Open With dialog box for every application


  • This topic is locked
17 replies to this topic

#1 Colina_E

  • Members
  • 9 posts

Posted 17 March 2010 - 08:08 PM

Hi there,

Thank you so much for this wonderful site.

I am writing this from a different computer than the one infected as I am not able to connect to the internet on the affected one which is my son's.

Original problem was the "XP Security Tool 2010 - Unregistered Version" screen, showing fake scanning of computer, messages that this file and that file were infected, not sure whether my son hit any links within the screen as I wasn't here. Other problems as a result: could not connect to the internet, received message stating that the program (iexplorer) did not exist. I went directly to the executable, still wouldn't run. I downloaded Malwarebytes and CCleaner from my laptop, ran a full scan, found 22 infected files, 20 were removed, needed a reboot to remove the rest, rebooted, would not reboot, had to turn computer back on manually. Booted to safe mode with networking, then ran Malwarebytes again, again 2 remaining files requiring reboot to remove (have since read here about the possible problems with Malwarebytes in safe mode), again computer turned off, but did not reboot, turned on manually. "XP Security Tool" screen is now gone, but cannot run any executable, either get the "Open With" dialog box or "Application not found" or "Contact your system Administrator". This applies to Help and Support, System in Control Panel, and all executables. I can get into Control Panel options in Safe Mode. Did try to rename mbam as suggested, no luck. Computer is not currently wired into home network, but I do have a laptop that I will use for communications with the forum.

I read the Preparation Guide and did download all suggested programs to a thumb drive from my laptop. I believe that Daemon Tools is drive mounting software (it's my son's computer and he's a gamer), so I tried running Defogger, got the Open With dialog box. Was able to enable Firewall in Safe Mode but am not sure if it's still running when normally booted? Was able to run the DDS tool and have attached what was required. Was not able to run gmer, received the Open With dialog box...arghhhh! I did try all this on a normal boot, not in Safe Mode.

DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Colina at 19:53:06.57 on Wed 03/17/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1023.577 [GMT -4:00]

AV: avast! antivirus 4.8.1351 [VPS 100317-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
G:\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.facebook.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus Photo R380 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiboa.exe /fu "c:\windows\temp\E_S90.tmp" /EF "HKCU"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [gdf498gtudsigjnsod8guifjgfhfhf] c:\docume~1\colina~1.mom\locals~1\temp\txql36qk.exe
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\docume~1\colina~1.mom\locals~1\temp\taskmgr.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\colina~1.mom\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: TruePass EPF 7,0,100,739 - hxxps://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.0.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136764566218
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174061140203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-6 114768]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-6 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-1-8 138680]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2007-12-27 1373480]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-1-8 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-1-8 352920]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-21 135664]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
S3 ZSMC302;USB(VGA) Camera;c:\windows\system32\drivers\usbvm302.sys --> c:\windows\system32\drivers\usbvm302.sys [?]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-03-16 16:17:44 54016 ----a-w- c:\windows\system32\drivers\egaovn.sys
2010-03-15 23:33:20 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-03-15 23:33:20 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-03-12 17:50:02 0 d-----w- c:\program files\uTorrent
2010-03-12 17:49:53 0 d-----w- c:\docume~1\colina~1.mom\applic~1\uTorrent
2010-03-10 22:07:37 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 21:35:41 754 ----a-w- c:\windows\WORDPAD.INI
2010-03-06 21:24:25 0 d-----w- c:\docume~1\colina~1.mom\applic~1\Xfire
2010-03-06 21:24:20 0 d-s---w- c:\program files\Xfire
2010-03-06 19:11:59 0 d-----w- c:\program files\Strategy First
2010-03-05 00:11:22 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-02-25 19:57:40 0 d-----w- C:\99a71776b4e3d169effa

==================== Find3M ====================

2010-03-08 00:01:29 11690 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-18 19:45:00 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2007-05-18 14:18:30 313 -c--a-w- c:\program files\INSTALL.LOG
2006-08-05 05:26:23 774144 -c--a-w- c:\program files\RngInterstitial.dll
2001-11-23 04:08:20 712704 -c--a-w- c:\windows\inf\other\AUDIO3D.DLL
2006-03-24 02:11:04 56 -csh--r- c:\windows\system32\247E3DFB35.sys
2008-02-21 00:36:01 168 --sh--r- c:\windows\system32\35FB3D7E24.sys
2008-08-23 13:57:51 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 19:54:09.71 ===============

Thank you and no worries over time, time away from his computer should teach my son how to be more cautious, LOL.

I will spend my time browsing the site. I'd love to learn how to help others.

Colina
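The DDS report above carries the indicators this thread turns on: `.exe=secfile` under File Associations (consistent with every program launch landing in the Open With dialog), two random-named autoruns in a temp folder, one of them a taskmgr.exe copy, and policies hiding Folder Options and the Registry Editor. As an added example (not code from the post or from the DDS tool), here is a small Python triage that flags such lines; the sample lines are constructed from the log, and the expected ProgIDs and the system-binary list are this example's assumptions.

```python
"""Triage of a DDS "Pseudo HJT Report" for the indicators quoted in this thread.

Added example; not code from the forum post or from the DDS tool.  The sample
lines are constructed from the log in post #1, and the expected ProgIDs and the
list of system binary names are this example's assumptions.
"""
import re
from typing import List, NamedTuple

# Default ProgIDs Windows uses to launch these extensions directly.  Anything
# else on the ".exe=" line (the log shows "secfile") routes every program
# launch through a foreign handler, which is what produces the "Open With"
# dialog described in the thread.
EXPECTED_ASSOC = {".exe": "exefile", ".com": "comfile", ".bat": "batfile",
                  ".cmd": "cmdfile", ".scr": "scrfile"}

# Windows binaries that belong under %SystemRoot%; an explicit path to one of
# them in a user temp folder (the log's locals~1\temp\taskmgr.exe) is a
# masquerade.  Bare names with no directory are left alone, since they
# resolve via PATH (e.g. "RUNDLL32.EXE ...").
SYSTEM_BINARIES = {"taskmgr.exe", "explorer.exe", "svchost.exe", "winlogon.exe",
                   "csrss.exe", "lsass.exe", "services.exe"}

# Policy keys that hide the tools needed to repair the machine (post #5 notes
# that Folder Options had disappeared).
LOCKOUT_POLICIES = {"DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr",
                    "NoControlPanel", "NoRun"}

RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (?P<key>\w+) = (?P<val>\d+)")
ASSOC_RE = re.compile(r"^(?P<ext>\.\w+)=(?P<progid>\S+)$")
TEMP_RE = re.compile(r"\\temp\\|%temp%|locals~1\\temp|local settings\\temp", re.I)


class Finding(NamedTuple):
    severity: str  # "high" or "medium"
    line: str      # the DDS line that triggered the finding
    reason: str


def exe_path(cmd: str) -> str:
    """Return the executable part of a Run value, dropping quotes and arguments.
    DDS quotes paths that contain spaces, so an unquoted value ends at the
    first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_dds(lines: List[str]) -> List[Finding]:
    """Scan DDS report lines and return the suspicious ones with a reason."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        assoc = ASSOC_RE.match(line)
        if assoc:
            expected = EXPECTED_ASSOC.get(assoc["ext"].lower())
            if expected and assoc["progid"].lower() != expected:
                findings.append(Finding("high", line,
                    f"{assoc['ext']} handler is '{assoc['progid']}', expected "
                    f"'{expected}': program launches are redirected"))
            continue
        run = RUN_RE.match(line)
        if run:
            path = exe_path(run["cmd"])
            base = path.rsplit("\\", 1)[-1].lower()
            if TEMP_RE.search(path):
                findings.append(Finding("high", line,
                    "autorun entry points into a temp directory"))
            if "\\" in path and base in SYSTEM_BINARIES \
                    and "\\windows\\" not in path.lower():
                findings.append(Finding("high", line,
                    f"{base} started from outside %SystemRoot%: likely masquerade"))
            continue
        pol = POLICY_RE.match(line)
        if pol and pol["key"] in LOCKOUT_POLICIES and pol["val"] != "0":
            findings.append(Finding("medium", line,
                f"policy {pol['key']} set: repair tools hidden from the user"))
    return findings


# Constructed sample: lines in the format DDS prints, taken from the report
# quoted in post #1 (both benign and suspicious entries).
SAMPLE_DDS_LINES = [
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"uRun: [gdf498gtudsigjnsod8guifjgfhfhf] c:\docume~1\colina~1.mom\locals~1\temp\txql36qk.exe",
    r"uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\docume~1\colina~1.mom\locals~1\temp\taskmgr.exe",
    r"mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe",
    r"mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup",
    r'mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide',
    r"uPolicies-explorer: NoFolderOptions = 1 (0x1)",
    r"uPolicies-system: DisableRegistryTools = 1 (0x1)",
    r".exe=secfile",
]

if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS_LINES):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Running it over the constructed sample yields four high and two medium findings; the benign ctfmon, avast!, NvCpl and Windows Defender entries are not flagged.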



#2 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 20 March 2010 - 11:49 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 Colina_E

  • Topic Starter
  • Members
  • 9 posts

Posted 21 March 2010 - 02:00 PM

I am unable to run OTL, I receive the Open With dialog box. I tried running it from the desktop and from my thumb drive.

I am unable to connect to the internet via the affected machine. I am using a laptop and thumb drive.

I cannot open most programs; I receive the Open With dialog box. I was able to run DDS. I have not used the computer since my original post. I scanned it as per instructions on this site, then immediately turned the computer off.

My son originally had the Avast screen come up saying he had a virus; when he tried to "Move to Chest" he was told "Unable to move to chest", then a screen mimicking the Windows Firewall and Automatic Updates screen came up telling him that his firewall was off, so he tried to turn it on, then more screens came up doing fake scans and asking him for payment to download the software to remove it. He also had an "XP Security Tool 2010 - Unregistered Version" screen pop up.

I booted to safe mode with networking and ran malwarebytes and ccleaner (will not run in normal mode). It removed 20 infected files, but could not remove 2 additional ones without rebooting, computer would not reboot, had to turn it on manually.

When it came back on, I couldn't run any programs, access Help and Support or programs in Control Panel.

Thank you for your help. I will follow your instructions to the letter.

Colina

#4 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 21 March 2010 - 04:04 PM

Hi,

Please make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows

Then you should see the name otl.exe of the program I want you to run. Rename the file to otl.com; you will get a prompt, please press OK.

Let me know if you can then run a scan with the program.

regards myrti



#5 Colina_E

  • Topic Starter
  • Members
  • 9 posts

Posted 21 March 2010 - 07:37 PM

Hi Myrti,

Sorry - the Folder Options option is not available.

Colina

#6 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 22 March 2010 - 04:01 PM

Hi,

OK, then please try to download this version of OTL: OTL.com and try to use it as instructed in my first post. Let me know if that works.

regards myrti



#7 Colina_E

  • Topic Starter
  • Members
  • 9 posts

Posted 22 March 2010 - 04:27 PM

Hi,

I'm not sure how to run the link you provided me? It came up with a new tab filled with code? What should I do with it?

Thanks Colina

#8 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 22 March 2010 - 04:35 PM

Hi,

Sorry, I should have been more specific. Please right-click the file, select Save As, and save the file as otl.com.

regards myrti



#9 Colina_E

  • Topic Starter
  • Members
  • 9 posts

Posted 22 March 2010 - 04:50 PM

Hi

I right-clicked and chose Save As. It gave me a document. It said it needed to be saved in Unicode to preserve the code, so I changed the file type to Unicode and the .txt to All Files, and saved as OTL.com. It then showed up as an MS-DOS Application. I took that and put it on the thumb drive, and put it in the infected machine. I double-clicked the application and it very briefly gave me a black DOS screen, then it closed. I tried running it from both the thumb drive and the desktop of the infected PC. Feels like we are at least one step closer, :-).

Thanks, Colina

#10 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 22 March 2010 - 04:52 PM

Hi,

at this point it may be easiest to run OTL from a live CD. Do you have the possibility to download about 350Mb and burn it to a CD, or would you rather continue to try with OTL.com?

If you have the possibility to download the file please do the following:
Two programmes to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the programme; from there on in it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to SafeList
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\_OTL\MovedFiles
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

Let me know what you wish to do.
regards myrti



#11 Colina_E

  • Topic Starter
  • Members
  • 9 posts

Posted 22 March 2010 - 05:03 PM

Hi,

I am in the process of downloading the ISO file as suggested. I will post the results as soon as I'm done.

Colina

#12 Colina_E

  • Topic Starter
  • Members
  • 9 posts

Posted 22 March 2010 - 07:08 PM

Hi there,

Very cool software! I've googled it just for fun to learn about it!

1. Did not give me the option "Do you wish to load the remote registry", select Yes
2. Did give me the option "Do you wish to load remote user profile(s) for scanning", select Yes
Ensure the box "Automatically Load All Remaining Users" is checked and press OK
3. Settings for Drivers was already set to "Use Safelist", as was Services, Standard Registry. Extra Registry was set to None.


Finally a successful scan:

OTL.txt

OTL logfile created on: 3/22/2010 7:59:33 PM - Run
OTLPE by OldTimer - Version 3.1.37.1 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 807.00 Mb Available Physical Memory | 79.00% Memory free
906.00 Mb Paging File | 846.00 Mb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.69 Gb Total Space | 3.76 Gb Free Space | 4.91% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/01/04 14:03:42 | 000,238,328 | ---- | M] (WildTangent, Inc.) [On_Demand] -- C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/08/17 12:07:17 | 000,138,680 | ---- | M] (ALWIL Software) [Auto] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/08/17 12:07:01 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/08/17 12:04:21 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/08/17 11:58:55 | 000,018,752 | ---- | M] (ALWIL Software) [Auto] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2008/11/30 00:37:27 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/09/16 13:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto] -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor7.0)
SRV - [2007/10/02 15:46:56 | 000,124,832 | ---- | M] () [Auto] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)
SRV - [2007/09/07 12:16:18 | 001,373,480 | ---- | M] (Wacom Technology, Corp.) [Auto] -- C:\WINDOWS\system32\Pen_Tablet.exe -- (TabletServicePen)
SRV - [2007/01/19 12:54:14 | 000,097,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2006/12/12 14:33:14 | 000,174,656 | ---- | M] () [Auto] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/04/18 05:00:00 | 000,102,400 | ---- | M] (SEIKO EPSON CORPORATION) [Auto] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)
SRV - [2003/03/09 22:31:02 | 000,065,795 | ---- | M] (HP) [On_Demand] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (ZSMC302) USB(VGA)
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2009/09/18 14:42:19 | 000,721,904 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2009/08/17 12:06:43 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/08/17 12:05:52 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/08/17 12:05:37 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/08/17 12:04:40 | 000,051,376 | ---- | M] (ALWIL Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/08/17 12:04:29 | 000,023,152 | ---- | M] (ALWIL Software) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/08/17 12:03:21 | 000,026,944 | ---- | M] (ALWIL Software) [Kernel | System] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2008/08/14 08:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/02/16 12:12:36 | 000,011,312 | ---- | M] (Wacom Technology) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wacommousefilter.sys -- (wacommousefilter)
DRV - [2007/02/16 11:30:12 | 000,012,848 | ---- | M] (Wacom Technology) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wacomvhid.sys -- (wacomvhid)
DRV - [2007/02/15 17:11:28 | 000,011,440 | ---- | M] (Wacom Technology) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\WacomVKHid.sys -- (WacomVKHid)
DRV - [2006/11/01 06:01:56 | 000,003,328 | ---- | M] (Famatech International Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rminiv3.sys -- (mirrorv3)
DRV - [2005/10/28 17:06:00 | 003,532,000 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/11/22 18:36:39 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand] -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5)
DRV - [2004/08/04 01:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2001/08/17 13:28:02 | 000,907,456 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HCF_MSFT.sys -- (HCF_MSFT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator.MOMSPC_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Colina.MOMS_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\Colina.MOMS_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
IE - HKU\Colina.MOMS_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Colina.MOMS_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local

IE - HKU\LocalService.NT_AUTHORITY_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\NetworkService.NT_AUTHORITY_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0




O1 HOSTS File: ([2008/12/16 14:49:08 | 000,000,764 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\Colina.MOMS_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Cmaudio] File not found
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe File not found
O4 - HKU\Colina.MOMS_ON_C..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\COLINA~1.MOM\LOCALS~1\Temp\taskmgr.exe File not found
O4 - HKU\Colina.MOMS_ON_C..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
O4 - HKU\Colina.MOMS_ON_C..\Run: [EPSON Stylus Photo R380 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\Colina.MOMS_ON_C..\Run: [gdf498gtudsigjnsod8guifjgfhfhf] C:\DOCUME~1\COLINA~1.MOM\LOCALS~1\Temp\txql36qk.exe File not found
O4 - HKU\Colina.MOMS_ON_C..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - HKU\Colina.MOMS_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\Colina.MOMS_ON_C..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Colina.MOMS\Start Menu\Programs\Startup\Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (Xfire Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator.MOMSPC_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Colina.MOMS_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Colina.MOMS_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\Colina.MOMS_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\LocalService.NT_AUTHORITY_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService.NT_AUTHORITY_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab (Checkers Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} http://dlmanager.akamaitools.com.edgesuite...vex-2.0.5.0.cab (DownloadManager Control)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab (DLM Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/Facebo...toUploader3.cab (Facebook Photo Uploader 4 Control)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebook.com/controls/Facebo...otoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1136764566218 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1174061140203 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (MessengerStatsClient Class)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://cdn.messenger.msn.com/download/MsnM...pDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} http://www.photodex.com/pxplay.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: TruePass EPF 7,0,100,739 https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab (Reg Error: Key error.)
O18 - Protocol\Handler\intu-qt2007 {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - Reg Error: Key error. File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/04/15 21:43:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/17 19:06:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.MOMSPC\Application Data\DAEMON Tools Lite
[2010/03/16 12:41:04 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.MOMSPC\Recent
[2010/03/16 11:00:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.MOMSPC\Application Data\Malwarebytes
[2010/03/16 10:58:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.MOMSPC\Local Settings\Application Data\Microsoft
[2010/03/16 10:58:37 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator.MOMSPC\Application Data\Microsoft
[2010/03/16 10:58:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.MOMSPC\SendTo
[2010/03/16 10:58:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.MOMSPC\Application Data
[2010/03/16 10:58:37 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.MOMSPC\Start Menu
[2010/03/16 10:58:37 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator.MOMSPC\Cookies
[2010/03/16 10:58:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.MOMSPC\Templates
[2010/03/16 10:58:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.MOMSPC\PrintHood
[2010/03/16 10:58:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.MOMSPC\NetHood
[2010/03/16 10:58:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.MOMSPC\Local Settings
[2010/03/16 10:58:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.MOMSPC\My Documents
[2010/03/16 10:58:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.MOMSPC\Favorites
[2010/03/16 10:58:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.MOMSPC\Desktop
[2010/03/15 19:33:20 | 000,142,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aec.sys
[2010/03/15 19:29:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Colina.MOMS\Local Settings\Application Data\Windows Server
[2010/03/15 12:10:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Colina.MOMS\My Documents\Downloads
[2010/03/12 13:50:02 | 000,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2010/03/12 13:49:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Colina.MOMS\Application Data\uTorrent
[2010/03/10 18:07:37 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/03/06 19:31:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Xfire
[2010/03/06 17:31:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Xfire
[2010/03/06 17:24:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Colina.MOMS\Application Data\Xfire
[2010/03/06 17:24:20 | 000,000,000 | --SD | C] -- C:\Program Files\Xfire
[2010/03/06 15:11:59 | 000,000,000 | ---D | C] -- C:\Program Files\Strategy First
[2010/02/25 18:07:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Colina.MOMS\Local Settings\Application Data\Temp
[2010/02/25 15:57:40 | 000,000,000 | ---D | C] -- C:\99a71776b4e3d169effa
[2010/02/21 02:07:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Google
[2010/02/21 02:03:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Google
[2006/08/05 01:26:35 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/22 20:01:51 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator.MOMSPC\NTUSER.DAT
[2010/03/22 18:42:19 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT
[2010/03/22 18:42:19 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat
[2010/03/22 18:42:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/22 18:42:14 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/22 18:42:08 | 010,485,760 | ---- | M] () -- C:\Documents and Settings\Colina.MOMS\ntuser.dat
[2010/03/22 18:42:08 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Colina.MOMS\ntuser.ini
[2010/03/22 18:41:41 | 000,013,754 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/22 18:41:24 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/22 18:33:01 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/03/22 18:13:05 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/21 20:33:40 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator.MOMSPC\ntuser.ini
[2010/03/18 09:00:00 | 000,000,434 | ---- | M] () -- C:\WINDOWS\tasks\SyncBack My computer.job
[2010/03/16 12:44:18 | 000,105,088 | ---- | M] () -- C:\Documents and Settings\Administrator.MOMSPC\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/16 12:44:18 | 000,017,960 | -HS- | M] () -- C:\Documents and Settings\Administrator.MOMSPC\Local Settings\Application Data\21mn5E
[2010/03/16 12:40:20 | 000,001,596 | ---- | M] () -- C:\Documents and Settings\Administrator.MOMSPC\Desktop\CCleaner.lnk
[2010/03/16 12:40:01 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/16 12:36:02 | 000,017,952 | -HS- | M] () -- C:\Documents and Settings\Colina.MOMS\Local Settings\Application Data\21mn5E
[2010/03/16 12:17:44 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\egaovn.sys
[2010/03/16 11:00:01 | 000,005,632 | ---- | M] () -- C:\Documents and Settings\Administrator.MOMSPC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/15 12:08:31 | 000,027,974 | ---- | M] () -- C:\Documents and Settings\Colina.MOMS\Desktop\Rome_Total_War_(including_Barbarian_Invasion___Alexander).4171388.TPB.torrent
[2010/03/15 11:46:47 | 000,444,336 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/15 11:46:47 | 000,072,020 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/15 11:46:46 | 000,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/07 20:01:29 | 000,011,690 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/03/07 18:41:38 | 002,133,594 | -H-- | M] () -- C:\Documents and Settings\Colina.MOMS\Local Settings\Application Data\IconCache.db
[2010/03/06 21:47:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/06 17:36:18 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2010/03/06 17:24:55 | 000,000,698 | ---- | M] () -- C:\Documents and Settings\Colina.MOMS\Start Menu\Programs\Startup\Xfire.lnk
[2010/03/04 20:11:22 | 000,041,872 | ---- | M] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/02/24 10:16:06 | 000,181,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/16 12:44:16 | 000,017,960 | -HS- | C] () -- C:\Documents and Settings\Administrator.MOMSPC\Local Settings\Application Data\21mn5E
[2010/03/16 12:40:20 | 000,001,596 | ---- | C] () -- C:\Documents and Settings\Administrator.MOMSPC\Desktop\CCleaner.lnk
[2010/03/16 12:17:44 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\egaovn.sys
[2010/03/16 10:59:52 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Administrator.MOMSPC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/16 10:58:39 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator.MOMSPC\ntuser.ini
[2010/03/16 10:58:37 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator.MOMSPC\NTUSER.DAT
[2010/03/15 19:29:20 | 000,017,952 | -HS- | C] () -- C:\Documents and Settings\Colina.MOMS\Local Settings\Application Data\21mn5E
[2010/03/15 12:08:24 | 000,027,974 | ---- | C] () -- C:\Documents and Settings\Colina.MOMS\Desktop\Rome_Total_War_(including_Barbarian_Invasion___Alexander).4171388.TPB.torrent
[2010/03/06 17:35:41 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/03/06 17:24:55 | 000,000,698 | ---- | C] () -- C:\Documents and Settings\Colina.MOMS\Start Menu\Programs\Startup\Xfire.lnk
[2010/03/04 20:11:22 | 000,041,872 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2010/02/21 02:02:53 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/21 02:02:53 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/12/29 20:14:48 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/12/16 17:11:55 | 000,000,035 | ---- | C] () -- C:\WINDOWS\WorldBuilder.INI
[2009/08/06 13:19:50 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2008/12/02 11:01:02 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Colina.MOMS\Application Data\Commands
[2008/12/02 11:00:59 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Colina.MOMS\Application Data\Common
[2008/11/28 21:47:46 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RBRegEx350.dll
[2008/11/28 21:47:46 | 000,061,952 | ---- | C] () -- C:\WINDOWS\System32\rbap350.dll
[2008/11/28 21:47:46 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\RBShell400.dll
[2008/11/28 21:47:46 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\LP0301Gestalt.dll
[2008/11/28 21:47:46 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\LP0301LinkFile.dll
[2008/11/28 21:47:45 | 000,067,072 | ---- | C] () -- C:\WINDOWS\System32\LP0310.dll
[2008/11/28 21:47:45 | 000,041,472 | ---- | C] () -- C:\WINDOWS\System32\MBSPlugin.DLL
[2008/11/28 21:47:45 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\MBSRegistryPlugin.DLL
[2008/11/28 21:47:45 | 000,035,328 | ---- | C] () -- C:\WINDOWS\System32\MBSFolderPlugin.DLL
[2008/11/28 21:47:45 | 000,031,744 | ---- | C] () -- C:\WINDOWS\System32\MBSMacTTPlugin.DLL
[2008/11/28 21:47:45 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\MBSRegPlugin.DLL
[2008/11/28 21:47:45 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\LP0301ResFork.dll
[2008/11/07 16:02:59 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2008/10/07 12:28:55 | 000,013,009 | ---- | C] () -- C:\Documents and Settings\Colina.MOMS\Application Data\Comma Separated Values (DOS).CAL
[2008/08/27 22:50:28 | 000,000,076 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2007/09/14 18:16:36 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Colina.MOMS\Local Settings\Application Data\fusioncache.dat
[2007/07/09 14:48:19 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/05/18 09:53:07 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2007/05/18 09:52:40 | 000,000,313 | ---- | C] () -- C:\Program Files\INSTALL.LOG
[2007/05/08 20:32:07 | 000,038,477 | ---- | C] () -- C:\Documents and Settings\Colina.MOMS\Application Data\Comma Separated Values (DOS).ADR
[2007/01/09 23:42:54 | 000,038,499 | ---- | C] () -- C:\Documents and Settings\Colina.MOMS\Application Data\Microsoft Excel.ADR
[2006/10/14 19:16:25 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2006/10/03 21:25:59 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2006/09/16 13:44:41 | 000,022,262 | ---- | C] () -- C:\Documents and Settings\Colina.MOMS\Application Data\Microsoft Access.ADR
[2006/08/30 18:45:58 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2006/08/30 18:45:58 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2006/08/30 18:45:58 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2006/06/27 22:40:05 | 000,000,985 | ---- | C] () -- C:\WINDOWS\Aeditor.INI
[2006/06/27 22:39:43 | 000,000,299 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
[2006/06/27 22:15:35 | 000,000,014 | ---- | C] () -- C:\WINDOWS\dswplug.ini
[2006/06/12 20:46:58 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2006/06/12 20:43:36 | 000,000,048 | ---- | C] () -- C:\WINDOWS\EPSPictureMate.ini
[2006/04/19 12:59:15 | 000,000,394 | ---- | C] () -- C:\WINDOWS\capture.ini
[2006/03/05 04:33:30 | 000,000,168 | RHS- | C] () -- C:\WINDOWS\System32\35FB3D7E24.sys
[2006/02/24 00:14:40 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\247E3DFB35.sys
[2006/02/10 14:34:55 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2006/01/15 13:12:23 | 000,004,334 | ---- | C] () -- C:\Documents and Settings\Colina.MOMS\Application Data\wklnhst.dat
[2006/01/10 18:27:48 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2006/01/10 18:27:48 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2006/01/10 15:25:55 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Colina.MOMS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/01/09 11:00:18 | 000,011,690 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/01/08 23:42:23 | 000,086,016 | R--- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/01/08 22:57:22 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2006/01/08 22:57:21 | 000,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2006/01/08 22:57:21 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2006/01/08 22:57:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2006/01/08 22:57:13 | 000,031,746 | ---- | C] () -- C:\WINDOWS\System32\nkreg32.dll
[2006/01/08 22:57:13 | 000,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
[2006/01/08 22:49:26 | 000,002,606 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2006/01/08 22:49:23 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2006/01/08 21:12:09 | 000,000,478 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/10/28 17:06:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/10/28 17:06:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/10/28 17:06:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/10/28 17:06:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/10/28 17:06:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/10/28 17:06:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2003/03/09 22:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[1997/06/13 22:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== LOP Check ==========

[2008/10/09 15:48:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2008/11/02 15:32:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\com.adobe.px.Uploader.4C35C4D325D350FE0114230CBADCA2DDD0AC8D25.1
[2009/09/18 15:02:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\DAEMON Tools Lite
[2007/12/06 16:50:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\DisplayTune
[2008/12/16 18:45:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\Flickr
[2006/02/10 14:30:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\InterTrust
[2009/01/19 13:30:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\iWin
[2006/01/09 10:57:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\Jasc
[2006/06/12 20:50:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\Leadertech
[2009/07/31 15:50:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\LumaPix
[2009/12/16 18:22:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\My Battle for Middle-earth™ II Files
[2006/10/20 17:46:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\Netscape
[2008/12/02 11:01:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\Nikon
[2008/11/19 21:48:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\onOne Software
[2006/06/27 16:43:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\Opera
[2008/02/21 15:06:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\Pantone
[2006/01/09 17:50:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\Pixmantec
[2007/07/05 18:21:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\Simple Star
[2006/01/16 14:16:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\Template
[2006/06/27 22:32:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\Ulead Systems
[2010/03/16 10:39:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\uTorrent
[2009/01/06 17:57:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\WildTangent
[2009/01/16 20:06:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Colina.MOMS\Application Data\yoclient
[2010/03/17 19:06:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.MOMSPC\Application Data\DAEMON Tools Lite
[2008/04/22 18:10:57 | 000,000,344 | ---- | M] () -- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1184784037.job
[2010/03/22 18:33:01 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010/03/18 09:00:00 | 000,000,434 | ---- | M] () -- C:\WINDOWS\Tasks\SyncBack My computer.job

========== Purity Check ==========


< End of report >




#13 myrti

Posted 24 March 2010 - 03:51 PM

Hi,

OK, please boot normally again and download FixExe.reg.
It should look like this ->
Double-click fixExe.reg; when a window pops up and asks if this information should be merged, press Yes and OK.

Reboot and let me know if you can open programs now.

regards myrti

Edited by myrti, 24 March 2010 - 03:52 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#14 Colina_E


Posted 25 March 2010 - 04:33 PM

Hi,

I removed the CD, booted normally, tried to run fixexe.reg, received a message: "Registry editing has been disabled by your administrator"

Colina
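The OTL log above carries the three kinds of entries a helper reads for an "Open With for every program" complaint: O4 Run entries launching from the user's Temp folder under random names, O7 policy entries (the DisableRegistryTools = 1 line is what produces the "Registry editing has been disabled by your administrator" message when a .reg file is merged), and the O35/O37 exe/com handlers, which should be the stock `"%1" %*`. The script below is an added example, not a tool from this thread or from BleepingComputer: it triages such lines offline. Its sample input copies lines from the posted log plus one constructed, tampered exefile handler so the handler check has something to fire on; the scoring rules are my own.

```python
"""Triage OTL log lines for the indicators behind an "Open With" for every .exe.

Added example, not part of the BleepingComputer thread and not a tool the
helpers there use. Sample lines are copied from the posted OTL log, except the
final HKCU exefile handler, which is constructed to show a hijacked handler."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input (first ten lines from the thread's log, last line invented).
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKU\Colina.MOMS_ON_C..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\COLINA~1.MOM\LOCALS~1\Temp\taskmgr.exe File not found
O4 - HKU\Colina.MOMS_ON_C..\Run: [gdf498gtudsigjnsod8guifjgfhfhf] C:\DOCUME~1\COLINA~1.MOM\LOCALS~1\Temp\txql36qk.exe File not found
O4 - HKU\Colina.MOMS_ON_C..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Colina.MOMS_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\Colina.MOMS_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O35 - HKCU\..exefile [open] -- "C:\CONSTRUCTED\Temp\shield.exe" "%1" %*
"""

# OTL line shapes: O4 autoruns, O7 Explorer/System policies, O35/O37 file-type handlers.
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
POLICY_RE = re.compile(r"^O7 - (?P<key>.+?): (?P<value>\w+) = (?P<data>\S+)$")
HANDLER_RE = re.compile(r"^O3[57] - (?P<key>.+?) -- (?P<command>.+)$")

DEFAULT_HANDLER = '"%1" %*'                    # stock exefile/comfile open command on XP
RANDOM_NAME = re.compile(r"^[a-z0-9]{16,}$")   # long lower-case alphanumeric junk names
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious observation; benign lines yield nothing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            # Autoruns from a Temp directory, or with a random value name, are the
            # typical footprint of rogue "security tool" installers.
            if TEMP_PATH.search(m["target"]):
                findings.append(Finding(line, "Run entry launches from a Temp directory"))
            if RANDOM_NAME.match(m["name"]):
                findings.append(Finding(line, "Run entry has a random-looking value name"))
        elif m := POLICY_RE.match(line):
            # NoDriveTypeAutoRun = 145 is a normal hardening value and is not reported.
            if m["value"] == "DisableRegistryTools" and m["data"] == "1":
                findings.append(Finding(
                    line, "DisableRegistryTools=1: regedit and .reg merges are blocked "
                          "('Registry editing has been disabled by your administrator')"))
            elif m["value"] == "NoFolderOptions" and m["data"] == "1":
                findings.append(Finding(
                    line, "NoFolderOptions=1: Folder Options hidden, so hidden files stay hidden"))
        elif m := HANDLER_RE.match(line):
            # Any exe/com handler other than the stock one means every program launch
            # is routed through the listed command first.
            if m["command"] != DEFAULT_HANDLER:
                findings.append(Finding(
                    line, f"exe/com handler is not the stock {DEFAULT_HANDLER}: "
                          f"every launch passes through {m['command']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"{f.reason}\n    {f.line}")
```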

#15 myrti

Posted 27 March 2010 - 11:46 AM

Hi,

please try running rkill then:
Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

regards myrti





