151-11db-a283-00038a000015}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{61eb4a30-9151-11db-a283-00038a000015}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found O33 - MountPoints2\{61eb4a31-9151-11db-a283-00038a000015}\Shell\AutoRun\command - "" = H:\setupSNK.exe -- File not found O33 - MountPoints2\{75efeb14-76dc-11dc-a397-00038a000015}\Shell - "" = AutoRun O33 - MountPoints2\{75efeb14-76dc-11dc-a397-00038a000015}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{75efeb14-76dc-11dc-a397-00038a000015}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found O33 - MountPoints2\{dee48666-3dfc-11dc-a351-00038a000015}\Shell\AutoRun\command - "" = G:\setupSNK.exe -- File not found O33 - MountPoints2\E\Shell - "" = AutoRun O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found O34 - HKLM BootExecute: (autocheck) - File not found O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation) O34 - HKLM BootExecute: () - File not found O34 - HKLM BootExecute: (sprecovr) - File not found O34 - HKLM BootExecute: (\SystemRoot\sprecovr.txt) - C:\WINDOWS\sprecovr.txt File not found O35 - comfile [open] -- "%1" % File not found O35 - exefile [open] -- "%1" %* File not found ========== Files/Folders - Created Within 14 Days ========== [2009/10/15 17:11:58 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2009/10/16 22:11:03 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com [2009/10/15 17:12:06 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Troy D Mobley\Application Data\Malwarebytes [2009/10/16 22:27:22 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Troy D Mobley\Application Data\SUPERAntiSpyware.com [2009/10/15 00:27:38 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Common Files\ODBC [2009/10/15 17:11:57 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Malwarebytes' Anti-Malware [2009/10/16 22:10:32 \| 00,000,000 \| ---D \| C] -- C:\Program Files\SUPERAntiSpyware [2009/10/14 17:36:01 \| 00,000,000 \| ---D \| C] -- C:\Program Files\Trend Micro [2009/10/16 22:37:29 \| 00,000,000 \| ---D \| C] -- C:\_OTL [2009/10/16 22:11:33 \| 00,000,000 \| -HSD \| C] -- C:\Config.Msi [2009/10/15 18:40:33 \| 00,521,216 \| ---- \| C] (OldTimer Tools) -- C:\Documents and Settings\Troy D Mobley\Desktop\OTL.exe [2009/10/15 17:11:59 \| 00,038,224 \| ---- \| C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2009/10/15 17:11:57 \| 00,019,160 \| ---- \| C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2009/10/15 17:10:16 \| 04,045,544 \| ---- \| C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Troy D Mobley\Desktop\mbam-setup.exe [2009/10/14 23:19:24 \| 00,000,000 \| ---D \| C] -- C:\VundoFix Backups [2009/10/14 19:38:41 \| 00,000,000 \| -H-D \| C] -- C:\WINDOWS\System32\GroupPolicy [2009/10/14 18:32:42 \| 00,000,000 \| ---D \| C] -- C:\HJT [2006/05/16 21:23:43 \| 00,638,976 \| ---- \| C] ( ) -- C:\WINDOWS\System32\dlcdpmui.dll [2006/05/16 21:23:41 \| 00,413,696 \| ---- \| C] ( ) -- C:\WINDOWS\System32\dlcdcomm.dll [2006/05/16 21:23:41 \| 00,114,688 \| ---- \| C] ( ) -- C:\WINDOWS\System32\dlcdpplc.dll [2006/05/16 21:23:40 \| 01,134,592 \| ---- \| C] ( ) -- C:\WINDOWS\System32\dlcdusb1.dll [2006/05/16 21:23:40 \| 00,483,328 \| ---- \| C] ( ) -- C:\WINDOWS\System32\dlcdlmpm.dll [2006/05/16 21:23:39 \| 00,774,144 \| ---- \| C] ( ) -- C:\WINDOWS\System32\dlcdhbn3.dll [2006/05/16 21:23:39 \| 00,155,648 \| ---- \| C] ( ) -- C:\WINDOWS\System32\dlcdprox.dll [2006/05/16 21:23:38 \| 01,183,744 \| ---- \| C] ( ) -- C:\WINDOWS\System32\dlcdserv.dll [2006/05/16 21:23:38 \| 00,704,512 \| ---- \| C] ( ) -- C:\WINDOWS\System32\dlcdcomc.dll [2006/04/29 06:07:48 \| 00,290,816 \| ---- \| C] ( ) -- C:\WINDOWS\System32\Interop.WMPLib.dll ========== Files - Modified Within 14 Days ========== [2009/10/16 22:46:19 \| 00,002,206 \| ---- \| M] () -- C:\WINDOWS\System32\wpa.dbl [2009/10/16 22:45:40 \| 00,002,048 \| --S- \| M] () -- C:\WINDOWS\bootstat.dat [2009/10/16 22:20:03 \| 00,000,886 \| ---- \| M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2009/10/16 22:16:32 \| 00,000,236 \| ---- \| M] () -- C:\WINDOWS\tasks\OGALogon.job [2009/10/16 22:16:31 \| 00,000,882 \| ---- \| M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2009/10/16 22:16:17 \| 00,000,006 \| -H-- \| M] () -- C:\WINDOWS\tasks\SA.DAT [2009/10/16 22:10:47 \| 00,000,796 \| ---- \| M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk [2009/10/16 21:56:03 \| 00,528,758 \| ---- \| M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2009/10/16 21:56:03 \| 00,446,870 \| ---- \| M] () -- C:\WINDOWS\System32\perfh009.dat [2009/10/16 21:56:03 \| 00,072,606 \| ---- \| M] () -- C:\WINDOWS\System32\perfc009.dat [2009/10/16 21:47:57 \| 00,001,393 \| ---- \| M] () -- C:\WINDOWS\imsins.BAK [2009/10/15 18:40:34 \| 00,521,216 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Troy D Mobley\Desktop\OTL.exe [2009/10/15 17:12:02 \| 00,000,712 \| ---- \| M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2009/10/15 17:10:26 \| 04,045,544 \| ---- \| M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Troy D Mobley\Desktop\mbam-setup.exe [2009/10/15 17:08:56 \| 00,003,009 \| -HS- \| M] () -- C:\Documents and Settings\Troy D Mobley\Application Data\02000000f4868d12684P.manifest [2009/10/15 16:53:03 \| 00,000,722 \| -HS- \| M] () -- C:\Documents and Settings\Troy D Mobley\Application Data\02000000f4868d12684O.manifest [2009/10/15 16:49:24 \| 00,005,609 \| -HS- \| M] () -- C:\Documents and Settings\Troy D Mobley\Application Data\02000000f4868d12684C.manifest [2009/10/15 16:48:55 \| 00,000,011 \| -HS- \| M] () -- C:\Documents and Settings\Troy D Mobley\Application Data\02000000f4868d12684S.manifest [2009/10/15 00:42:32 \| 00,001,355 \| ---- \| M] () -- C:\WINDOWS\wininit.ini [2009/10/14 21:33:28 \| 00,344,967 \| R--- \| M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2009/10/14 17:36:02 \| 00,001,750 \| ---- \| M] () -- C:\Documents and Settings\Troy D Mobley\Desktop\HijackThis.lnk ========== Files - No Company Name ========== [2009/10/16 22:10:47 \| 00,000,796 \| ---- \| C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk [2009/10/15 17:12:02 \| 00,000,712 \| ---- \| C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2009/10/14 17:36:02 \| 00,001,750 \| ---- \| C] () -- C:\Documents and Settings\Troy D Mobley\Desktop\HijackThis.lnk [2009/09/27 10:33:24 \| 00,005,609 \| -HS- \| C] () -- C:\Documents and Settings\Troy D Mobley\Application Data\02000000f4868d12684C.manifest [2009/09/27 10:33:24 \| 00,000,722 \| -HS- \| C] () -- C:\Documents and Settings\Troy D Mobley\Application Data\02000000f4868d12684O.manifest [2009/09/27 10:33:24 \| 00,000,011 \| -HS- \| C] () -- C:\Documents and Settings\Troy D Mobley\Application Data\02000000f4868d12684S.manifest [2009/09/27 10:33:23 \| 00,003,009 \| -HS- \| C] () -- C:\Documents and Settings\Troy D Mobley\Application Data\02000000f4868d12684P.manifest [2009/08/03 15:07:42 \| 00,403,816 \| ---- \| C] () -- C:\WINDOWS\System32\OGACheckControl.dll [2009/06/01 17:22:39 \| 00,003,012 \| -HS- \| C] () -- C:\Documents and Settings\Troy D Mobley\Application Data\ace4902b684P.manifest [2009/06/01 17:22:39 \| 00,001,858 \| -HS- \| C] () -- C:\Documents and Settings\Troy D Mobley\Application Data\ace4902b684C.manifest [2009/01/28 22:32:06 \| 00,000,004 \| -H-- \| C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare [2009/01/28 22:27:55 \| 00,757,760 \| ---- \| C] () -- C:\WINDOWS\System32\bcm1xsup.dll [2009/01/28 22:27:54 \| 00,086,016 \| ---- \| C] () -- C:\WINDOWS\System32\preflib.dll [2008/11/06 12:37:32 \| 03,596,288 \| ---- \| C] () -- C:\WINDOWS\System32\qt-dx331.dll [2008/11/06 12:34:00 \| 00,000,416 \| ---- \| C] () -- C:\WINDOWS\System32\dtu100.dll.manifest [2008/11/06 12:34:00 \| 00,000,416 \| ---- \| C] () -- C:\WINDOWS\System32\dpl100.dll.manifest [2008/11/06 12:33:02 \| 00,012,288 \| ---- \| C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll [2008/07/22 22:13:06 \| 00,002,528 \| ---- \| C] () -- C:\Documents and Settings\Troy D Mobley\Application Data\$_hpcst$.hpc [2008/02/07 00:17:30 \| 00,000,002 \| ---- \| C] () -- C:\WINDOWS\msoffice.ini [2007/12/27 22:31:22 \| 00,000,136 \| ---- \| C] () -- C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\fusioncache.dat [2007/12/17 00:23:24 \| 00,001,024 \| ---- \| C] () -- C:\Documents and Settings\Troy D Mobley\Application Data\WavCodec.wff [2007/07/05 18:40:19 \| 00,000,174 \| ---- \| C] () -- C:\WINDOWS\QUICKEN.INI [2007/06/04 23:09:30 \| 00,001,359 \| ---- \| C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache [2007/01/11 21:48:29 \| 00,169,984 \| ---- \| C] () -- C:\WINDOWS\System32\sablot.dll [2007/01/11 21:48:29 \| 00,072,704 \| ---- \| C] () -- C:\WINDOWS\System32\libexpat.dll [2006/05/16 21:24:21 \| 00,065,536 \| ---- \| C] () -- C:\WINDOWS\System32\dlcdcfg.dll [2006/05/16 21:23:42 \| 00,155,648 \| ---- \| C] () -- C:\WINDOWS\System32\dlcdins.dll [2006/05/16 21:23:42 \| 00,106,496 \| ---- \| C] () -- C:\WINDOWS\System32\dlcdinsr.dll [2006/05/16 21:23:42 \| 00,040,960 \| ---- \| C] () -- C:\WINDOWS\System32\dlcdvs.dll [2006/05/16 21:23:36 \| 00,430,080 \| ---- \| C] () -- C:\WINDOWS\System32\dlcdutil.dll [2006/05/16 21:23:36 \| 00,073,728 \| ---- \| C] () -- C:\WINDOWS\System32\dlcdcu.dll [2006/05/16 21:23:36 \| 00,036,864 \| ---- \| C] () -- C:\WINDOWS\System32\dlcdcur.dll [2006/05/16 21:23:33 \| 00,176,128 \| ---- \| C] () -- C:\WINDOWS\System32\dlcdinsb.dll [2006/05/16 21:23:33 \| 00,086,016 \| ---- \| C] () -- C:\WINDOWS\System32\dlcdcub.dll [2006/05/16 21:23:31 \| 00,131,072 \| ---- \| C] () -- C:\WINDOWS\System32\dlcdjswr.dll [2006/05/11 22:58:30 \| 00,000,000 \| ---- \| C] () -- C:\WINDOWS\OpPrintServer.INI [2006/04/18 19:22:33 \| 00,374,784 \| ---- \| C] () -- C:\WINDOWS\3dg32.dll [2006/04/16 16:21:26 \| 00,536,576 \| R--- \| C] () -- C:\WINDOWS\mcs_core.dll [2006/04/16 16:21:26 \| 00,147,456 \| R--- \| C] () -- C:\WINDOWS\mcs_vfw.dll [2006/04/16 16:21:20 \| 00,057,344 \| ---- \| C] () -- C:\WINDOWS\HAJEInstall.dll [2006/04/09 03:14:17 \| 00,000,052 \| ---- \| C] () -- C:\WINDOWS\Pex.INI [2006/04/09 03:01:09 \| 00,000,458 \| ---- \| C] () -- C:\WINDOWS\Ulead32.ini [2006/04/09 02:49:57 \| 00,339,872 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\gt892xv.sys [2006/04/09 02:49:57 \| 00,075,264 \| ---- \| C] () -- C:\WINDOWS\System32\gjpg.dll [2006/04/09 02:48:20 \| 00,286,720 \| ---- \| C] () -- C:\WINDOWS\System32\sndp2022.dll [2006/04/09 02:48:20 \| 00,278,528 \| ---- \| C] () -- C:\WINDOWS\System32\sndp2023.dll [2006/04/09 02:48:20 \| 00,045,056 \| ---- \| C] () -- C:\WINDOWS\System32\dsndp202.dll [2006/04/09 02:48:20 \| 00,015,598 \| ---- \| C] () -- C:\WINDOWS\sndp202.ini [2006/04/09 02:48:19 \| 00,227,072 \| ---- \| C] () -- C:\WINDOWS\System32\drivers\sndp202.sys [2006/04/09 02:48:19 \| 00,036,864 \| ---- \| C] () -- C:\WINDOWS\System32\vsndp202.dll [2006/03/24 01:39:00 \| 00,000,051 \| ---- \| C] () -- C:\WINDOWS\mix-fx.ini [2006/03/05 23:53:20 \| 00,087,608 \| ---- \| C] () -- C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\GDIPFONTCACHEV1.DAT [2006/03/04 02:09:51 \| 00,053,693 \| R--- \| C] () -- C:\WINDOWS\UNDPX2A.sys [2006/02/28 21:06:52 \| 03,667,476 \| -H-- \| C] () -- C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\IconCache.db [2006/02/28 00:21:32 \| 00,188,416 \| ---- \| C] () -- C:\Documents and Settings\Troy D Mobley\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2006/02/27 22:36:48 \| 00,000,062 \| -HS- \| C] () -- C:\Documents and Settings\Troy D Mobley\Application Data\desktop.ini [2006/02/27 12:08:54 \| 00,002,427 \| ---- \| C] () -- C:\WINDOWS\Baswty05.ini [2006/02/27 12:08:22 \| 00,002,498 \| ---- \| C] () -- C:\WINDOWS\Baswty04.ini [2006/02/27 12:07:54 \| 00,003,489 \| ---- \| C] () -- C:\WINDOWS\Prowty05.ini [2005/12/19 19:22:58 \| 00,000,092 \| ---- \| C] () -- C:\WINDOWS\System32\ftdiun2k.ini [2005/12/08 20:12:35 \| 00,777,728 \| ---- \| C] () -- C:\WINDOWS\System32\SSLSVC.DLL [2005/12/08 20:12:35 \| 00,069,632 \| ---- \| C] () -- C:\WINDOWS\System32\xmltok.dll [2005/12/08 20:12:35 \| 00,040,960 \| ---- \| C] () -- C:\WINDOWS\System32\cfmsg.dll [2005/12/08 20:12:35 \| 00,036,864 \| ---- \| C] () -- C:\WINDOWS\System32\xmlparse.dll [2005/12/08 20:12:33 \| 00,114,688 \| ---- \| C] () -- C:\WINDOWS\System32\lang_cfml.dll [2005/12/08 20:12:33 \| 00,028,672 \| ---- \| C] () -- C:\WINDOWS\System32\xml_datagrove.dll [2005/12/07 14:40:01 \| 00,495,616 \| ---- \| C] () -- C:\WINDOWS\System32\Tx32.dll [2005/12/07 14:40:00 \| 00,000,260 \| ---- \| C] () -- C:\WINDOWS\System32\ic32.ini [2005/12/07 14:33:48 \| 00,000,103 \| ---- \| C] () -- C:\WINDOWS\ProTSKSCH05.INI [2005/12/07 14:17:03 \| 00,000,038 \| ---- \| C] () -- C:\WINDOWS\SelecPrd.INI [2005/12/01 14:38:40 \| 00,140,480 \| ---- \| C] () -- C:\WINDOWS\System32\CSGina.dll [2005/11/30 10:30:08 \| 00,000,672 \| ---- \| C] () -- C:\WINDOWS\ODBC.INI [2005/11/30 10:09:12 \| 00,001,355 \| ---- \| C] () -- C:\WINDOWS\wininit.ini [2005/11/29 18:15:37 \| 31,358,784 \| ---- \| C] () -- C:\Program Files\NAV061200_2YR.exe [2005/11/29 17:52:49 \| 00,086,016 \| ---- \| C] () -- C:\WINDOWS\System32\ati2evxx.dll [2005/11/29 12:14:46 \| 00,000,062 \| -HS- \| C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini [2005/06/11 12:47:00 \| 00,045,056 \| ---- \| C] () -- C:\WINDOWS\System32\fpprintmon.dll [2005/02/03 21:59:44 \| 02,129,920 \| ---- \| C] () -- C:\WINDOWS\System32\myodbc3S.dll [2004/08/12 09:33:16 \| 00,001,020 \| ---- \| C] () -- C:\WINDOWS\win.ini [2004/08/12 09:30:36 \| 00,000,231 \| ---- \| C] () -- C:\WINDOWS\system.ini [2003/12/22 15:40:06 \| 01,663,068 \| ---- \| C] () -- C:\WINDOWS\System32\libmmd.dll [2003/11/20 17:39:58 \| 00,000,000 \| ---- \| C] () -- C:\WINDOWS\System32\px.ini [2003/01/07 16:05:08 \| 00,002,695 \| ---- \| C] () -- C:\WINDOWS\System32\OUTLPERF.INI [2002/04/01 19:45:50 \| 00,047,616 \| ---- \| C] () -- C:\WINDOWS\System32\ODBCMON.DLL ========== LOP Check ========== [2009/10/16 22:11:03 \| 00,000,000 \| RH-D \| M] -- C:\Documents and Settings\All Users\Application Data [2009/01/23 11:43:49 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} [2009/03/19 21:33:13 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\acccore [2008/02/06 23:43:37 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Autodesk [2009/06/09 22:17:51 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Avg7 [2009/03/04 20:56:41 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU [2009/01/28 22:31:19 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Dell [2009/06/09 22:16:48 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Grisoft [2007/07/05 18:40:04 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Intuit [2009/03/02 21:14:36 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\LogiShrd [2005/12/02 16:54:28 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Macrovision [2007/12/17 00:09:21 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound [2009/06/09 22:26:39 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Norton [2009/06/09 22:22:38 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller [2006/02/27 23:33:50 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle [2006/02/27 22:04:52 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Pure Networks [2006/04/18 22:30:24 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc [2006/04/18 22:30:24 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems [2009/10/16 21:58:28 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint [2007/11/12 22:21:44 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\All Users\Application Data\WinZip [2005/11/29 12:14:46 \| 00,000,000 \| RH-D \| M] -- C:\Documents and Settings\Default User\Application Data [2008/02/06 23:07:03 \| 00,000,000 \| RH-D \| M] -- C:\Documents and Settings\Dick Lavoie\Application Data [2006/01/16 11:03:49 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Dick Lavoie\Application Data\TextPad [2006/02/27 22:04:28 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Dick Lavoie\Application Data\You've Got Pictures Screensaver [2009/06/09 22:16:44 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\LocalService\Application Data [2009/02/22 19:40:54 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\NetworkService\Application Data [2008/02/06 23:07:04 \| 00,000,000 \| RH-D \| M] -- C:\Documents and Settings\Rhonda Mobley\Application Data [2006/03/08 21:37:34 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Rhonda Mobley\Application Data\Intuit [2009/10/16 22:10:32 \| 00,000,000 \| RH-D \| M] -- C:\Documents and Settings\T- Mob\Application Data [2008/01/22 13:43:58 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\T- Mob\Application Data\.clamwin [2008/01/22 14:46:18 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\T- Mob\Application Data\BearShare [2008/01/22 16:26:38 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\T- Mob\Application Data\CyberLink [2007/09/17 21:14:38 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\T- Mob\Application Data\Intuit [2009/10/16 22:27:22 \| 00,000,000 \| -H-D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data [2009/06/01 22:22:22 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\.clamwin [2009/03/19 21:37:51 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\acccore [2008/01/13 19:55:28 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\Aquatica Azure [2007/02/10 19:30:17 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\Autodesk [2008/10/01 18:42:43 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\BitZipper [2006/03/10 20:41:48 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\CyberLink [2009/02/10 23:46:16 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\DNA [2009/05/22 17:04:39 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\GARMIN [2007/07/05 18:41:29 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\Intuit [2006/03/14 18:38:57 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\Leadertech [2009/06/01 22:04:43 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\LimeWire [2006/03/14 18:53:42 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\NCH Swift Sound [2006/02/27 23:27:19 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\NetMedia Providers [2006/03/16 20:36:13 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\Opera [2006/02/27 23:27:19 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\Publish Providers [2006/03/14 18:53:41 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\RecordPad [2009/09/27 16:14:24 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\RGSystemFonts [2007/12/16 23:30:53 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\Ringtone [2006/04/24 21:03:47 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\SmartDraw [2009/03/02 23:48:21 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\Smith Micro [2009/09/27 19:23:14 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\TagControl [2006/04/23 19:09:21 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\TextPad [2006/04/09 03:15:14 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\Thalia [2009/09/19 19:06:11 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\U3 [2006/04/16 16:27:35 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\Ulead Systems [2006/03/03 14:14:14 \| 00,000,000 \| ---D \| M] -- C:\Documents and Settings\Troy D Mobley\Application Data\You've Got Pictures Screensaver [2009/10/01 08:57:03 \| 00,000,284 \| ---- \| M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job [2004/08/12 09:23:47 \| 00,000,065 \| RH-- \| M] () -- C:\WINDOWS\Tasks\desktop.ini [2009/10/16 22:16:31 \| 00,000,882 \| ---- \| M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job [2009/10/16 22:20:03 \| 00,000,886 \| ---- \| M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job [2009/10/16 22:16:32 \| 00,000,236 \| ---- \| M] () -- C:\WINDOWS\Tasks\OGALogon.job [2009/10/16 22:16:17 \| 00,000,006 \| -H-- \| M] () -- C:\WINDOWS\Tasks\SA.DAT ========== Purity Check ========== < End of report > ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=7.00.6000.16827 (vista_gdr.090226-1506) # OnlineScanner.ocx=1.0.0.6208 # api_version=3.0.2 # EOSSerial=4e4e31715888284487d2f78c9bde8d1b # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2009-10-17 04:25:58 # local_time=2009-10-17 12:25:58 (-0500, Eastern Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 106322 106322 0 0 # compatibility_mode=2817 16777215 100 100 10053333 10917993 0 0 # compatibility_mode=3839 16777215 0 0 0 0 0 0 # compatibility_mode=4351 16777215 0 0 0 0 0 0 # compatibility_mode=5890 16777214 0 0 0 0 0 0 # compatibility_mode=8447 16777215 0 0 0 0 0 0 # compatibility_mode=9217 16777214 0 0 0 0 0 0 # scanned=142934 # found=3 # cleaned=3 # scan_time=4678 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Program Files\Trend Micro\HijackThis\backups\backup-20091014-175951-213.dll a variant of Win32/Kryptik.AVM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\_OTL\MovedFiles\10162009_223729\WINDOWS\System32\FYiuX.vbs VBS/Disabler.NAB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Buckeye_Sam View Member Profile	Oct 17 2009, 07:34 AM Post #6
Malware Expert Group: Malware Response Team Posts: 17,382 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	Looks much better. How is your computer behaving now? Go ahead and reboot into normal mode and let me know what issues you are still having. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

tdm9183 View Member Profile	Oct 19 2009, 09:30 PM Post #7
New Member Group: Members Posts: 5 Joined: 14-October 09 Member No.: 390,086	I started in normal mode and command32.exe opened and ran also so did cmd.exe. Spybot picked up all the Registry entries and I allowed them to be deleted. (startup entries: command32.exe and cmd.exe, also the ace4902b684P.exe) It also said Windows Recovered from a Fatal Error, would you like to send a Error Report, then Blue Screened(crashed) with this message. "DRIVER_IRQL_NOT_LESS_OR_EQUAL STOP: 0x000000D1 ( 0x000004F0, 0x00000002, 0x00000000, 0xECC8E6DL) ADDRESS: ECC8E6DL bast at ECC6500 datestamp: 4AA0C1A8. Beginning dump of Physical Memory. After that I rebooted, Windows loaded normally, I attempted to uninstall some unwanted software and Windows said Windows Installer Service could not be accessed. This could happen if you are running Windows in SAFE MODE. So I updated the Windows Installer from Microsoft.com & rebooted and it provided no help. It seems Windows is stuck in SAFE MODE(including the classic style task bar which you cant change back to XP themes) without saying SAFE MODE in the corners. I have ran CheckDisk and these are the results: Checking file system on C: The type of the file system is NTFS. Volume label is Local Hard Drive. A disk check has been scheduled. Windows will now check the disk. Cleaning up minor inconsistencies on the drive. Cleaning up 2011 unused index entries from index $SII of file 0x9. Cleaning up 2011 unused index entries from index $SDH of file 0x9. Cleaning up 2011 unused security descriptors. CHKDSK is verifying Usn Journal... Usn Journal verification completed. CHKDSK is verifying file data (stage 4 of 5)... Read failure with status 0xc000009c at offset 0xa25ca3000 for 0x10000 bytes. Read failure with status 0xc000009c at offset 0xa25ca5000 for 0x1000 bytes. Read failure with status 0xc000009c at offset 0xa25cf6000 for 0x10000 bytes. Read failure with status 0xc000009c at offset 0xa25cf7000 for 0x1000 bytes. Windows replaced bad clusters in file 106543 of name \RECYCLER\S-1-5-~2\Dc25\Comedy\DAVECH~1.MP4. File data verification completed. CHKDSK is verifying free space (stage 5 of 5)... Free space verification is complete. Adding 2 bad clusters to the Bad Clusters File. Correcting errors in the Volume Bitmap. Windows has made corrections to the file system. 78108029 KB total disk space. 26160644 KB in 117675 files. 45084 KB in 12826 indexes. 8 KB in bad sectors. 298213 KB in use by the system. 65536 KB occupied by the log file. 51604080 KB available on disk. 4096 bytes in each allocation unit. 19527007 total allocation units on disk. 12901020 allocation units available on disk. Internal Info: c0 72 03 00 d1 fd 01 00 c1 f6 02 00 00 00 00 00 .r.............. 8c 01 00 00 02 00 00 00 3a 10 00 00 00 00 00 00 ........:....... fc ad 9d 0d 00 00 00 00 96 95 bf 82 00 00 00 00 ................ 22 1a d0 2a 00 00 00 00 1a d5 14 51 05 00 00 00 "..*.......Q.... 18 6f 54 f7 04 00 00 00 ee 8b 1e 0c 0b 00 00 00 .oT............. 20 cb 26 ca 00 00 00 00 98 38 07 00 ab cb 01 00 .&......8...... 00 00 00 00 00 10 b8 3c 06 00 00 00 1a 32 00 00 .......<.....2.. Windows has finished checking your disk. Please wait while your computer restarts. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. I'm trying to locate the Recovery CD and Format. I have saved all the files I wanted onto an external HD. And I'm ready to start from square one unless you have any suggestions. I thank you for your time very much. Troy

Buckeye_Sam View Member Profile	Oct 20 2009, 07:13 AM Post #8
Malware Expert Group: Malware Response Team Posts: 17,382 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	You've definitely got some issues, although I don't think at this point they're related to malware. If you're ready for a format and clean install, here's an excellent guide to follow. http://web.mit.edu/ist/products/winxp/adva...all-format.html -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

tdm9183 View Member Profile	Oct 20 2009, 07:20 PM Post #9
New Member Group: Members Posts: 5 Joined: 14-October 09 Member No.: 390,086	Thank You very much for your time and dedication towards my issues. Sincerely, Troy

Buckeye_Sam View Member Profile	Oct 21 2009, 08:04 AM Post #10
Malware Expert Group: Malware Response Team Posts: 17,382 Joined: 23-December 04 From: Pickerington, Ohio Member No.: 7,762	Glad I could help. Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. -------------------- If I have helped you in any way, please consider a donation to help me continue the fight against malware. Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it! ========================================================

« Next Oldest · Virus, Trojan, Spyware, and Malware Removal Logs · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 6th September 2010 - 04:34 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides