
Mebroot.mbr, and perhaps more


  • This topic is locked
13 replies to this topic

#1 nemsawy

nemsawy

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:06 AM

Posted 23 May 2010 - 09:50 AM

Hi! I've had this one for about a week or so now, and it's just inviting more of its buddies in. I dealt with a couple of avsofts, but I've been reluctant to use fixmbr in the recovery console because I read that I could lose virtually all my files. Hijackthis has also reported that it has been denied access to the Hosts file, so there may be more lurking around. So here I am, humbly requesting assistance.

As per the preparation guide, I've used DeFogger.

DDS has declared that it doesn't work in my OS (XP x64).

I have a gmer log, but most checkboxes were greyed out. "Services", "Registry", "Files" and "ADS" were the only ones I could check. Also, only "C:\" was checked, as requested. [Attached file: GMER_log.log, 4.35KB]

Thank you!
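Mebroot (also tracked as Sinowal/Torpig) is an MBR rootkit: it replaces the 446 bytes of boot code in sector 0 of the disk and leaves the 64-byte partition table in place so the machine still boots, stashing the original MBR and its own driver in unallocated sectors past the last partition. The Recovery Console's fixmbr likewise rewrites only that boot code and leaves the partition table alone. The following is an added example, not part of the original post and not code from any tool mentioned in this thread: a small Python parser that splits an MBR sector into boot code and partition table and compares both against a known-good copy, so a responder can tell "boot code replaced, table intact" (the rootkit pattern) from "partition table changed" (where fixmbr would not help and the poster's worry about data would be justified). The sector contents, the baseline and the partition layout are constructed for the example; reading the real sector 0 from \\.\PhysicalDrive0 needs an elevated prompt on Windows and is only sketched in a helper that is not called.

```python
"""Split a 512-byte MBR into boot code and partition table and diff it
against a known-good copy (added example; sector contents are constructed).

Classic MBR layout:
  bytes   0..445   boot code (the region an MBR rootkit replaces)
  bytes 446..509   four 16-byte partition table entries
  bytes 510..511   signature 0x55 0xAA
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PT_OFFSET = 446
SIG_OFFSET = 510
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


@dataclass(frozen=True)
class PartitionEntry:
    bootable: bool
    type_id: int      # e.g. 0x07 = NTFS, 0x05/0x0F = extended
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> tuple[bytes, list[PartitionEntry]]:
    """Return (boot_code, partition entries). Raises ValueError on a malformed sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[SIG_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        if ptype == 0:
            continue  # unused slot
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return sector[:BOOT_CODE_LEN], entries


def boot_code_sha256(sector: bytes) -> str:
    """Digest of the boot code only, for comparison with a known-good MBR."""
    boot_code, _ = parse_mbr(sector)
    return hashlib.sha256(boot_code).hexdigest()


def compare_to_baseline(current: bytes, baseline: bytes) -> dict[str, bool]:
    """Tell 'boot code replaced, table intact' (rootkit pattern) apart from
    'partition table changed' (where fixmbr would not help)."""
    cur_code, cur_pt = parse_mbr(current)
    base_code, base_pt = parse_mbr(baseline)
    return {
        "boot_code_changed": cur_code != base_code,
        "partition_table_changed": cur_pt != base_pt,
    }


def build_mbr(boot_code: bytes, entries: list[PartitionEntry]) -> bytes:
    """Assemble a constructed MBR for the example (not a real disk image)."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if e.bootable else 0x00, b"\xfe\xff\xff",
                    e.type_id, b"\xfe\xff\xff", e.lba_start, e.sectors)
        for e in entries)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
            + table.ljust(64, b"\x00") + b"\x55\xaa")


# Constructed layout: one bootable NTFS partition starting at LBA 63 (XP-era default).
LAYOUT = [PartitionEntry(bootable=True, type_id=0x07, lba_start=63, sectors=62_910_477)]
# Stand-in boot code; the prologue mimics a typical MBR (xor ax,ax / mov ss,ax / mov sp,7C00h).
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", LAYOUT)
# Same partition table, different code: the pattern an MBR rootkit leaves behind.
INFECTED_MBR = build_mbr(b"\xeb\x4c" + b"\x90" * 30, LAYOUT)


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of the first disk on Windows (needs admin). Not called here."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    print(compare_to_baseline(INFECTED_MBR, CLEAN_MBR))
    print(boot_code_sha256(CLEAN_MBR), boot_code_sha256(INFECTED_MBR))
```

The baseline to compare against is whatever known-good MBR you have: a copy taken before the incident, or the stock boot code of the same Windows version. Note that a rootkit that hooks the disk driver can serve the original sector back to user-mode readers, which is why GMER reads the sector through its own driver; a clean comparison from inside the running system proves less than one taken from boot media.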


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:03:06 PM

Posted 25 May 2010 - 09:26 PM

Hello, nemsawy.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to create an OTL report
  1. Please download OTL
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the Run Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


In your next reply, please include the following:
  • OTL.txt
  • Extra.txt

Edited by aommaster, 25 May 2010 - 09:27 PM.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
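
What a responder actually looks for in those two reports is a handful of patterns in the PRC/MOD/SRV/DRV lines: a file with no publisher string (the empty parentheses OTL prints when version information is missing), a random-looking eight-hex-character name sitting in a Windows system directory, a file timestamp very close to the scan time, and an auto-start service or driver that combines those. The following is an added example, not code from the original thread or from OldTimer's tool: a Python parser for OTL's line format that scores entries on exactly those heuristics. The sample lines are constructed in OTL's format for the example and the scan time is an assumption; the heuristics rank entries for manual review, they do not decide anything on their own.

```python
r"""Triage the PRC/MOD/SRV/DRV lines of an OTL report (added example;
sample lines are constructed in OTL's format, scan time is assumed).

Shape of one OTL entry:
KIND[:64bit:] - [date time | size | attrs | M/C] (publisher) [state] -- path [-- (service name)]
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

OTL_LINE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV)(?P<arch>:64bit:)? - "
    r"\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<mc>[MC])\] "
    r"\((?P<publisher>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])? -- (?P<path>.+?)"
    r"(?: -- \((?P<name>[^)]*)\))?$"
)
# Eight hex characters plus a PE extension: the naming pattern of many droppers.
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.(exe|dll|sys)$", re.IGNORECASE)


def parse_line(line: str) -> dict | None:
    """Return the fields of one OTL entry, or None for lines of other kinds."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["stamp"] = datetime.strptime(e["stamp"], "%Y/%m/%d %H:%M:%S")
    e["size"] = int(e["size"].replace(",", ""))
    e["publisher"] = e["publisher"].strip()
    return e


def triage(lines: list[str], scan_time: datetime,
           recent_days: int = 3) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for each entry that trips a heuristic, most reasons first."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        path = e["path"]
        low = path.lower()
        basename = low.rsplit("\\", 1)[-1]
        in_windows_dir = "\\windows\\" in low
        reasons = []
        if not e["publisher"]:
            reasons.append("no publisher/version info")
        if in_windows_dir and HEX_NAME.match(basename):
            reasons.append("random-looking hex filename in a Windows system directory")
        if scan_time - e["stamp"] <= timedelta(days=recent_days):
            reasons.append(f"file timestamp within {recent_days} days of the scan")
        if (e["kind"] in ("SRV", "DRV") and e["state"] and "Auto" in e["state"]
                and not e["publisher"]):
            reasons.append("auto-start service/driver without a publisher")
        if reasons:
            findings.append((path, reasons))
    findings.sort(key=lambda f: -len(f[1]))
    return findings


SCAN_TIME = datetime(2010, 5, 25, 22, 38, 53)  # assumed scan time for the sample
SAMPLE_LINES = [  # constructed in OTL's format
    "PRC - [2010/05/19 19:41:48 | 000,136,176 | ---- | M] (Google Inc.) -- "
    "C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Update\\GoogleCrashHandler.exe",
    "SRV:64bit: - [2008/03/13 17:49:56 | 000,472,320 | ---- | M] (ESET) [Auto | Running] -- "
    "C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\x86\\ekrn.exe -- (ekrn)",
    "SRV - [2010/05/23 07:16:36 | 000,075,264 | ---- | M] () [Auto | Stopped] -- "
    "C:\\WINDOWS\\SysWOW64\\f3a3a069.exe -- (MSWU-f3a3a069)",
    "DRV - [2009/03/18 05:16:15 | 000,019,952 | ---- | M] () [Kernel | On_Demand | Stopped] -- "
    "D:\\Program Files\\RivaTuner v2.24\\RivaTuner64.sys -- (RivaTuner64)",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES, SCAN_TIME):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

A missing publisher on its own is weak evidence (plenty of legitimate tools and most drivers from small vendors carry no version resource), which is why the output is a ranking by number of reasons rather than a verdict; the top entry is what you pull the file for, hash it and look it up before deciding anything.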


#3 nemsawy

nemsawy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:06 AM

Posted 25 May 2010 - 09:48 PM

Thank you for replying, aommaster.

I've run OTL as you asked and checked "Scan all users", but it only gave me OTL.txt, and no Extra.txt.

Here it is:


OTL logfile created on: 5/25/2010 10:38:53 PM - Run 2
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Administrator\Desktop
64bit-Windows Server 2003 Service Pack 2 (Version = 5.2.3790) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 52.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 30.00 Gb Total Space | 1.15 Gb Free Space | 3.83% Space Free | Partition Type: NTFS
Drive D: | 97.65 Gb Total Space | 9.70 Gb Free Space | 9.94% Space Free | Partition Type: NTFS
Drive E: | 21.40 Gb Total Space | 16.71 Gb Free Space | 78.11% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPUTERNAME
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/19 19:41:48 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
PRC - [2010/05/19 13:16:40 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/05/07 14:33:10 | 001,809,680 | ---- | M] (Orbitdownloader.com) -- C:\Program Files (x86)\Orbitdownloader\orbitdm.exe
PRC - [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/12/03 09:54:40 | 000,557,056 | ---- | M] (Orbitdownloader.com) -- C:\Program Files (x86)\Orbitdownloader\orbitnet.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/03/13 17:49:56 | 000,472,320 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
PRC - [2007/08/08 10:25:08 | 000,836,904 | ---- | M] (Nero AG) -- D:\Program Files\Nero 8\Nero BackItUp\NBService.exe
PRC - [2007/08/03 13:51:18 | 001,422,632 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2007/08/03 13:51:06 | 000,202,024 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe
PRC - [2007/02/18 07:05:40 | 001,681,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2007/01/19 13:54:14 | 000,097,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\MSN Messenger\usnsvc.exe


========== Modules (SafeList) ==========

MOD - [2010/05/19 13:16:40 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2007/02/18 07:05:42 | 000,098,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\msscript.ocx
MOD - [2007/02/18 07:05:38 | 000,177,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\MSCTFIME.IME
MOD - [2007/02/18 07:05:22 | 000,797,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\comres.dll
MOD - [2007/02/18 07:05:22 | 000,273,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\comdlg32.dll
MOD - [2007/02/17 01:58:24 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\wow64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5FA17F4E\comctl32.dll
MOD - [2005/03/25 00:00:00 | 000,178,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2008/03/13 17:55:30 | 000,021,760 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV:64bit: - [2008/03/13 17:49:56 | 000,472,320 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe -- (ekrn)
SRV:64bit: - [2006/11/03 20:36:20 | 000,014,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2010/05/23 07:16:36 | 000,075,264 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\SysWOW64\f3a3a069.exe -- (MSWU-f3a3a069)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/07/25 10:13:48 | 000,093,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)
SRV - [2008/07/25 10:13:44 | 000,046,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/05/30 12:32:16 | 000,572,416 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2007/08/08 10:25:08 | 000,836,904 | ---- | M] (Nero AG) [Auto | Running] -- D:\Program Files\Nero 8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3)
SRV - [2007/02/16 20:44:20 | 000,077,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/01/19 13:54:14 | 000,097,136 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files (x86)\MSN Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2006/10/18 20:05:24 | 000,913,408 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2005/03/25 00:00:00 | 000,162,816 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SysWOW64\iasrecst.dll -- (IASJet)


========== Driver Services (SafeList) ==========

DRV - [2009/03/18 05:16:15 | 000,019,952 | ---- | M] () [Kernel | On_Demand | Stopped] -- D:\Program Files\RivaTuner v2.24\RivaTuner64.sys -- (RivaTuner64)
DRV - [2007/12/01 11:07:13 | 000,086,016 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SysWOW64\mdmxsdk.dll -- (mdmxsdk)
DRV - [2007/01/12 11:55:00 | 000,013,632 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\U-ABIT\FlashMenu\WinFlash64.sys -- (WINFLASH)
DRV - [2005/03/25 00:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\SysWOW64\mnmdd.dll -- (mnmdd)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-3149585442-3551977217-521807796-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKU\S-1-5-21-3149585442-3551977217-521807796-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-3149585442-3551977217-521807796-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKU\S-1-5-21-3149585442-3551977217-521807796-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-3149585442-3551977217-521807796-500\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3149585442-3551977217-521807796-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "megaup"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "megaup"
FF - prefs.js..browser.search.selectedEngine: "search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://ca.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {DCBD1271-D228-4082-9FBC-36D9B7660B03}:1.1.9.1
FF - prefs.js..extensions.enabledItems: anttoolbar@ant.com:2.0.1
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.21
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: {a6e4a4eb-d169-4e99-8988-250fcbafe767}:2.5.6.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {35379F86-8CCB-4724-AE33-4278DE266C70}:1.0.5
FF - prefs.js..extensions.enabledItems: OpenXMLViewer@Codeplex.com:1.0.1
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.94
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..extensions.enabledItems: yamlitoolbar@yamli.com:1.0.6
FF - prefs.js..keyword.URL: "http://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/05/18 16:38:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/05/19 16:15:29 | 000,000,000 | ---D | M]

[2010/04/12 17:48:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/04/12 17:48:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/05/18 02:40:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions
[2010/04/28 05:32:01 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010/04/28 05:32:02 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/03/05 01:30:26 | 000,000,000 | ---D | M] (Mega Manager Integration) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{40a1f5d7-afc2-498f-b264-02668d616ff6}
[2010/04/02 12:18:43 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/03/05 01:29:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{991A772A-BA13-4c1d-A9EF-F897F31DEC7D}
[2009/02/17 00:38:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{9DA9C4D2-7C4F-4336-8DD7-4DFF13E3B8C7}
[2009/02/18 10:05:47 | 000,000,000 | ---D | M] (jDownFF) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{a3b24d40-bac4-11dc-95ff-0800200c9a66}
[2010/04/02 12:18:41 | 000,000,000 | ---D | M] (isoHunt Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{a6e4a4eb-d169-4e99-8988-250fcbafe767}
[2009/03/06 16:26:51 | 000,000,000 | ---D | M] (XE.com Universal Currency Converter ) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{d176c86a-1eac-2cce-1757-bc0dbc6c526c}
[2010/04/02 12:18:42 | 000,000,000 | ---D | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{DCBD1271-D228-4082-9FBC-36D9B7660B03}
[2010/04/16 04:51:15 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/04/02 12:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\anttoolbar@ant.com
[2008/08/19 18:24:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\bkmrksync@nokia.com
[2008/08/20 03:32:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\imagedownload@whygudu.iblog.cn
[2009/02/18 17:07:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\OpenXMLViewer@Codeplex.com
[2010/04/04 18:58:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\yamlitoolbar@yamli.com
[2009/05/11 12:33:51 | 000,002,083 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\searchplugins\uncyclopedia-en.xml
[2010/04/29 10:38:21 | 000,000,713 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\searchplugins\webster.xml
[2010/04/29 10:26:42 | 000,001,685 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\searchplugins\wiktionary-en.xml
[2010/05/24 13:32:37 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2008/07/23 12:48:04 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Mozilla Firefox\plugins\msvcm80.dll
[2008/07/23 12:48:04 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Mozilla Firefox\plugins\msvcp80.dll
[2008/07/23 12:48:06 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Mozilla Firefox\plugins\msvcr80.dll

Hosts file not found
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files (x86)\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files (x86)\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (IeMonitorBho Class) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - D:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll (Megaupload Limited)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Veoh Browser Plug-in) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files (x86)\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (Veoh Networks Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-3149585442-3551977217-521807796-500\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4:64bit: - HKLM..\Run: [AlcWzrd] C:\WINDOWS\alcwzrd.exe (RealTek Semicoductor Corp.)
O4:64bit: - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4:64bit: - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [KernelFaultCheck] File not found
O4:64bit: - HKLM..\Run: [MSPY2002] C:\WINDOWS\SysNative\IME\PINTLGNT\ImScInst.exe File not found
O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\SysNative\NvCpl.DLL File not found
O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\SysNative\NvMcTray.DLL File not found
O4:64bit: - HKLM..\Run: [nwiz] File not found
O4:64bit: - HKLM..\Run: [PHIME2002A] C:\WINDOWS\SysNative\IME\TINTLGNT\TINTSETP.EXE File not found
O4:64bit: - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\SysNative\IME\TINTLGNT\TINTSETP.EXE File not found
O4:64bit: - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4:64bit: - HKLM..\Run: [SoundMan] C:\WINDOWS\SoundMan.exe (Realtek Semiconductor Corp.)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Emurayden PSX Emulator] File not found
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME (x86)\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [NBKeyScan] D:\Program Files\Nero 8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [MsnMsgr] C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [MsnMsgr] C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [MsnMsgr] C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [MsnMsgr] C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3149585442-3551977217-521807796-500..\Run: [] File not found
O4 - HKU\S-1-5-21-3149585442-3551977217-521807796-500..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-3149585442-3551977217-521807796-500..\Run: [cdloader] C:\Documents and Settings\Administrator\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKU\S-1-5-21-3149585442-3551977217-521807796-500..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3149585442-3551977217-521807796-500..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\.DEFAULT..\RunOnce: [nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - HKU\S-1-5-18..\RunOnce: [nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - HKU\S-1-5-19..\RunOnce: [nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk = C:\Program Files (x86)\Orbitdownloader\orbitdm.exe (Orbitdownloader.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3149585442-3551977217-521807796-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: &Download by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8:64bit: - Extra context menu item: &Grab video by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8:64bit: - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8:64bit: - Extra context menu item: Down&load all by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Download by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O9:64bit: - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Yahoo! Search Protection - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files (x86)\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\SysNative\wiascr.dll File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UIHost - (%SystemRoot%\system32\logonui.exe) - C:\WINDOWS\SysNative\logonui.exe File not found
O20:64bit: - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: System - (lsass.exe) - File not found
O20:64bit: - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - File not found
O20:64bit: - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - File not found
O20:64bit: - Winlogon\Notify\cscdll: DllName - cscdll.dll - File not found
O20:64bit: - Winlogon\Notify\dimsntfy: DllName - dimsntfy.dll - File not found
O20:64bit: - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found
O20:64bit: - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found
O20:64bit: - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - File not found
O20:64bit: - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found
O20:64bit: - Winlogon\Notify\termsrv: DllName - Reg Error: Value error. - File not found
O20:64bit: - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found
O20 - Winlogon\Notify\termsrv: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found
O21:64bit: - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\SysNative\stobject.dll File not found
O21:64bit: - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\SysNative\WPDShServiceObj.dll File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28:64bit: - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28:64bit: - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/19 04:46:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/24 13:49:54 | 000,208,896 | ---- | C] (www.mp3dev.org) -- C:\Documents and Settings\Administrator\Desktop\lame_enc.dll
[2010/05/24 13:46:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Audacity
[2010/05/24 13:32:21 | 000,090,112 | RHS- | C] (-) -- C:\WINDOWS\SysWow64\TTADSSplitter.ax
[2010/05/24 13:32:21 | 000,090,112 | RHS- | C] (-) -- C:\WINDOWS\SysWow64\TTADSDecoder.ax
[2010/05/24 13:32:20 | 000,092,672 | RHS- | C] (RadLight) -- C:\WINDOWS\SysWow64\RLVorbisDec.ax
[2010/05/24 13:32:20 | 000,067,584 | RHS- | C] (RadLight, LLC) -- C:\WINDOWS\SysWow64\RLTheoraDec.ax
[2010/05/24 13:32:19 | 000,186,880 | RHS- | C] (RadLight) -- C:\WINDOWS\SysWow64\RLOgg.ax
[2010/05/24 13:32:15 | 000,161,792 | RHS- | C] (Gabest) -- C:\WINDOWS\SysWow64\RealMediaDX.ax
[2010/05/24 13:32:12 | 000,216,064 | RHS- | C] (MONOGRAM Multimedia, s.r.o.) -- C:\WINDOWS\SysWow64\nbDX.dll
[2010/05/24 13:32:11 | 000,031,232 | RHS- | C] (Hans Mayerl) -- C:\WINDOWS\SysWow64\msfDX.dll
[2010/05/24 13:32:09 | 000,169,472 | RHS- | C] (Gabest) -- C:\WINDOWS\SysWow64\MatroskaDX.ax
[2010/05/24 13:32:08 | 000,163,328 | RHS- | C] (Gabest) -- C:\WINDOWS\SysWow64\flvDX.dll
[2010/05/24 13:32:06 | 000,179,200 | RHS- | C] (Gabest) -- C:\WINDOWS\SysWow64\DiracSplitter.ax
[2010/05/24 13:32:05 | 000,123,904 | RHS- | C] (CoreCodec) -- C:\WINDOWS\SysWow64\AVCDX.ax
[2010/05/24 13:30:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\eRightSoft
[2010/05/24 13:23:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AviSynth 2.5
[2010/05/23 07:55:55 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/05/23 07:21:08 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\MSMHE
[2010/05/23 07:19:56 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\fa9e0c2
[2010/05/23 03:47:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\nullDC
[2010/05/23 02:28:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Romcenter
[2010/05/23 02:28:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\romcenter
[2010/05/21 00:11:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fnafrvgrn
[2010/05/19 19:41:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp
[2010/05/19 19:41:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2010/05/19 19:41:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Deployment
[2010/05/19 16:08:38 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/19 16:08:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\setupupd
[2010/05/18 16:20:15 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/05/18 06:56:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Alcohol Soft
[2010/05/14 19:11:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/05/14 02:16:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2010/05/14 02:16:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/13 00:47:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/05/13 00:46:58 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\SysWow64\drivers\mbamswissarmy.sys
[2010/05/13 00:46:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/05/13 00:46:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/12 08:08:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Orbitdownloader
[2010/05/03 14:07:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Help
[2010/05/03 14:04:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Power Psx Tools GUI
[2010/04/30 17:41:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Tekken 3 Music
[2010/04/30 17:38:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Easy CD-DA Extractor
[2010/04/30 17:38:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Easy CD-DA Extractor
[2010/04/30 17:37:58 | 000,000,000 | ---D | C] -- C:\Program Files\Easy CD-DA Extractor 2010
[2010/04/30 13:18:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\388A26B9B1D42D0A5A214C94C07E5D21
[2010/04/29 12:15:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Downloads
[2010/04/26 02:18:14 | 000,000,000 | ---D | C] -- C:\Better Off Ted
[6 C:\WINDOWS\SysWow64\*.tmp files -> C:\WINDOWS\SysWow64\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Administrator\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/25 21:46:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3149585442-3551977217-521807796-500UA.job
[2010/05/25 19:46:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3149585442-3551977217-521807796-500Core.job
[2010/05/25 14:35:41 | 000,103,424 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/25 13:50:58 | 000,071,168 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Withdrawal.doc
[2010/05/25 13:30:18 | 013,107,200 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/05/25 13:01:14 | 000,187,612 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\cp13-eng.pdf
[2010/05/25 13:00:17 | 000,210,251 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\cp14-eng.pdf
[2010/05/25 02:02:00 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/24 13:46:22 | 000,000,660 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Audacity.lnk
[2010/05/24 13:33:23 | 003,029,668 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\14 Desert.mp3
[2010/05/24 13:32:21 | 000,001,743 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPER Uninstall.lnk
[2010/05/24 13:32:21 | 000,001,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPER .lnk
[2010/05/24 13:10:46 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/24 11:56:10 | 080,983,388 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\garou (1).zip
[2010/05/23 11:04:41 | 000,001,596 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
[2010/05/23 10:33:47 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/23 10:33:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/23 10:31:12 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/05/23 08:36:29 | 000,002,581 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\nullDC v1.0.0 Beta 1.lnk
[2010/05/23 08:00:54 | 000,000,664 | ---- | M] () -- C:\WINDOWS\SysWow64\d3d9caps.dat
[2010/05/23 07:48:15 | 000,000,726 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MalwareBytes Anti-Malware.exe.lnk
[2010/05/23 07:16:41 | 000,176,128 | ---- | M] () -- C:\WINDOWS\Vbafaa.exe
[2010/05/23 07:16:36 | 000,075,264 | ---- | M] () -- C:\WINDOWS\SysWow64\f3a3a069.exe
[2010/05/23 02:38:52 | 004,239,112 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/05/23 02:28:47 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RomCenter.lnk
[2010/05/23 01:38:48 | 038,425,374 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\garoup.zip
[2010/05/23 01:35:03 | 023,191,633 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\garoun.zip
[2010/05/23 01:11:10 | 038,576,533 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\garou.zip
[2010/05/21 09:10:45 | 000,001,028 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\magicJack.lnk
[2010/05/21 00:48:46 | 000,000,098 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/05/21 00:13:19 | 000,059,915 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe
[2010/05/19 19:43:44 | 000,002,344 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2010/05/19 16:08:50 | 000,000,430 | RHS- | M] () -- C:\boot.ini
[2010/05/19 16:03:56 | 000,000,327 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\ax_files.xml
[2010/05/19 16:01:20 | 000,000,430 | RHS- | M] () -- C:\Boot.BAK
[2010/05/19 13:16:40 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/05/18 16:39:01 | 000,001,656 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/18 16:12:00 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2010/05/14 02:37:38 | 000,000,371 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/05/14 02:16:27 | 000,000,975 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010/05/14 01:58:31 | 000,131,136 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Tekken 3 Memory.mem
[2010/05/13 00:40:38 | 133,003,832 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Old Registry.reg
[2010/05/12 08:08:13 | 000,000,768 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Orbit.lnk
[2010/05/03 16:31:19 | 474,677,721 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Tekken 3 [By Diabolicus].rar
[2010/04/30 17:38:05 | 000,001,676 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Easy CD-DA Extractor.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\SysWow64\drivers\mbamswissarmy.sys
[2010/04/28 06:00:52 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\All Users\ntuser.dat
[2010/04/27 08:00:05 | 366,700,282 | ---- | M] () -- C:\Chuck.S03E14.HDTV.XviD-LOL.avi
[6 C:\WINDOWS\SysWow64\*.tmp files -> C:\WINDOWS\SysWow64\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\Administrator\Local Settings\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/25 13:01:13 | 000,187,612 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\cp13-eng.pdf
[2010/05/25 13:00:17 | 000,210,251 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\cp14-eng.pdf
[2010/05/24 13:46:22 | 000,000,660 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Audacity.lnk
[2010/05/24 13:33:22 | 003,029,668 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\14 Desert.mp3
[2010/05/24 13:32:21 | 000,001,743 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPER Uninstall.lnk
[2010/05/24 13:32:21 | 000,001,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPER .lnk
[2010/05/24 13:32:20 | 000,051,712 | RHS- | C] () -- C:\WINDOWS\SysWow64\RLSpeexDec.ax
[2010/05/24 13:32:17 | 000,107,520 | RHS- | C] () -- C:\WINDOWS\SysWow64\RLMPCDec.ax
[2010/05/24 13:32:16 | 000,070,656 | RHS- | C] () -- C:\WINDOWS\SysWow64\RLAPEDec.ax
[2010/05/24 13:32:09 | 000,120,832 | RHS- | C] () -- C:\WINDOWS\SysWow64\MPCDx.ax
[2010/05/24 13:32:06 | 000,097,280 | RHS- | C] () -- C:\WINDOWS\SysWow64\FLACDX.ax
[2010/05/24 13:32:05 | 000,175,104 | RHS- | C] () -- C:\WINDOWS\SysWow64\CoreAAC.ax
[2010/05/24 13:32:04 | 000,081,920 | RHS- | C] () -- C:\WINDOWS\SysWow64\aac_parser.ax
[2010/05/24 11:53:48 | 080,983,388 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\garou (1).zip
[2010/05/23 10:31:11 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_disable.log
[2010/05/23 10:31:11 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/05/23 08:00:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\SysWow64\d3d9caps.dat
[2010/05/23 07:16:51 | 000,176,128 | ---- | C] () -- C:\WINDOWS\Vbafaa.exe
[2010/05/23 07:16:39 | 000,075,264 | ---- | C] () -- C:\WINDOWS\SysWow64\f3a3a069.exe
[2010/05/23 03:47:47 | 000,002,581 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\nullDC v1.0.0 Beta 1.lnk
[2010/05/23 02:28:47 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RomCenter.lnk
[2010/05/23 01:37:19 | 038,425,374 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\garoup.zip
[2010/05/23 01:33:58 | 023,191,633 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\garoun.zip
[2010/05/23 01:05:22 | 038,576,533 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\garou.zip
[2010/05/21 00:13:18 | 000,059,915 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe
[2010/05/19 19:43:44 | 000,002,344 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2010/05/19 19:43:30 | 000,001,596 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
[2010/05/19 19:41:51 | 000,001,010 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3149585442-3551977217-521807796-500UA.job
[2010/05/19 19:41:51 | 000,000,958 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3149585442-3551977217-521807796-500Core.job
[2010/05/18 07:00:56 | 000,000,327 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\ax_files.xml
[2010/05/18 07:00:15 | 000,300,144 | RHS- | C] () -- C:\cmldr
[2010/05/14 02:37:36 | 000,000,371 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/05/14 02:16:27 | 000,000,975 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010/05/13 00:47:00 | 000,000,726 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MalwareBytes Anti-Malware.exe.lnk
[2010/05/13 00:40:26 | 133,003,832 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Old Registry.reg
[2010/05/12 12:42:05 | 000,131,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Tekken 3 Memory.mem
[2010/05/12 08:08:13 | 000,000,768 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Orbit.lnk
[2010/05/03 16:31:19 | 474,677,721 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Tekken 3 [By Diabolicus].rar
[2010/04/30 17:38:05 | 000,001,676 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Easy CD-DA Extractor.lnk
[2010/04/28 06:00:52 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat
[2010/04/28 06:00:52 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2010/04/27 08:00:06 | 366,700,282 | ---- | C] () -- C:\Chuck.S03E14.HDTV.XviD-LOL.avi
[2009/09/11 03:20:29 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SysWow64\MF.dll
[2009/08/07 19:51:34 | 000,178,430 | ---- | C] () -- C:\WINDOWS\SysWow64\xlive.dll.cat
[2009/03/25 16:19:45 | 000,541,752 | ---- | C] () -- C:\WINDOWS\SysWow64\PerfStringBackup.INI
[2009/03/05 01:59:22 | 000,000,050 | ---- | C] () -- C:\WINDOWS\MegaManager.INI
[2009/03/03 06:58:24 | 000,044,646 | ---- | C] () -- C:\WINDOWS\SysWow64\FlashMenu.sys
[2009/03/03 06:49:12 | 000,013,632 | ---- | C] () -- C:\WINDOWS\SysWow64\drivers\WinFlash64.sys
[2009/01/30 07:08:05 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2009/01/30 07:08:04 | 000,047,616 | ---- | C] () -- C:\WINDOWS\SysWow64\pdf995mon64.dll
[2009/01/28 11:49:32 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/28 11:40:43 | 000,002,623 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2008/12/22 03:42:47 | 000,000,015 | ---- | C] () -- C:\WINDOWS\entpack.ini
[2008/10/07 06:01:40 | 000,027,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AVSredirect.dll
[2008/08/30 08:21:00 | 000,044,544 | ---- | C] () -- C:\WINDOWS\SysWow64\Gif89.dll
[2008/08/21 03:33:43 | 000,164,352 | ---- | C] () -- C:\WINDOWS\SysWow64\unrar.dll
[2008/08/21 03:33:36 | 000,755,027 | ---- | C] () -- C:\WINDOWS\SysWow64\xvidcore.dll
[2008/08/21 03:33:36 | 000,612,864 | ---- | C] () -- C:\WINDOWS\SysWow64\x264vfw.dll
[2008/08/21 03:33:36 | 000,159,839 | ---- | C] () -- C:\WINDOWS\SysWow64\xvidvfw.dll
[2008/08/21 03:33:28 | 000,007,680 | ---- | C] () -- C:\WINDOWS\SysWow64\ff_vfw.dll
[2008/08/21 03:33:28 | 000,000,547 | ---- | C] () -- C:\WINDOWS\SysWow64\ff_vfw.dll.manifest
[2008/07/23 12:50:52 | 003,596,288 | ---- | C] () -- C:\WINDOWS\SysWow64\qt-dx331.dll
[2007/10/04 04:14:00 | 001,478,656 | ---- | C] () -- C:\WINDOWS\SysWow64\nview.dll
[2007/10/04 04:14:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\SysWow64\nvwimg.dll
[2007/03/29 23:00:40 | 000,203,264 | R--- | C] () -- C:\WINDOWS\SysWow64\CddbCdda.dll
[2007/02/18 07:05:48 | 000,276,992 | ---- | C] () -- C:\WINDOWS\SysWow64\sbe.dll
[2007/02/18 07:05:46 | 001,278,464 | ---- | C] () -- C:\WINDOWS\SysWow64\quartz.dll
[2007/02/18 07:05:46 | 000,512,512 | ---- | C] () -- C:\WINDOWS\SysWow64\qedit.dll
[2007/02/18 07:05:46 | 000,385,536 | ---- | C] () -- C:\WINDOWS\SysWow64\qdvd.dll
[2007/02/18 07:05:46 | 000,279,040 | ---- | C] () -- C:\WINDOWS\SysWow64\qdv.dll
[2007/02/18 07:05:46 | 000,192,512 | ---- | C] () -- C:\WINDOWS\SysWow64\qcap.dll
[2007/02/18 07:05:34 | 000,062,464 | ---- | C] () -- C:\WINDOWS\SysWow64\mciqtz32.dll
[2007/02/18 07:05:28 | 000,396,288 | ---- | C] () -- C:\WINDOWS\SysWow64\encdec.dll
[2007/02/18 07:05:24 | 000,061,440 | ---- | C] () -- C:\WINDOWS\SysWow64\devenum.dll
[2007/02/18 07:05:20 | 000,072,704 | ---- | C] () -- C:\WINDOWS\SysWow64\amstream.dll
[2005/03/25 00:00:00 | 000,733,696 | ---- | C] () -- C:\WINDOWS\SysWow64\qedwipes.dll
[2005/03/25 00:00:00 | 000,498,742 | ---- | C] () -- C:\WINDOWS\SysWow64\dxmasf.dll
[2005/03/25 00:00:00 | 000,355,112 | ---- | C] () -- C:\WINDOWS\SysWow64\msjetoledb40.dll
[2005/03/25 00:00:00 | 000,199,168 | ---- | C] () -- C:\WINDOWS\SysWow64\ir32_32.dll
[2005/03/25 00:00:00 | 000,114,688 | ---- | C] () -- C:\WINDOWS\SysWow64\msencode.dll
[2005/03/25 00:00:00 | 000,016,896 | ---- | C] () -- C:\WINDOWS\SysWow64\tsd32.dll
[2005/03/25 00:00:00 | 000,014,336 | ---- | C] () -- C:\WINDOWS\SysWow64\msdmo.dll
[2005/03/25 00:00:00 | 000,004,126 | ---- | C] () -- C:\WINDOWS\SysWow64\msdxmlc.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DE406C3E
< End of report >
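
As an added example (not part of the thread, and not OTL's own logic), here is a small Python triage script for the "Files/Folders - Created" lines in the log above. It parses OTL's bracketed entry format and flags entries that deserve a second look: hidden+system folders under Application Data and executables with no company name in system or profile paths, which in this log are fa9e0c2, MSMHE, Vbafaa.exe, f3a3a069.exe and syssvc.exe. The heuristics and the path lists are this example's own assumptions, not rules from OTL or the helper.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One OTL entry looks like:
#   [2010/05/23 07:16:51 | 000,176,128 | ---- | C] () -- C:\WINDOWS\Vbafaa.exe
# Folders carry no "(company)" group; attrs are R/H/S/D flags or '-'.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Assumed heuristics for this example: locations where an executable
# with no company name is worth a closer look.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\documents and settings\\")
EXEC_EXT = (".exe", ".dll", ".sys")
RANDOM_EXE = re.compile(r"[a-z0-9]{6,8}\.exe")


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str      # e.g. "RHS-", "-HSD", "----"
    kind: str       # C = created, M = modified
    company: Optional[str]
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.endswith("D")

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL line; return None for headers, blanks or summary lines."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return Entry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        kind=m.group("kind"),
        company=m.group("company") or None,
        path=m.group("path"),
    )


def parse_entries(log_text: str) -> List[Entry]:
    return [e for e in map(parse_line, log_text.splitlines()) if e is not None]


def reasons(entry: Entry) -> List[str]:
    """Return the triage reasons (possibly none) for a single entry."""
    low = entry.path.lower()
    name = low.rsplit("\\", 1)[-1]
    in_system = low.startswith(SYSTEM_PREFIXES) and "\\desktop\\" not in low
    out: List[str] = []
    if entry.is_dir and entry.hidden_system and "application data" in low:
        out.append("hidden+system folder under Application Data")
    if not entry.is_dir and name.endswith(EXEC_EXT) and entry.company is None and in_system:
        out.append("executable with no company name in system/profile path")
    if not entry.is_dir and in_system and RANDOM_EXE.fullmatch(name):
        out.append("short random-looking executable name")
    return out


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; clean entries are omitted."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_entries(log_text):
        why = reasons(entry)
        if why:
            flagged[entry.path] = why
    return flagged


# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = r"""
[2010/05/24 13:46:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Audacity
[2010/05/23 07:21:08 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\MSMHE
[2010/05/23 07:19:56 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\fa9e0c2
[2010/05/13 00:46:58 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\SysWow64\drivers\mbamswissarmy.sys
[2010/05/23 07:16:51 | 000,176,128 | ---- | C] () -- C:\WINDOWS\Vbafaa.exe
[2010/05/23 07:16:39 | 000,075,264 | ---- | C] () -- C:\WINDOWS\SysWow64\f3a3a069.exe
[2010/05/21 00:13:18 | 000,059,915 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe
[2010/05/24 13:49:54 | 000,208,896 | ---- | C] (www.mp3dev.org) -- C:\Documents and Settings\Administrator\Desktop\lame_enc.dll
"""

if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(f"{path}\n    - " + "\n    - ".join(why))
```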


#4 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 25 May 2010 - 10:03 PM

Hello, nemsawy.
No problem :)

Could you please describe what problems you are having?
We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click Mode and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press yes
  5. Click on Tools
  6. Click on Resident
  7. Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy


NEXT:

We need to run HostXpert
  1. Download HostsXpert.zip
  2. Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  3. Double-click HostsXpert.exe to run the program.
  4. Click "Make Hosts Writable?" in the upper right corner (If available).
  5. Click "Restore Microsoft's Hosts file" and then click "OK".
  6. Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

NEXT:

We need to run HAMeb_check
  1. Download HAMeb_check.exe to your desktop
  2. Run HAMeb_check
  3. Post the contents of the resulting log.

NEXT:

We need to run an OTM script
  1. Double click the OTM icon on your desktop.
  2. Paste the following code under the Paste Instructions for Items to be Moved area. Do not include the word "Code".
    CODE
    :OTL
    O4 - HKU\S-1-5-21-3149585442-3551977217-521807796-500..\Run: [] File not found
    O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
    O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
    O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found

    :Files
    C:\Documents and Settings\All Users\Application Data\fa9e0c2
    C:\Documents and Settings\All Users\Application Data\MSMHE
    C:\WINDOWS\SysWow64\*.tmp
    C:\WINDOWS\*.tmp
    C:\Documents and Settings\Administrator\Local Settings\Application Data\*.tmp

    :Commands
    [EmptyTemp]
  3. Push the large MoveIt! button.
    **OTM may ask to reboot the machine. Please do so if asked.
  4. Copy/Paste the contents under the Results line here in your next reply.
  5. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


NEXT:

We need to run GooredFix
  1. Please download Gooredfix from one of the following mirrors:
    Download Mirror #1
    Download Mirror #2
  2. Ensure all Firefox windows are closed.
  3. Double-click Gooredfix.exe to run it.
  4. When prompted to run the scan, click Yes.
  5. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


In your next reply, please include the following:
  • HAMeb_check log
  • OTM Log
  • Goored.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 nemsawy
  • Topic Starter
  • Members
  • 6 posts

Posted 25 May 2010 - 11:06 PM

QUOTE(aommaster @ May 25 2010, 11:03 PM)
Could you please describe what problems you are having?

I'm getting frequent, unsolicited redirects to weird websites while browsing, and I have Mebroot.mbr detected on my system by NOD32.

HostsXpert gave me "Error: Cannot create file C:\WINDOWS\system32\DRIVERS\ETC\hosts".

HAMeb_check.exe gave me "This tool is not compatible with your system"

QUOTE(aommaster @ May 25 2010, 11:03 PM)
We need to run an OTM script

I'm sorry, but you only gave me instructions to download and run OTL. Can you please provide the link for OTM?

Also, here's the log by GooredFix:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 00:04 on 26/05/2010 (Administrator)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [08:47 19/08/2008]
{B13721C7-F507-4982-B2E5-502A71474FED} [20:37 24/08/2008]
{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} [10:50 19/08/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [10:43 19/08/2008]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [11:17 26/11/2008]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [23:22 16/02/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [07:32 17/04/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [19:20 09/09/2009]

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\
anttoolbar@ant.com [16:18 02/04/2010]
bkmrksync@nokia.com [22:24 19/08/2008]
imagedownload@whygudu.iblog.cn [07:32 20/08/2008]
OpenXMLViewer@Codeplex.com [21:07 18/02/2009]
yamlitoolbar@yamli.com [22:58 04/04/2010]
{19503e42-ca3c-4c27-b1e2-9cdb2170ee34} [09:32 28/04/2010]
{20a82645-c095-46ed-80e3-08825760534b} [09:32 28/04/2010]
{40a1f5d7-afc2-498f-b264-02668d616ff6} [05:30 05/03/2009]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [16:18 02/04/2010]
{991A772A-BA13-4c1d-A9EF-F897F31DEC7D} [05:29 05/03/2009]
{9DA9C4D2-7C4F-4336-8DD7-4DFF13E3B8C7} [04:38 17/02/2009]
{a3b24d40-bac4-11dc-95ff-0800200c9a66} [14:05 18/02/2009]
{a6e4a4eb-d169-4e99-8988-250fcbafe767} [16:18 02/04/2010]
{d176c86a-1eac-2cce-1757-bc0dbc6c526c} [20:26 06/03/2009]
{DCBD1271-D228-4082-9FBC-36D9B7660B03} [16:18 02/04/2010]
{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [08:51 16/04/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ff" [23:22 16/02/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:28 10/09/2009]

-=E.O.F=-

#6 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 25 May 2010 - 11:10 PM

Hi!

My apologies for that. Please copy and paste that script into OTL and click "Run custom fix". A log will be generated which you can post into your next reply.



#7 nemsawy
  • Topic Starter
  • Members
  • 6 posts

Posted 25 May 2010 - 11:17 PM

No worries!

Here you go:

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-3149585442-3551977217-521807796-500\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\application/octet-stream\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E66F26B-79EE-11D2-8710-00C04F79ED0D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\application/x-complus\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E66F26B-79EE-11D2-8710-00C04F79ED0D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\application/x-msdownload\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1E66F26B-79EE-11D2-8710-00C04F79ED0D}\ not found.
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\fa9e0c2\Quarantine Items folder moved successfully.
C:\Documents and Settings\All Users\Application Data\fa9e0c2\MSESys folder moved successfully.
C:\Documents and Settings\All Users\Application Data\fa9e0c2\BackUp folder moved successfully.
C:\Documents and Settings\All Users\Application Data\fa9e0c2 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\MSMHE folder moved successfully.
C:\WINDOWS\SysWow64\AUTOEXEC.TMP moved successfully.
C:\WINDOWS\SysWow64\CONFIG.TMP moved successfully.
C:\WINDOWS\SysWow64\SET22C.tmp moved successfully.
C:\WINDOWS\SysWow64\SET22E.tmp moved successfully.
C:\WINDOWS\SysWow64\SET23A.tmp moved successfully.
C:\WINDOWS\SysWow64\SET247.tmp moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
C:\WINDOWS\SET4.tmp moved successfully.
C:\WINDOWS\SET6.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\d3d9caps.tmp moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 62181307 bytes
->Temporary Internet Files folder emptied: 351430810 bytes
->Java cache emptied: 12439527 bytes
->FireFox cache emptied: 15466566 bytes
->Google Chrome cache emptied: 174036832 bytes
->Flash cache emptied: 37614 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 594370 bytes
->Temporary Internet Files folder emptied: 402 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 347562304 bytes
RecycleBin emptied: 174234289 bytes

Total Files Cleaned = 1,085.00 mb


OTL by OldTimer - Version 3.2.5.0 log created on 05262010_001349

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


#8 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 25 May 2010 - 11:28 PM

Hello, nemsawy.
Okay, let's take a look at the MBR
We need to run an MBR scan
  1. Please download MBR.exe and save it to your root directory (usually C:\).
  2. Now click Start > Run and copy/paste the following text in the box that opens. Do not copy the word "code".
    CODE
    C:\mbr.exe -t
  3. Press enter.
  4. An mbr.log should be created in your root directory. Please post its contents in your next reply.

In your next reply, please include the following:
  • mbr.exe log



#9 nemsawy

Posted 25 May 2010 - 11:32 PM

Here it is:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR


#10 aommaster

Posted 25 May 2010 - 11:37 PM

Hi!

Please boot into the recovery console and execute the following command:
fixmbr

You will receive a warning about partition tables; say yes and proceed with the command. Then, please reboot and post:
1. A fresh MBR log
2. A fresh OTL log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
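The mbr.exe log above reads the boot sector in two ways (user mode and kernel mode) so that the two copies can be compared; the helper below, added here as an example and not part of the thread or of Gmer's tool, shows the same idea on two constructed 512-byte MBR images: it sanity-checks an MBR's layout (boot signature, partition table) and reports which region differs between two captures, for instance a sector dumped before and after fixmbr. The sample boot code and partition values are made up for the example.

```python
"""
Added example (not part of the forum thread or of Gmer's mbr.exe): a small
forensic helper that parses a 512-byte Master Boot Record and compares two
captured MBR images region by region. The sample MBRs below are constructed
for the example; they are not the poster's real disk sectors.
"""
import struct

SECTOR_SIZE = 512
BOOT_CODE = slice(0, 440)        # bootstrap code
DISK_SIG = slice(440, 444)       # Windows disk signature
PART_TABLE = slice(446, 510)     # four 16-byte partition entries
BOOT_SIG = slice(510, 512)       # 0x55 0xAA


def parse_partitions(mbr: bytes) -> list[dict]:
    """Decode the four partition table entries (empty entries are skipped)."""
    entries = []
    for i in range(4):
        raw = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", raw)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes) -> list[str]:
    """Return the sanity problems found in one MBR image (empty list = looks sane)."""
    problems = []
    if len(mbr) != SECTOR_SIZE:
        return [f"expected {SECTOR_SIZE} bytes, got {len(mbr)}"]
    if mbr[BOOT_SIG] != b"\x55\xAA":
        problems.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if not parts:
        problems.append("no partitions defined")
    if len([p for p in parts if p["bootable"]]) > 1:
        problems.append("more than one partition flagged bootable")
    # Overlapping partitions are a classic sign of a tampered table.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append(f"partitions overlap at LBA {s2}")
    return problems


def compare_mbrs(a: bytes, b: bytes) -> dict[str, bool]:
    """Report which regions differ between two MBR images (True = differs)."""
    return {
        "boot_code": a[BOOT_CODE] != b[BOOT_CODE],
        "disk_signature": a[DISK_SIG] != b[DISK_SIG],
        "partition_table": a[PART_TABLE] != b[PART_TABLE],
        "boot_signature": a[BOOT_SIG] != b[BOOT_SIG],
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR: the given boot code plus one bootable NTFS partition."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:len(boot_code)] = boot_code
    mbr[DISK_SIG] = b"\x11\x22\x33\x44"                     # made-up disk signature
    # status 0x80 (bootable), type 0x07 (NTFS), start LBA 63, 62,910,540 sectors (~30 GB)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00",
                               0x07, b"\xfe\xff\xff", 63, 62910540)
    mbr[BOOT_SIG] = b"\x55\xAA"
    return bytes(mbr)


# Constructed samples: a "clean" MBR and a copy whose bootstrap code was replaced,
# the pattern an MBR rootkit leaves (partition table intact, boot code changed).
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 400)
PATCHED_MBR = build_sample_mbr(b"\xEA\x00\x7C\x00\x00" + b"\x00" * 400)

if __name__ == "__main__":
    print("clean MBR problems :", check_mbr(CLEAN_MBR) or "none")
    print("partitions         :", parse_partitions(CLEAN_MBR))
    print("regions differing  :", compare_mbrs(CLEAN_MBR, PATCHED_MBR))
```

On a real system the two inputs would be 512-byte dumps of sector 0 taken by a trusted tool; a difference confined to the boot code while the partition table matches is exactly the case the thread's MBR check is looking for.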


#11 nemsawy

Posted 25 May 2010 - 11:51 PM

OK, I ran fixmbr.

MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR

OTL log:

OTL logfile created on: 5/26/2010 12:49:38 AM - Run 3
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Administrator\Desktop
64bit-Windows Server 2003 Service Pack 2 (Version = 5.2.3790) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 30.00 Gb Total Space | 2.03 Gb Free Space | 6.77% Space Free | Partition Type: NTFS
Drive D: | 97.65 Gb Total Space | 9.86 Gb Free Space | 10.10% Space Free | Partition Type: NTFS
Drive E: | 21.40 Gb Total Space | 16.71 Gb Free Space | 78.11% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: COMPUTERNAME
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/19 19:41:48 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
PRC - [2010/05/19 13:16:40 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/12/03 09:54:40 | 000,557,056 | ---- | M] (Orbitdownloader.com) -- C:\Program Files (x86)\Orbitdownloader\orbitnet.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/03/13 17:49:56 | 000,472,320 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
PRC - [2007/08/08 10:25:08 | 000,836,904 | ---- | M] (Nero AG) -- D:\Program Files\Nero 8\Nero BackItUp\NBService.exe
PRC - [2007/08/03 13:51:18 | 001,422,632 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2007/08/03 13:51:06 | 000,202,024 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe
PRC - [2007/02/18 07:05:40 | 001,681,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe


========== Modules (SafeList) ==========

MOD - [2010/05/19 13:16:40 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2007/02/18 07:05:42 | 000,098,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\msscript.ocx
MOD - [2007/02/18 07:05:38 | 000,177,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\MSCTFIME.IME
MOD - [2007/02/18 07:05:22 | 000,797,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\comres.dll
MOD - [2007/02/18 07:05:22 | 000,273,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\comdlg32.dll
MOD - [2007/02/17 01:58:24 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\wow64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5FA17F4E\comctl32.dll
MOD - [2005/03/25 00:00:00 | 000,178,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2008/03/13 17:55:30 | 000,021,760 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV:64bit: - [2008/03/13 17:49:56 | 000,472,320 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe -- (ekrn)
SRV:64bit: - [2006/11/03 20:36:20 | 000,014,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2010/05/23 07:16:36 | 000,075,264 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\SysWOW64\f3a3a069.exe -- (MSWU-f3a3a069)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/07/25 10:13:48 | 000,093,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)
SRV - [2008/07/25 10:13:44 | 000,046,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/05/30 12:32:16 | 000,572,416 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2007/08/08 10:25:08 | 000,836,904 | ---- | M] (Nero AG) [Auto | Running] -- D:\Program Files\Nero 8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3)
SRV - [2007/02/16 20:44:20 | 000,077,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/01/19 13:54:14 | 000,097,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\MSN Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2006/10/18 20:05:24 | 000,913,408 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2005/03/25 00:00:00 | 000,162,816 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SysWOW64\iasrecst.dll -- (IASJet)


========== Driver Services (SafeList) ==========

DRV - [2009/03/18 05:16:15 | 000,019,952 | ---- | M] () [Kernel | On_Demand | Stopped] -- D:\Program Files\RivaTuner v2.24\RivaTuner64.sys -- (RivaTuner64)
DRV - [2007/12/01 11:07:13 | 000,086,016 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SysWOW64\mdmxsdk.dll -- (mdmxsdk)
DRV - [2007/01/12 11:55:00 | 000,013,632 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\U-ABIT\FlashMenu\WinFlash64.sys -- (WINFLASH)
DRV - [2005/03/25 00:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\SysWOW64\mnmdd.dll -- (mnmdd)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-3149585442-3551977217-521807796-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKU\S-1-5-21-3149585442-3551977217-521807796-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-3149585442-3551977217-521807796-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKU\S-1-5-21-3149585442-3551977217-521807796-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-3149585442-3551977217-521807796-500\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3149585442-3551977217-521807796-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "megaup"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "megaup"
FF - prefs.js..browser.search.selectedEngine: "search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://ca.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {DCBD1271-D228-4082-9FBC-36D9B7660B03}:1.1.9.1
FF - prefs.js..extensions.enabledItems: anttoolbar@ant.com:2.0.1
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.21
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
FF - prefs.js..extensions.enabledItems: {a6e4a4eb-d169-4e99-8988-250fcbafe767}:2.5.6.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {35379F86-8CCB-4724-AE33-4278DE266C70}:1.0.5
FF - prefs.js..extensions.enabledItems: OpenXMLViewer@Codeplex.com:1.0.1
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.94
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..extensions.enabledItems: yamlitoolbar@yamli.com:1.0.6
FF - prefs.js..keyword.URL: "http://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/05/18 16:38:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/05/19 16:15:29 | 000,000,000 | ---D | M]

[2010/04/12 17:48:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/04/12 17:48:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/05/18 02:40:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions
[2010/04/28 05:32:01 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2010/04/28 05:32:02 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/03/05 01:30:26 | 000,000,000 | ---D | M] (Mega Manager Integration) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{40a1f5d7-afc2-498f-b264-02668d616ff6}
[2010/04/02 12:18:43 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/03/05 01:29:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{991A772A-BA13-4c1d-A9EF-F897F31DEC7D}
[2009/02/17 00:38:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{9DA9C4D2-7C4F-4336-8DD7-4DFF13E3B8C7}
[2009/02/18 10:05:47 | 000,000,000 | ---D | M] (jDownFF) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{a3b24d40-bac4-11dc-95ff-0800200c9a66}
[2010/04/02 12:18:41 | 000,000,000 | ---D | M] (isoHunt Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{a6e4a4eb-d169-4e99-8988-250fcbafe767}
[2009/03/06 16:26:51 | 000,000,000 | ---D | M] (XE.com Universal Currency Converter ) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{d176c86a-1eac-2cce-1757-bc0dbc6c526c}
[2010/04/02 12:18:42 | 000,000,000 | ---D | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{DCBD1271-D228-4082-9FBC-36D9B7660B03}
[2010/04/16 04:51:15 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/04/02 12:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\anttoolbar@ant.com
[2008/08/19 18:24:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\bkmrksync@nokia.com
[2008/08/20 03:32:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\imagedownload@whygudu.iblog.cn
[2009/02/18 17:07:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\OpenXMLViewer@Codeplex.com
[2010/04/04 18:58:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\yamlitoolbar@yamli.com
[2009/05/11 12:33:51 | 000,002,083 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\searchplugins\uncyclopedia-en.xml
[2010/04/29 10:38:21 | 000,000,713 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\searchplugins\webster.xml
[2010/04/29 10:26:42 | 000,001,685 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\searchplugins\wiktionary-en.xml
[2010/05/24 13:32:37 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2008/07/23 12:48:04 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Mozilla Firefox\plugins\msvcm80.dll
[2008/07/23 12:48:04 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Mozilla Firefox\plugins\msvcp80.dll
[2008/07/23 12:48:06 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Mozilla Firefox\plugins\msvcr80.dll

Hosts file not found
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files (x86)\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files (x86)\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (IeMonitorBho Class) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - D:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll (Megaupload Limited)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Veoh Browser Plug-in) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files (x86)\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (Veoh Networks Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-3149585442-3551977217-521807796-500\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4:64bit: - HKLM..\Run: [AlcWzrd] C:\WINDOWS\alcwzrd.exe (RealTek Semicoductor Corp.)
O4:64bit: - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4:64bit: - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [KernelFaultCheck] File not found
O4:64bit: - HKLM..\Run: [MSPY2002] C:\WINDOWS\SysNative\IME\PINTLGNT\ImScInst.exe File not found
O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\SysNative\NvCpl.DLL File not found
O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\SysNative\NvMcTray.DLL File not found
O4:64bit: - HKLM..\Run: [nwiz] File not found
O4:64bit: - HKLM..\Run: [PHIME2002A] C:\WINDOWS\SysNative\IME\TINTLGNT\TINTSETP.EXE File not found
O4:64bit: - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\SysNative\IME\TINTLGNT\TINTSETP.EXE File not found
O4:64bit: - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4:64bit: - HKLM..\Run: [SoundMan] C:\WINDOWS\SoundMan.exe (Realtek Semiconductor Corp.)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Emurayden PSX Emulator] File not found
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME (x86)\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [NBKeyScan] D:\Program Files\Nero 8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [MsnMsgr] C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [MsnMsgr] C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [MsnMsgr] C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [MsnMsgr] C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3149585442-3551977217-521807796-500..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files (x86)\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-3149585442-3551977217-521807796-500..\Run: [cdloader] C:\Documents and Settings\Administrator\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKU\S-1-5-21-3149585442-3551977217-521807796-500..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - HKU\S-1-5-18..\RunOnce: [nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - HKU\S-1-5-19..\RunOnce: [nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [nltide_3] C:\WINDOWS\SysWow64\advpack.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk = C:\Program Files (x86)\Orbitdownloader\orbitdm.exe (Orbitdownloader.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3149585442-3551977217-521807796-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: &Download by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8:64bit: - Extra context menu item: &Grab video by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8:64bit: - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8:64bit: - Extra context menu item: Down&load all by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Download by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files (x86)\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O9:64bit: - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Yahoo! Search Protection - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files (x86)\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\SysNative\wiascr.dll File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UIHost - (%SystemRoot%\system32\logonui.exe) - C:\WINDOWS\SysNative\logonui.exe File not found
O20:64bit: - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: System - (lsass.exe) - File not found
O20:64bit: - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - File not found
O20:64bit: - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - File not found
O20:64bit: - Winlogon\Notify\cscdll: DllName - cscdll.dll - File not found
O20:64bit: - Winlogon\Notify\dimsntfy: DllName - dimsntfy.dll - File not found
O20:64bit: - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found
O20:64bit: - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found
O20:64bit: - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - File not found
O20:64bit: - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found
O20:64bit: - Winlogon\Notify\termsrv: DllName - Reg Error: Value error. - File not found
O20:64bit: - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found
O20 - Winlogon\Notify\termsrv: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found
O21:64bit: - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\SysNative\stobject.dll File not found
O21:64bit: - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\SysNative\WPDShServiceObj.dll File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28:64bit: - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28:64bit: - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/19 04:46:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/26 00:13:49 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/26 00:04:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\GooredFix Backups
[2010/05/26 00:03:26 | 000,070,858 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Administrator\Desktop\GooredFix.exe
[2010/05/24 13:49:54 | 000,208,896 | ---- | C] (www.mp3dev.org) -- C:\Documents and Settings\Administrator\Desktop\lame_enc.dll
[2010/05/24 13:46:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Audacity
[2010/05/24 13:32:21 | 000,090,112 | RHS- | C] (-) -- C:\WINDOWS\SysWow64\TTADSSplitter.ax
[2010/05/24 13:32:21 | 000,090,112 | RHS- | C] (-) -- C:\WINDOWS\SysWow64\TTADSDecoder.ax
[2010/05/24 13:32:20 | 000,092,672 | RHS- | C] (RadLight) -- C:\WINDOWS\SysWow64\RLVorbisDec.ax
[2010/05/24 13:32:20 | 000,067,584 | RHS- | C] (RadLight, LLC) -- C:\WINDOWS\SysWow64\RLTheoraDec.ax
[2010/05/24 13:32:19 | 000,186,880 | RHS- | C] (RadLight) -- C:\WINDOWS\SysWow64\RLOgg.ax
[2010/05/24 13:32:15 | 000,161,792 | RHS- | C] (Gabest) -- C:\WINDOWS\SysWow64\RealMediaDX.ax
[2010/05/24 13:32:12 | 000,216,064 | RHS- | C] (MONOGRAM Multimedia, s.r.o.) -- C:\WINDOWS\SysWow64\nbDX.dll
[2010/05/24 13:32:11 | 000,031,232 | RHS- | C] (Hans Mayerl) -- C:\WINDOWS\SysWow64\msfDX.dll
[2010/05/24 13:32:09 | 000,169,472 | RHS- | C] (Gabest) -- C:\WINDOWS\SysWow64\MatroskaDX.ax
[2010/05/24 13:32:08 | 000,163,328 | RHS- | C] (Gabest) -- C:\WINDOWS\SysWow64\flvDX.dll
[2010/05/24 13:32:06 | 000,179,200 | RHS- | C] (Gabest) -- C:\WINDOWS\SysWow64\DiracSplitter.ax
[2010/05/24 13:32:05 | 000,123,904 | RHS- | C] (CoreCodec) -- C:\WINDOWS\SysWow64\AVCDX.ax
[2010/05/24 13:30:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\eRightSoft
[2010/05/24 13:23:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AviSynth 2.5
[2010/05/23 07:55:55 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/05/23 03:47:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\nullDC
[2010/05/23 02:28:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Romcenter
[2010/05/23 02:28:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\romcenter
[2010/05/21 00:11:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fnafrvgrn
[2010/05/19 19:41:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Temp
[2010/05/19 19:41:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2010/05/19 19:41:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Deployment
[2010/05/19 16:08:38 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/19 16:08:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\setupupd
[2010/05/18 16:20:15 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/05/18 06:56:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Alcohol Soft
[2010/05/14 19:11:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/05/14 02:16:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2010/05/14 02:16:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/13 00:47:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/05/13 00:46:58 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\SysWow64\drivers\mbamswissarmy.sys
[2010/05/13 00:46:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/05/13 00:46:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/12 08:08:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Orbitdownloader
[2010/05/03 14:07:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Help
[2010/05/03 14:04:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Power Psx Tools GUI
[2010/04/30 17:41:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Tekken 3 Music
[2010/04/30 17:38:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Easy CD-DA Extractor
[2010/04/30 17:38:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Easy CD-DA Extractor
[2010/04/30 17:37:58 | 000,000,000 | ---D | C] -- C:\Program Files\Easy CD-DA Extractor 2010
[2010/04/30 13:18:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\388A26B9B1D42D0A5A214C94C07E5D21
[2010/04/29 12:15:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Downloads
[2010/04/26 02:18:14 | 000,000,000 | ---D | C] -- C:\Better Off Ted

========== Files - Modified Within 30 Days ==========

[2010/05/26 00:50:11 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/26 00:47:23 | 000,001,596 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
[2010/05/26 00:47:06 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/26 00:47:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/26 00:42:12 | 013,107,200 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/05/26 00:14:39 | 004,774,766 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/05/26 00:03:26 | 000,070,858 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Administrator\Desktop\GooredFix.exe
[2010/05/25 23:46:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3149585442-3551977217-521807796-500UA.job
[2010/05/25 19:46:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3149585442-3551977217-521807796-500Core.job
[2010/05/25 14:35:41 | 000,103,424 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/25 13:50:58 | 000,071,168 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Withdrawal.doc
[2010/05/25 13:01:14 | 000,187,612 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\cp13-eng.pdf
[2010/05/25 13:00:17 | 000,210,251 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\cp14-eng.pdf
[2010/05/24 13:46:22 | 000,000,660 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Audacity.lnk
[2010/05/24 13:33:23 | 003,029,668 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\14 Desert.mp3
[2010/05/24 13:32:21 | 000,001,743 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPER Uninstall.lnk
[2010/05/24 13:32:21 | 000,001,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPER .lnk
[2010/05/24 13:10:46 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/24 11:56:10 | 080,983,388 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\garou (1).zip
[2010/05/23 10:31:12 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/05/23 08:36:29 | 000,002,581 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\nullDC v1.0.0 Beta 1.lnk
[2010/05/23 08:00:54 | 000,000,664 | ---- | M] () -- C:\WINDOWS\SysWow64\d3d9caps.dat
[2010/05/23 07:48:15 | 000,000,726 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MalwareBytes Anti-Malware.exe.lnk
[2010/05/23 07:16:41 | 000,176,128 | ---- | M] () -- C:\WINDOWS\Vbafaa.exe
[2010/05/23 07:16:36 | 000,075,264 | ---- | M] () -- C:\WINDOWS\SysWow64\f3a3a069.exe
[2010/05/23 02:28:47 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RomCenter.lnk
[2010/05/23 01:38:48 | 038,425,374 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\garoup.zip
[2010/05/23 01:35:03 | 023,191,633 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\garoun.zip
[2010/05/23 01:11:10 | 038,576,533 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\garou.zip
[2010/05/21 09:10:45 | 000,001,028 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\magicJack.lnk
[2010/05/21 00:48:46 | 000,000,098 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/05/21 00:13:19 | 000,059,915 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe
[2010/05/19 19:43:44 | 000,002,344 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2010/05/19 16:08:50 | 000,000,430 | RHS- | M] () -- C:\boot.ini
[2010/05/19 16:03:56 | 000,000,327 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\ax_files.xml
[2010/05/19 16:01:20 | 000,000,430 | RHS- | M] () -- C:\Boot.BAK
[2010/05/19 13:16:40 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/05/18 16:39:01 | 000,001,656 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/18 16:12:00 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2010/05/14 02:37:38 | 000,000,371 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/05/14 02:16:27 | 000,000,975 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010/05/14 01:58:31 | 000,131,136 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Tekken 3 Memory.mem
[2010/05/13 00:40:38 | 133,003,832 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Old Registry.reg
[2010/05/12 08:08:13 | 000,000,768 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Orbit.lnk
[2010/05/03 16:31:19 | 474,677,721 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Tekken 3 [By Diabolicus].rar
[2010/04/30 17:38:05 | 000,001,676 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Easy CD-DA Extractor.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\SysWow64\drivers\mbamswissarmy.sys
[2010/04/28 06:00:52 | 000,262,144 | ---- | M] () -- C:\Documents and Settings\All Users\ntuser.dat
[2010/04/27 08:00:05 | 366,700,282 | ---- | M] () -- C:\Chuck.S03E14.HDTV.XviD-LOL.avi

========== Files Created - No Company Name ==========

[2010/05/26 00:31:12 | 000,077,312 | ---- | C] () -- C:\mbr.exe
[2010/05/25 13:01:13 | 000,187,612 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\cp13-eng.pdf
[2010/05/25 13:00:17 | 000,210,251 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\cp14-eng.pdf
[2010/05/24 13:46:22 | 000,000,660 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Audacity.lnk
[2010/05/24 13:33:22 | 003,029,668 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\14 Desert.mp3
[2010/05/24 13:32:21 | 000,001,743 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPER Uninstall.lnk
[2010/05/24 13:32:21 | 000,001,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPER .lnk
[2010/05/24 13:32:20 | 000,051,712 | RHS- | C] () -- C:\WINDOWS\SysWow64\RLSpeexDec.ax
[2010/05/24 13:32:17 | 000,107,520 | RHS- | C] () -- C:\WINDOWS\SysWow64\RLMPCDec.ax
[2010/05/24 13:32:16 | 000,070,656 | RHS- | C] () -- C:\WINDOWS\SysWow64\RLAPEDec.ax
[2010/05/24 13:32:09 | 000,120,832 | RHS- | C] () -- C:\WINDOWS\SysWow64\MPCDx.ax
[2010/05/24 13:32:06 | 000,097,280 | RHS- | C] () -- C:\WINDOWS\SysWow64\FLACDX.ax
[2010/05/24 13:32:05 | 000,175,104 | RHS- | C] () -- C:\WINDOWS\SysWow64\CoreAAC.ax
[2010/05/24 13:32:04 | 000,081,920 | RHS- | C] () -- C:\WINDOWS\SysWow64\aac_parser.ax
[2010/05/24 11:53:48 | 080,983,388 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\garou (1).zip
[2010/05/23 10:31:11 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_disable.log
[2010/05/23 10:31:11 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/05/23 08:00:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\SysWow64\d3d9caps.dat
[2010/05/23 07:16:51 | 000,176,128 | ---- | C] () -- C:\WINDOWS\Vbafaa.exe
[2010/05/23 07:16:39 | 000,075,264 | ---- | C] () -- C:\WINDOWS\SysWow64\f3a3a069.exe
[2010/05/23 03:47:47 | 000,002,581 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\nullDC v1.0.0 Beta 1.lnk
[2010/05/23 02:28:47 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RomCenter.lnk
[2010/05/23 01:37:19 | 038,425,374 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\garoup.zip
[2010/05/23 01:33:58 | 023,191,633 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\garoun.zip
[2010/05/23 01:05:22 | 038,576,533 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\garou.zip
[2010/05/21 00:13:18 | 000,059,915 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe
[2010/05/19 19:43:44 | 000,002,344 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2010/05/19 19:43:30 | 000,001,596 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
[2010/05/19 19:41:51 | 000,001,010 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3149585442-3551977217-521807796-500UA.job
[2010/05/19 19:41:51 | 000,000,958 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3149585442-3551977217-521807796-500Core.job
[2010/05/18 07:00:56 | 000,000,327 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\ax_files.xml
[2010/05/18 07:00:15 | 000,300,144 | RHS- | C] () -- C:\cmldr
[2010/05/14 02:37:36 | 000,000,371 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/05/14 02:16:27 | 000,000,975 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010/05/13 00:47:00 | 000,000,726 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MalwareBytes Anti-Malware.exe.lnk
[2010/05/13 00:40:26 | 133,003,832 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Old Registry.reg
[2010/05/12 12:42:05 | 000,131,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Tekken 3 Memory.mem
[2010/05/12 08:08:13 | 000,000,768 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Orbit.lnk
[2010/05/03 16:31:19 | 474,677,721 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Tekken 3 [By Diabolicus].rar
[2010/04/30 17:38:05 | 000,001,676 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Easy CD-DA Extractor.lnk
[2010/04/28 06:00:52 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\ntuser.dat
[2010/04/28 06:00:52 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\ntuser.dat.LOG
[2010/04/27 08:00:06 | 366,700,282 | ---- | C] () -- C:\Chuck.S03E14.HDTV.XviD-LOL.avi
[2009/09/11 03:20:29 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SysWow64\MF.dll
[2009/08/07 19:51:34 | 000,178,430 | ---- | C] () -- C:\WINDOWS\SysWow64\xlive.dll.cat
[2009/03/25 16:19:45 | 000,541,752 | ---- | C] () -- C:\WINDOWS\SysWow64\PerfStringBackup.INI
[2009/03/05 01:59:22 | 000,000,050 | ---- | C] () -- C:\WINDOWS\MegaManager.INI
[2009/03/03 06:58:24 | 000,044,646 | ---- | C] () -- C:\WINDOWS\SysWow64\FlashMenu.sys
[2009/03/03 06:49:12 | 000,013,632 | ---- | C] () -- C:\WINDOWS\SysWow64\drivers\WinFlash64.sys
[2009/01/30 07:08:05 | 000,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2009/01/30 07:08:04 | 000,047,616 | ---- | C] () -- C:\WINDOWS\SysWow64\pdf995mon64.dll
[2009/01/28 11:49:32 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/28 11:40:43 | 000,002,623 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2008/12/22 03:42:47 | 000,000,015 | ---- | C] () -- C:\WINDOWS\entpack.ini
[2008/10/07 06:01:40 | 000,027,648 | ---- | C] () -- C:\WINDOWS\SysWow64\AVSredirect.dll
[2008/08/30 08:21:00 | 000,044,544 | ---- | C] () -- C:\WINDOWS\SysWow64\Gif89.dll
[2008/08/21 03:33:43 | 000,164,352 | ---- | C] () -- C:\WINDOWS\SysWow64\unrar.dll
[2008/08/21 03:33:36 | 000,755,027 | ---- | C] () -- C:\WINDOWS\SysWow64\xvidcore.dll
[2008/08/21 03:33:36 | 000,612,864 | ---- | C] () -- C:\WINDOWS\SysWow64\x264vfw.dll
[2008/08/21 03:33:36 | 000,159,839 | ---- | C] () -- C:\WINDOWS\SysWow64\xvidvfw.dll
[2008/08/21 03:33:28 | 000,007,680 | ---- | C] () -- C:\WINDOWS\SysWow64\ff_vfw.dll
[2008/08/21 03:33:28 | 000,000,547 | ---- | C] () -- C:\WINDOWS\SysWow64\ff_vfw.dll.manifest
[2008/07/23 12:50:52 | 003,596,288 | ---- | C] () -- C:\WINDOWS\SysWow64\qt-dx331.dll
[2007/10/04 04:14:00 | 001,478,656 | ---- | C] () -- C:\WINDOWS\SysWow64\nview.dll
[2007/10/04 04:14:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\SysWow64\nvwimg.dll
[2007/03/29 23:00:40 | 000,203,264 | R--- | C] () -- C:\WINDOWS\SysWow64\CddbCdda.dll
[2007/02/18 07:05:48 | 000,276,992 | ---- | C] () -- C:\WINDOWS\SysWow64\sbe.dll
[2007/02/18 07:05:46 | 001,278,464 | ---- | C] () -- C:\WINDOWS\SysWow64\quartz.dll
[2007/02/18 07:05:46 | 000,512,512 | ---- | C] () -- C:\WINDOWS\SysWow64\qedit.dll
[2007/02/18 07:05:46 | 000,385,536 | ---- | C] () -- C:\WINDOWS\SysWow64\qdvd.dll
[2007/02/18 07:05:46 | 000,279,040 | ---- | C] () -- C:\WINDOWS\SysWow64\qdv.dll
[2007/02/18 07:05:46 | 000,192,512 | ---- | C] () -- C:\WINDOWS\SysWow64\qcap.dll
[2007/02/18 07:05:34 | 000,062,464 | ---- | C] () -- C:\WINDOWS\SysWow64\mciqtz32.dll
[2007/02/18 07:05:28 | 000,396,288 | ---- | C] () -- C:\WINDOWS\SysWow64\encdec.dll
[2007/02/18 07:05:24 | 000,061,440 | ---- | C] () -- C:\WINDOWS\SysWow64\devenum.dll
[2007/02/18 07:05:20 | 000,072,704 | ---- | C] () -- C:\WINDOWS\SysWow64\amstream.dll
[2005/03/25 00:00:00 | 000,733,696 | ---- | C] () -- C:\WINDOWS\SysWow64\qedwipes.dll
[2005/03/25 00:00:00 | 000,498,742 | ---- | C] () -- C:\WINDOWS\SysWow64\dxmasf.dll
[2005/03/25 00:00:00 | 000,355,112 | ---- | C] () -- C:\WINDOWS\SysWow64\msjetoledb40.dll
[2005/03/25 00:00:00 | 000,199,168 | ---- | C] () -- C:\WINDOWS\SysWow64\ir32_32.dll
[2005/03/25 00:00:00 | 000,114,688 | ---- | C] () -- C:\WINDOWS\SysWow64\msencode.dll
[2005/03/25 00:00:00 | 000,016,896 | ---- | C] () -- C:\WINDOWS\SysWow64\tsd32.dll
[2005/03/25 00:00:00 | 000,014,336 | ---- | C] () -- C:\WINDOWS\SysWow64\msdmo.dll
[2005/03/25 00:00:00 | 000,004,126 | ---- | C] () -- C:\WINDOWS\SysWow64\msdxmlc.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DE406C3E
< End of report >


#12 aommaster


Posted 26 May 2010 - 12:13 AM

Hello, nemsawy.
Are you still getting those mebroot warnings from Eset?

Backdoor warning!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed.
In most cases, a reformat and clean install of the Operating System is the best solution for your (and probably others') safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?


Again, if you would like me to attempt to clean it, I will be happy to do so. But if you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful. Should you have any questions, please feel free to ask.

Please let me know what you decide to do. If you decide to continue with the fix, please proceed with the steps below.




We need to run a custom OTL fix
  1. Please run OTL on your desktop.
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not copy the word "code".
    CODE
    :OTL
    [2009/03/05 01:29:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{991A772A-BA13-4c1d-A9EF-F897F31DEC7D}
    [2009/02/17 00:38:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cx4qnck7.default\extensions\{9DA9C4D2-7C4F-4336-8DD7-4DFF13E3B8C7}

    :Files
    C:\Documents and Settings\Administrator\Local Settings\Application Data\fnafrvgrn
    C:\WINDOWS\SysWow64\f3a3a069.exe
    C:\WINDOWS\Vbafaa.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe
  3. Click the Run Fix button
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK
  6. A report will open. Copy and Paste that report in your next reply.

NEXT:

We need to run Sophos Anti-Rootkit
  1. Please download Sophos Anti-rootkit & save it to your desktop.
    alternate download link
    Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.
  2. Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  3. Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  4. A message will appear "Sophos Anti-Rootkit was successfully installed."
  5. Run the program.
  6. Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  7. If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  8. Click Start scan.
  9. Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  10. When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  11. Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  12. Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  13. A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  14. After reboot, a dialog box displays the files you selected for removal and the action taken.
  15. Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  16. When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  17. This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

NEXT:

We need to run an MBAM Scan
  1. Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
  2. Make sure you are connected to the Internet.
  3. Double-click on Download_mbam-setup.exe to install the application.
  4. When the installation begins, follow the prompts and do not make any changes to default settings.
  5. When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  6. Then click Finish.
  7. Run MBAM and you will be asked to update the program before performing a scan.
    If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If you encounter any problems while downloading the updates, manually download them from here
    and just double-click on mbam-rules.exe to install.
  8. On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  9. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  10. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  11. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  12. Click OK to close the message box and continue with the removal process.
  13. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  14. Make sure that everything is checked, and click Remove Selected.
  15. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  16. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  17. Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



In your next reply, please include the following:
  • OTL Log
  • sarscan.log
  • MBAM Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
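As an added example (not part of this thread, of OTL, or of the helper's own method), here is a small Python triage script for the OTL log format posted above: it parses the `[timestamp | size | attrs | C/M] (company) -- path` entries and flags recently created executables with no publisher name under C:\WINDOWS or Local Settings\Application Data, which matches three of the four paths in the :Files section of the fix. The sample lines are copied from the report in this thread; the extension list, watched directories and 30-day window are my own assumed thresholds.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# One OTL file entry looks like this (the "(company)" part is absent on directory lines):
#   [2010/05/23 07:16:39 | 000,075,264 | ---- | C] () -- C:\WINDOWS\SysWow64\f3a3a069.exe
#   [2010/05/21 00:11:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\...\fnafrvgrn
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Triage thresholds: assumptions made for this example, not OTL or helper settings.
EXEC_EXT = (".exe", ".dll", ".sys")
WATCHED_DIRS = ("\\windows\\", "\\local settings\\application data\\")
MAX_AGE_DAYS = 30


@dataclass
class OtlEntry:
    stamp: datetime   # creation (C) or modification (M) time from the log
    size: int
    attrs: str        # R/H/S/D flags, "-" where unset
    kind: str         # "C" in the Created sections, "M" in the Modified section
    company: str      # empty when OTL found no version/company info
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_entry(line: str) -> Optional[OtlEntry]:
    """Parse one OTL entry; return None for headers, ADS lines and blanks."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    company = (m["company"] or "").strip()
    if company == "No name found":       # OTL's wording when no company is present
        company = ""
    return OtlEntry(
        stamp=datetime.strptime(m["stamp"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"], kind=m["kind"], company=company, path=m["path"],
    )


def is_suspicious(e: OtlEntry, report_date: datetime) -> bool:
    """Recently created executable, no publisher, in a system or profile-data directory."""
    if e.is_dir or e.company:
        return False
    low = e.path.lower()
    if not low.endswith(EXEC_EXT):
        return False
    if not any(d in low for d in WATCHED_DIRS):
        return False
    return report_date - e.stamp <= timedelta(days=MAX_AGE_DAYS)


def triage(lines: Iterable[str], report_date: datetime) -> List[str]:
    """Return the unique paths worth a closer look, sorted for stable output."""
    flagged = set()
    for line in lines:
        e = parse_entry(line)
        if e is not None and is_suspicious(e, report_date):
            flagged.add(e.path)          # the same file shows up in Created and Modified
    return sorted(flagged)


# Sample input: lines copied from the OTL report posted in this thread (dated 2010/05/26).
REPORT_DATE = datetime(2010, 5, 26)
SAMPLE_LOG = r"""
[2010/05/26 00:31:12 | 000,077,312 | ---- | C] () -- C:\mbr.exe
[2010/05/24 13:32:20 | 000,051,712 | RHS- | C] () -- C:\WINDOWS\SysWow64\RLSpeexDec.ax
[2010/05/23 08:00:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\SysWow64\d3d9caps.dat
[2010/05/23 07:16:51 | 000,176,128 | ---- | C] () -- C:\WINDOWS\Vbafaa.exe
[2010/05/23 07:16:41 | 000,176,128 | ---- | M] () -- C:\WINDOWS\Vbafaa.exe
[2010/05/23 07:16:39 | 000,075,264 | ---- | C] () -- C:\WINDOWS\SysWow64\f3a3a069.exe
[2010/05/21 00:13:18 | 000,059,915 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe
[2010/05/21 00:11:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fnafrvgrn
[2010/05/13 00:46:58 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\SysWow64\drivers\mbamswissarmy.sys
[2009/09/11 03:20:29 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SysWow64\MF.dll
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DE406C3E
"""

if __name__ == "__main__":
    for p in triage(SAMPLE_LOG.splitlines(), REPORT_DATE):
        print(p)
```

The randomly named directory in the fix (fnafrvgrn) is deliberately not flagged: directories carry no publisher or extension, so they need a different heuristic than the one shown here.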


#13 aommaster


Posted 29 May 2010 - 12:48 AM

Hello nemsawy
Are you still with us?



#14 aommaster


Posted 31 May 2010 - 12:36 AM

Due to lack of feedback, this topic has been closed. If you need this topic reopened, please send me a PM with the address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.





