
Trojan Horse SHeur3.AQRA, Win32/Zbot.A and VBS/Generic


8 replies to this topic

#1 Carolyn771
Posted 05 October 2010 - 12:45 PM

Hi

When my daughter's computer starts up, the AVG Resident Shield alert opens and states it has detected multiple threats. It then keeps going finding threat after threat, and displaying them in a list. To read the list, it looks like pretty much everything on the computer is infected.
I could not run GMER. I tried downloading it from each of the 2 locations, and also downloaded WinRAR as Windows said it could not open the file. WinRAR extracted the files, but when I tried to run it, the computer blue screened with BAD_POOL_HEADER and the numbers 0x00000019(0x00000020,0x899F6000,0x899F6828,0x1B050000)


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mum at 17:59:44.45 on 05/10/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1368 [GMT 1:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Oxigen\bin\Oxigen.exe
C:\Program Files\Oxigen\bin\OxiTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Guffins\bar\1.bin\u4brmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Mum\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F&ptnrS=YJxdm013YYGB&ptb=3DC452FE-D4FD-4268-B46D-D172C60824D7
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Toolbar BHO: {a916eefe-6a17-4d7d-a131-2738b260bb55} - c:\progra~1\guffins\bar\1.bin\u4bar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Guffins: {de2fdf7c-2637-4ba3-b427-3fce2d331db5} - c:\program files\guffins\bar\1.bin\u4bar.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; WinNT-PAI 15.08.2009)" -"http://www.girlsgogames.co.uk/game/ChatWorld.html"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.24\AsRunHelp.exe
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [OxigenClientAdmin] "c:\program files\oxigen\bin\Oxigen.exe"
mRun: [OxigenTrayIcon] "c:\program files\oxigen\bin\OxiTray.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [NPSStartup]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Guffins Browser Plugin Loader] c:\progra~1\guffins\bar\1.bin\u4brmon.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\mum\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111 configuration utility\wpn111.exe
IE: &Search - http://tbedits.guffins.com/one-toolbaredit...mp;n=2010100206
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://go.microsoft.com/fwlink/?LinkId=82580
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} - hxxp://www.activeworlds.com/products/ActiveWorldsDownload.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://msnuk.oberon-media.com/online2/MSN_INTL_UK//diner_dash_flo_on_the_go/ddfotg.1.0.0.33.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://msnuk.oberon-media.com/online2/MSN_INTL_UK/diner_dash/DinerDash.1.0.0.80.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-14 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-14 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-14 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-14 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-14 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-8-14 1370488]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-2-6 54752]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-5-23 233472]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2009-10-29 1074568]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-14 29208]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-10-28 17149]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-5-23 36608]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2009-10-28 286720]
S2 GuffinsService;Guffins Service;c:\progra~1\guffins\bar\1.bin\u4barsvc.exe [2010-10-2 28766]
S3 ATHFMWDL;NETGEAR WPN111 Bootloader driver;c:\windows\system32\drivers\athwpn.sys [2009-10-28 43392]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-14 29208]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-10-05 16:51:02 0 ----a-w- c:\documents and settings\mum\defogger_reenable
2010-10-02 10:07:56 0 d-----w- c:\program files\Guffins
2010-10-02 10:07:22 0 d-----w- c:\program files\GuffinsEI

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2006-06-23 06:48:54 32768 -c--a-r- c:\windows\inf\UpdateUSB.exe
2008-10-21 22:13:32 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102120081022\index.dat

============= FINISH: 18:00:26.60 ===============

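The DDS "Pseudo HJT Report" above is the part of the log a malware-removal helper reads first: the Winlogon Userinit value (anything besides userinit.exe there runs at every logon), BHO/toolbar registrations whose file is gone, a changed start page, and service rows DDS could not resolve on disk (printed with `[?]` in place of a timestamp and size). The script below is an added example, not DDS output or code from anyone in this thread. It parses DDS-style lines and flags those entry types. The sample lines are constructed from the entry types in the report above; the `Finding` structure and the severity labels are this example's own, and a flag means "look at this", not "this is malicious".

```python
"""Triage helper for DDS "Pseudo HJT Report" lines (added example; not a
DDS feature). It flags entries a removal helper inspects first."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity key detail")

# Constructed sample: one line per entry type seen in the report above.
SAMPLE_LOG = """\
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77C09F4F
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,,c:\\program files\\microsoft\\desktoplayer.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\adobe\\acrobat 7.0\\activex\\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
mRun: [Guffins Browser Plugin Loader] c:\\progra~1\\guffins\\bar\\1.bin\\u4brmon.exe
S3 npggsvc;nProtect GameGuard Service;c:\\windows\\system32\\gamemon.des -service --> c:\\windows\\system32\\GameMon.des -service [?]
"""

# The only value Windows itself puts in Winlogon\Userinit on XP.
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"


def check_userinit(value):
    """Return every non-empty Userinit entry other than userinit.exe.
    Each of those is launched for every interactive logon, which is why
    the key is a classic persistence location."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT]


def triage(text):
    """Walk DDS-style lines and collect Finding records."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"mWinlogon:\s*Userinit=(.*)", line, re.I)
        if m:
            for extra in check_userinit(m.group(1)):
                findings.append(Finding("high", "Userinit", extra))
            continue
        # BHO / TB / URLSearchHook registrations whose DLL no longer exists:
        # harmless leftovers, but they are normally removed during cleanup.
        if line.endswith("- No File"):
            findings.append(Finding("low", "orphan", line))
            continue
        m = re.match(r"[um]Start Page = (\S+)", line)
        if m:
            findings.append(Finding("info", "StartPage", m.group(1)))
            continue
        # Service rows: "S3 name;display name;path [?]" where DDS printed
        # [?] instead of a timestamp/size because it could not stat the file.
        m = re.match(r"[RS]\d\s+(\w+);[^;]*;(.*)", line)
        if m and "[?]" in line:
            findings.append(Finding("medium", "service-unverified", m.group(1)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.key:20} {f.detail}")
```

Run it against a saved DDS log by passing the file contents to `triage()`. Anything it reports still needs a human decision: an orphaned BHO is cosmetic, a second Userinit executable is not.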
#2 etavares

Malware Response Team

Posted 12 October 2010 - 05:45 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.

Since you're having issues with GMER, please try GMER in safe mode. If that doesn't work, try in safe mode, but uncheck 'devices'. If all else fails, try in safe mode and only check 'files' and 'sections'.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 
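Several of the custom-scan directives above are filters rather than commands: `%systemroot%\system32\*.sys /90` asks OTL for driver files changed in the last 90 days, and the SRV/DRV sections of an OTL log print `File not found` for a service or driver whose registration is still present but whose binary is missing. As an added example (not OTL's code, and not something posted in this thread), the Python below parses OTL-style SRV/DRV rows and applies those same checks offline, plus one more a helper looks at, rows with an empty company name. The sample rows are constructed in OTL's format and mirror entries that appear later in this thread; the flag names are this example's own.

```python
"""Added example: offline triage of OTL-style SRV/DRV rows. Reproduces the
"/90" file-age filter from OTL's custom scan and picks out rows whose
binary is missing or carries no company name."""
import re
from datetime import datetime, timedelta

# Constructed sample in OTL's row format (date of the log is needed for /90).
LOG_DATE = datetime(2010, 10, 17)
SAMPLE = """\
SRV - File not found [On_Demand | Stopped] -- C:\\Program Files\\Common Files\\InstallShield\\Driver\\11\\Intel 32\\IDriverT.exe -- (IDriverT)
SRV - [2010/10/02 11:07:56 | 000,028,766 | ---- | M] (Guffins) [Auto | Stopped] -- C:\\Program Files\\Guffins\\bar\\1.bin\\u4barsvc.exe -- (GuffinsService)
SRV - [2010/01/13 02:33:00 | 003,477,452 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\\WINDOWS\\System32\\GameMon.des -- (npggsvc)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\\WINDOWS\\System32\\drivers\\EagleNT.sys -- (EagleNT)
DRV - [2009/08/14 07:50:32 | 000,012,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\\WINDOWS\\System32\\Drivers\\avgrkx86.sys -- (AvgRkx86)
DRV - [2008/12/13 17:15:26 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Running] -- C:\\WINDOWS\\system32\\FsUsbExDisk.Sys -- (FsUsbExDisk)
"""

# "SRV - [mtime | size | attrs | M] (Company) [state] -- path -- (Name)"
# or   "SRV - File not found [state] -- path -- (Name)"
ROW = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:File not found|\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| [^\]]*\] \((?P<company>[^)]*)\))"
    r" \[(?P<state>[^\]]*)\] -- (?P<path>.*?) -- \((?P<name>[^)]*)\)$"
)


def parse_otl(text):
    """Return one dict per SRV/DRV row; mtime/size/company are None for
    'File not found' rows."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["mtime"] = (datetime.strptime(d["mtime"], "%Y/%m/%d %H:%M:%S")
                      if d["mtime"] else None)
        d["size"] = int(d["size"].replace(",", "")) if d["size"] else None
        rows.append(d)
    return rows


def triage(rows, log_date, days=90):
    """Flag rows the way a helper scans the list: missing binaries first,
    then files with no publisher string, then anything recent (/90)."""
    flags = []
    window = timedelta(days=days)
    for r in rows:
        if r["mtime"] is None:
            flags.append((r["name"], "file not found"))
            continue
        if r["company"] == "":
            flags.append((r["name"], "no company name"))
        if log_date - r["mtime"] <= window:
            flags.append((r["name"], f"modified within {days} days"))
    return flags


if __name__ == "__main__":
    for name, reason in triage(parse_otl(SAMPLE), LOG_DATE):
        print(f"{name:16} {reason}")
```

An empty company name only means the binary carries no version resource; plenty of legitimate OEM drivers ship that way, so it is a prompt to verify the file (hash, signature, path), not a verdict. The same applies to the /90 hit: a service installed two weeks before the symptoms started is simply the first thing to look at.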


#3 Carolyn771
Posted 14 October 2010 - 04:41 PM

I have run the GMER in safe mode, it took about 6 hours to complete and then I found the mouse had been disabled, so was unable to save it! I will try the other 2 options over the weekend, but am working tomorrow and Saturday, so would be grateful if you could give me a few days to sort it out. I did get a message saying insufficient system resources exist to complete the required service. Upon reboot the mouse was ok, so assume this is something to do with that. Is there any other option than GMER?


#4 etavares

Malware Response Team

Posted 14 October 2010 - 05:23 PM

Please run the OTL log then. I'll post other tools to run instead of GMER once I look that over.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 Carolyn771
Posted 17 October 2010 - 12:03 PM

Hi

Thanks for helping. I am attaching the OTL log - there was only one report produced. Had another go at the GMER scan, same thing - it finishes but takes the mouse away, can't seem to save using hotkeys, and as soon as I press return the report closes and the mouse comes back! Frustrating.
Also I am getting an error message upon boot up - For PMB.exe - The application failed to initialize properly (0xC0000022) Click on ok to terminate the application. Don't know whether this is relevant.


OTL logfile created on: 17/10/2010 10:04:03 - Run 4
OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Mum\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 75.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 209.65 Gb Free Space | 70.33% Space Free | Partition Type: NTFS

Computer Name: CAROLYN | User Name: Mum | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 90 Days

========== Processes (SafeList) ==========

PRC - [2010/10/16 19:29:15 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mum\Desktop\OTL.exe
PRC - [2010/07/09 18:14:45 | 002,048,352 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2010/04/05 14:50:00 | 000,494,920 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2009/10/29 13:27:54 | 001,074,568 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
PRC - [2009/08/14 07:50:09 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/14 07:50:09 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/14 07:50:09 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/14 07:50:01 | 001,370,488 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgfws8.exe
PRC - [2009/08/14 07:50:01 | 000,832,792 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgam.exe
PRC - [2009/08/14 07:50:00 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/04/08 11:38:14 | 000,251,240 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
PRC - [2009/04/08 11:38:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2008/12/13 17:51:46 | 000,098,304 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
PRC - [2008/12/13 17:15:26 | 000,233,472 | ---- | M] (Teruten) -- C:\WINDOWS\system32\FsUsbExService.Exe
PRC - [2008/04/23 03:38:16 | 000,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/23 03:04:52 | 000,557,536 | ---- | M] () -- C:\Program Files\Oxigen\bin\OxiTray.exe
PRC - [2007/06/23 03:01:36 | 000,887,264 | ---- | M] () -- C:\Program Files\Oxigen\bin\Oxigen.exe
PRC - [2006/12/18 14:34:36 | 000,868,352 | R--- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2005/01/24 17:58:24 | 000,491,606 | ---- | M] (NETGEAR) -- C:\Program Files\NETGEAR\WPN111 Configuration Utility\WPN111.exe


========== Modules (SafeList) ==========

MOD - [2010/10/16 19:29:15 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mum\Desktop\OTL.exe
MOD - [2010/08/23 17:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/10/02 11:07:56 | 000,028,766 | ---- | M] (Guffins) [Auto | Stopped] -- C:\Program Files\Guffins\bar\1.bin\u4barsvc.exe -- (GuffinsService)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/01/13 02:33:00 | 003,477,452 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2009/10/29 13:27:54 | 001,074,568 | ---- | M] (LogMeIn Inc.) [Auto | Running] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2009/08/14 07:50:01 | 001,370,488 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgfws8.exe -- (avgfws8)
SRV - [2009/08/14 07:50:00 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/08/05 23:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/04/08 11:38:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2008/12/13 17:15:26 | 000,233,472 | ---- | M] (Teruten) [Auto | Running] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\EagleNT.sys -- (EagleNT)
DRV - [2009/10/28 13:35:03 | 000,015,890 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2009/08/14 07:50:32 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/08/14 07:50:32 | 000,012,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2009/08/14 07:50:29 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/14 07:50:27 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/08/14 07:49:35 | 000,029,208 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwfd)
DRV - [2009/08/14 07:49:35 | 000,029,208 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgfwdx.sys -- (Avgfwdx)
DRV - [2009/08/05 23:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/04/23 12:15:06 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2009/03/28 01:03:00 | 006,280,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/12/13 17:15:26 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2008/04/13 17:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/05/02 11:11:18 | 000,109,704 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ss_mdm.sys -- (ss_mdm)
DRV - [2007/05/02 11:11:18 | 000,015,112 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ss_mdfl.sys -- (ss_mdfl)
DRV - [2007/05/02 11:11:16 | 000,083,592 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ss_bus.sys -- (ss_bus) SAMSUNG Mobile USB Device 1.0 driver (WDM)
DRV - [2007/01/16 02:09:06 | 000,293,888 | R--- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2006/12/08 10:06:00 | 000,139,776 | R--- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\adidts.sys -- (ADIDTSFiltService)
DRV - [2006/10/18 20:12:16 | 000,012,664 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2006/07/26 08:56:00 | 000,248,832 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/01/07 11:07:40 | 000,286,720 | ---- | M] (NETGEAR, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WPN111.sys -- (WPN111)
DRV - [2004/10/14 19:24:00 | 000,043,392 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\athwpn.sys -- (ATHFMWDL)
DRV - [2004/08/13 03:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2003/07/24 13:10:34 | 000,017,149 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DNINDIS5.sys -- (DNINDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-602162358-362288127-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-602162358-362288127-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-602162358-362288127-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lse.co.uk/ [binary data]
IE - HKU\S-1-5-21-602162358-362288127-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml?n=...6D-D172C60824D7
IE - HKU\S-1-5-21-602162358-362288127-839522115-1004\..\URLSearchHook: *{c3d3840c-12ea-4461-a61d-190555fecc82} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-602162358-362288127-839522115-1004\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-602162358-362288127-839522115-1004\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-602162358-362288127-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-602162358-362288127-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\u4ffxtbr@Guffins.com: C:\Program Files\Guffins\bar\1.bin [2010/10/02 11:07:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/04/06 09:28:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/04/06 09:28:23 | 000,000,000 | ---D | M]

[2008/07/27 08:47:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Mozilla\Extensions
[2008/07/27 08:47:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Mozilla\Extensions\home2@tomtom.com

O1 HOSTS File: ([2006/02/28 13:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Toolbar BHO) - {a916eefe-6a17-4d7d-a131-2738b260bb55} - C:\Program Files\Guffins\bar\1.bin\u4bar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Guffins) - {de2fdf7c-2637-4ba3-b427-3fce2d331db5} - C:\Program Files\Guffins\bar\1.bin\u4bar.dll ()
O3 - HKU\S-1-5-21-602162358-362288127-839522115-1004\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-602162358-362288127-839522115-1004\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O3 - HKU\S-1-5-21-602162358-362288127-839522115-1004\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-602162358-362288127-839522115-1004\..\Toolbar\WebBrowser: (Guffins) - {DE2FDF7C-2637-4BA3-B427-3FCE2D331DB5} - C:\Program Files\Guffins\bar\1.bin\u4bar.dll ()
O4 - HKLM..\Run: [Ai Nap] C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe ()
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.24\AsRunHelp.exe ()
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [AVGIDS] C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe File not found
O4 - HKLM..\Run: [Guffins Browser Plugin Loader] C:\Program Files\Guffins\bar\1.bin\u4brmon.exe ()
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe File not found
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [nonep] C:\Documents and Settings\Mum\Local Settings\Temp\tmpd7c9a408\kill.exe ()
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OxigenClientAdmin] C:\Program Files\Oxigen\bin\Oxigen.exe ()
O4 - HKLM..\Run: [OxigenTrayIcon] C:\Program Files\Oxigen\bin\OxiTray.exe ()
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe ()
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKU\S-1-5-21-602162358-362288127-839522115-1004..\Run: [{EBD28411-D263-82F4-B60C-30A36F2D41E0}] C:\Documents and Settings\Mum\Application Data\Ubbupi\ozkys.exe ()
O4 - HKU\S-1-5-21-602162358-362288127-839522115-1004..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKU\S-1-5-21-602162358-362288127-839522115-1004..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe ()
O4 - HKU\S-1-5-21-602162358-362288127-839522115-1004..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-21-602162358-362288127-839522115-1004..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O4 - HKU\S-1-5-21-602162358-362288127-839522115-1004..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -Mozilla\4.0 ( File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WPN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN111 Configuration Utility\WPN111.exe (NETGEAR)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-602162358-362288127-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\lsprew.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} http://go.microsoft.com/fwlink/?LinkId=82580 (Microsoft Genuine Advantage Self Support Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} http://www.activeworlds.com/products/Activ...ldsDownload.cab (ActiveWorldsDownload Control)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab (Reg Error: Key error.)
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} http://www.facebook.com/controls/contactx.dll (ContactExtractor Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} http://msnuk.oberon-media.com/online2/MSN_...tg.1.0.0.33.cab (CPlayFirstddfotgControl Object)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} http://msnuk.oberon-media.com/online2/MSN_...sh.1.0.0.80.cab (CPlayFirstDinerDashControl Object)
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} https://secure.gopetslive.com/dev/GoPetsWeb.cab (GoPetsWeb Control)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\program files\microsoft\desktoplayer.exe) - c:\Program Files\Microsoft\DesktopLayer.exe ()
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Mum\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Mum\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/09 23:17:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{23604a93-5bab-11dd-84fa-001a92e9da0e}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{c08c7c82-f1d6-11dc-824b-001a92e9da0e}\Shell - "" = AutoRun
O33 - MountPoints2\{c08c7c82-f1d6-11dc-824b-001a92e9da0e}\Shell\Auto\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{c08c7c82-f1d6-11dc-824b-001a92e9da0e}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

Drivers32: aux - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lhacm - lhacm.acm File not found
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.VP60 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: vidc.VP61 - C:\WINDOWS\system32\vp6vfw.dll (On2.com)
Drivers32: VIDC.WMV3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 90 Days ==========

[2010/10/14 14:27:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/10/14 14:27:28 | 000,000,000 | ---D | C] -- C:\Program Files\WinZip
[2010/10/14 14:01:51 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mum\Desktop\OTL.exe
[2010/10/10 09:03:16 | 000,000,000 | ---D | C] -- C:\Program Files\windows
[2010/10/10 09:03:12 | 000,000,000 | ---D | C] -- C:\Program Files\tmp
[2010/10/10 09:03:08 | 000,000,000 | ---D | C] -- C:\Program Files\system32
[2010/10/10 08:37:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mum\Desktop\Stupidd
[2010/10/02 18:00:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mum\Desktop\ChilloutFlyff
[2010/10/02 11:07:56 | 000,000,000 | ---D | C] -- C:\Program Files\Guffins
[2010/10/02 11:07:22 | 000,000,000 | ---D | C] -- C:\Program Files\GuffinsEI
[2010/09/21 21:09:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mum\Desktop\DemonFlyffv16
[2010/09/13 14:20:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\EA Games
[2010/09/07 17:37:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Help
[2010/09/03 13:33:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mum\Desktop\DemonFlyFF
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/10/17 10:02:36 | 000,201,621 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/10/17 10:02:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/17 09:52:56 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\for scan.doc
[2010/10/17 09:43:24 | 000,436,680 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/17 09:43:24 | 000,069,274 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/16 19:29:15 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mum\Desktop\OTL.exe
[2010/10/16 19:28:01 | 066,468,611 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/10/16 19:15:51 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/14 14:53:00 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/14 14:48:46 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/10/14 14:27:46 | 000,001,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2010/10/14 14:27:46 | 000,001,660 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2010/10/14 14:25:34 | 016,266,568 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\winzip145.exe
[2010/10/14 14:20:50 | 000,000,685 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\WinRAR.lnk
[2010/10/14 14:15:26 | 000,285,168 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\gmer.zip
[2010/10/13 18:57:12 | 000,000,681 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\Flyff.lnk
[2010/10/13 13:50:14 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\gmer.exe
[2010/10/10 08:45:06 | 000,000,074 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\New Folder.rar
[2010/10/08 16:24:51 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\iTunes.lnk
[2010/10/05 18:09:40 | 001,364,522 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\wrar393.exe
[2010/10/05 17:55:37 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\dds.scr
[2010/10/05 17:51:02 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Mum\defogger_reenable
[2010/10/05 17:50:03 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\Defogger.exe
[2010/10/05 17:37:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/03 19:10:05 | 000,043,391 | ---- | M] () -- C:\Documents and Settings\Mum\My Documents\Merce Cunningham.pptx
[2010/09/29 20:04:08 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Mum\My Documents\Drum Whistles.doc
[2010/09/26 12:21:16 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\Mum\My Documents\Monsters Of Kaliko.doc
[2010/09/25 19:18:28 | 000,001,925 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 2 Apartment Life.lnk
[2010/09/25 19:18:28 | 000,001,334 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\www.thesims3.com.lnk
[2010/09/21 21:15:27 | 000,000,556 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\DemonFlyff16.lnk
[2010/09/17 19:15:34 | 000,001,837 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 2 Seasons.lnk
[2010/09/06 09:01:35 | 000,000,541 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\DemonFlyff.lnk
[2010/09/03 13:32:07 | 871,779,967 | ---- | M] () -- C:\Documents and Settings\Mum\My Documents\DemonFlyFFr1.5.rar
[2010/09/02 09:59:08 | 000,064,512 | ---- | M] () -- C:\Documents and Settings\Mum\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/02 09:58:09 | 000,002,336 | ---- | M] () -- C:\WINDOWS\disney.ini
[2010/08/30 12:54:03 | 005,015,680 | ---- | M] () -- C:\Documents and Settings\Mum\My Documents\Jewelpet_Tinkle_-_Happy_Tinkle.mp3
[2010/08/30 12:13:02 | 000,036,864 | ---- | M] () -- C:\Documents and Settings\Mum\My Documents\the calicco collector.doc
[2010/08/28 18:37:56 | 002,018,816 | ---- | M] () -- C:\Documents and Settings\Mum\My Documents\AllodsDownloader20100707.exe
[2010/08/16 19:31:20 | 000,000,337 | ---- | M] () -- C:\Documents and Settings\Mum\Desktop\My Documents.lnk
[2010/08/09 14:47:32 | 000,001,500 | ---- | M] () -- C:\WINDOWS\KA.INI
[2010/07/30 09:38:44 | 000,010,631 | ---- | M] () -- C:\Documents and Settings\Mum\My Documents\yumeiro[0]
[2010/07/30 09:37:52 | 000,010,630 | ---- | M] () -- C:\Documents and Settings\Mum\My Documents\yumeiro
[2010/07/30 09:33:12 | 000,010,630 | ---- | M] () -- C:\Documents and Settings\Mum\My Documents\9897.mp3
[2010/07/25 21:29:06 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Mum\My Documents\Alttgryghrt6uht.doc
[2010/07/19 11:06:06 | 003,441,801 | ---- | M] () -- C:\Documents and Settings\Mum\My Documents\Wheesung Digital Single Insomnia - Insomnia.mp3
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/17 09:52:55 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Mum\Desktop\for scan.doc
[2010/10/14 14:27:46 | 000,001,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinZip.lnk
[2010/10/14 14:27:46 | 000,001,660 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
[2010/10/14 14:25:34 | 016,266,568 | ---- | C] () -- C:\Documents and Settings\Mum\Desktop\winzip145.exe
[2010/10/14 14:15:26 | 000,285,168 | ---- | C] () -- C:\Documents and Settings\Mum\Desktop\gmer.zip
[2010/10/13 13:50:14 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Mum\Desktop\gmer.exe
[2010/10/10 08:45:06 | 000,000,074 | ---- | C] () -- C:\Documents and Settings\Mum\Desktop\New Folder.rar
[2010/10/05 18:10:13 | 000,000,685 | ---- | C] () -- C:\Documents and Settings\Mum\Desktop\WinRAR.lnk
[2010/10/05 18:09:37 | 001,364,522 | ---- | C] () -- C:\Documents and Settings\Mum\Desktop\wrar393.exe
[2010/10/05 17:55:31 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Mum\Desktop\dds.scr
[2010/10/05 17:51:02 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Mum\defogger_reenable
[2010/10/05 17:50:03 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Mum\Desktop\Defogger.exe
[2010/09/28 21:55:20 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Mum\My Documents\Drum Whistles.doc
[2010/09/26 19:06:40 | 000,043,391 | ---- | C] () -- C:\Documents and Settings\Mum\My Documents\Merce Cunningham.pptx
[2010/09/25 19:18:28 | 000,001,925 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 2 Apartment Life.lnk
[2010/09/25 19:18:28 | 000,001,334 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\www.thesims3.com.lnk
[2010/09/25 15:18:53 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\Mum\My Documents\Monsters Of Kaliko.doc
[2010/09/21 21:15:27 | 000,000,556 | ---- | C] () -- C:\Documents and Settings\Mum\Desktop\DemonFlyff16.lnk
[2010/09/17 19:15:34 | 000,001,837 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 2 Seasons.lnk
[2010/09/06 09:01:35 | 000,000,541 | ---- | C] () -- C:\Documents and Settings\Mum\Desktop\DemonFlyff.lnk
[2010/09/03 13:27:03 | 871,779,967 | ---- | C] () -- C:\Documents and Settings\Mum\My Documents\DemonFlyFFr1.5.rar
[2010/08/30 12:54:02 | 005,015,680 | ---- | C] () -- C:\Documents and Settings\Mum\My Documents\Jewelpet_Tinkle_-_Happy_Tinkle.mp3
[2010/08/28 18:37:50 | 002,018,816 | ---- | C] () -- C:\Documents and Settings\Mum\My Documents\AllodsDownloader20100707.exe
[2010/08/16 19:31:20 | 000,000,337 | ---- | C] () -- C:\Documents and Settings\Mum\Desktop\My Documents.lnk
[2010/07/30 09:38:44 | 000,010,631 | ---- | C] () -- C:\Documents and Settings\Mum\My Documents\yumeiro[0]
[2010/07/30 09:37:52 | 000,010,630 | ---- | C] () -- C:\Documents and Settings\Mum\My Documents\yumeiro
[2010/07/30 09:33:12 | 000,010,630 | ---- | C] () -- C:\Documents and Settings\Mum\My Documents\9897.mp3
[2010/07/25 21:29:06 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Mum\My Documents\Alttgryghrt6uht.doc
[2010/07/19 11:05:57 | 003,441,801 | ---- | C] () -- C:\Documents and Settings\Mum\My Documents\Wheesung Digital Single Insomnia - Insomnia.mp3
[2010/05/02 09:35:19 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2010/05/02 09:35:19 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2009/10/28 13:34:54 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2009/10/28 13:34:54 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2009/07/05 11:40:29 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/06/27 22:31:10 | 000,000,029 | ---- | C] () -- C:\WINDOWS\PControl.ini
[2009/05/23 21:43:33 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll
[2009/05/23 21:43:33 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys
[2009/05/23 21:43:25 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Mum\Application Data\$_hpcst$.hpc
[2009/03/09 20:48:44 | 000,046,592 | ---- | C] () -- C:\WINDOWS\System32\shellses.dll
[2009/03/07 16:24:19 | 000,000,043 | ---- | C] () -- C:\WINDOWS\T305.ini
[2009/01/17 14:46:21 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2008/12/28 17:52:29 | 000,005,922 | ---- | C] () -- C:\Documents and Settings\Mum\Application Data\prefs.cst
[2008/12/08 17:58:54 | 000,064,512 | ---- | C] () -- C:\Documents and Settings\Mum\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/22 18:01:31 | 000,001,500 | ---- | C] () -- C:\WINDOWS\KA.INI
[2008/09/26 13:00:35 | 000,120,200 | ---- | C] () -- C:\WINDOWS\System32\DLLDEV32i.dll
[2008/09/26 13:00:19 | 000,006,211 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2008/07/07 18:31:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2008/06/28 14:33:13 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2008/05/12 11:44:12 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/05/12 11:41:56 | 000,000,027 | ---- | C] () -- C:\WINDOWS\CDE DX4400DEFGIPS.ini
[2008/04/26 19:42:17 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2008/04/05 16:52:36 | 000,002,336 | ---- | C] () -- C:\WINDOWS\disney.ini
[2007/12/29 22:23:03 | 000,002,528 | ---- | C] () -- C:\WINDOWS\FCIC.INI
[2007/12/15 15:23:40 | 000,000,032 | ---- | C] () -- C:\WINDOWS\s103.ini
[2007/10/25 17:26:10 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2007/09/13 14:34:30 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\nnr.dll
[2007/06/13 22:46:32 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2007/06/13 22:46:32 | 000,012,664 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2007/06/13 22:46:30 | 000,012,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2007/06/13 22:46:30 | 000,010,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2007/06/13 22:30:16 | 000,028,254 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2007/06/13 22:28:27 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/06/13 22:28:25 | 000,027,936 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/06/13 22:28:12 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/06/10 00:04:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/04/23 20:38:42 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/04/23 20:38:42 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/04/23 20:38:40 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/04/23 20:38:38 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/04/23 20:38:36 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/04/23 20:38:36 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL

========== LOP Check ==========

[2010/07/17 15:21:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/08/14 07:50:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
[2009/01/10 15:32:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2010/04/22 18:29:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2007/12/29 22:23:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FirstClass
[2009/08/04 21:50:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GoBit Games
[2008/02/01 22:09:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HipSoft
[2008/09/26 13:01:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MAGIX
[2009/07/08 18:55:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Merscom
[2009/05/31 09:10:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon
[2008/03/28 15:25:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon Games
[2010/08/09 14:47:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Outspark
[2008/01/04 23:05:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2010/02/10 20:48:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2010/07/23 18:46:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/07/27 08:47:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2008/05/12 11:47:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2010/10/14 14:27:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2008/09/26 13:00:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xara
[2009/03/17 14:26:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/04/06 09:30:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/17 15:20:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/28 17:51:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/07/23 21:14:59 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Mum\Application Data\.#
[2009/04/08 21:54:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\AlterLab
[2009/06/11 18:36:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Amazon
[2010/10/05 16:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\BeachPartyCraze
[2010/08/08 21:51:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\BitComet
[2009/05/07 18:28:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Boolat Games
[2008/06/08 09:30:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\ColorImpact3
[2008/11/24 22:02:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Dark Rock Games
[2008/10/21 10:41:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\EPSON
[2009/12/25 22:43:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\LG Electronics
[2008/06/08 09:31:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\LimeWire
[2008/09/26 13:01:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\MAGIX
[2008/05/25 11:46:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Meridian93
[2008/03/22 22:20:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\MSNInstaller
[2009/05/31 09:10:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Oberon
[2008/03/28 15:25:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Oberon Games
[2008/04/30 07:39:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\OfficeUpdate12
[2010/06/06 14:52:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\PetShowCraze
[2009/09/04 18:48:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\PlayFirst
[2009/05/23 21:43:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Samsung
[2008/01/04 10:22:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\SecondLife
[2009/08/07 20:05:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\SPORE
[2007/09/12 14:58:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Thunderbird
[2008/07/27 08:47:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\TomTom
[2008/03/10 12:50:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Ubbupi
[2009/09/25 21:33:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\ViquaSoft
[2010/01/12 22:00:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Virtual City
[2010/10/10 09:52:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mum\Application Data\Zogicy

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.sys /90 >
[2010/08/31 14:42:52 | 001,852,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/06/10 00:02:05 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/06/10 00:02:05 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/06/10 00:02:05 | 000,901,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %SYSTEMDRIVE%\*.* >
[2007/06/09 23:17:59 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/11/22 18:52:06 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2007/06/09 23:17:59 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/06/09 23:17:59 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/02/01 13:25:18 | 000,000,047 | ---- | M] () -- C:\kingdom_dbg.txt
[2008/05/12 11:31:31 | 000,000,256 | ---- | M] () -- C:\lxcg.log
[2008/05/12 11:31:32 | 000,001,298 | ---- | M] () -- C:\lxcgscan.log
[2008/05/12 11:32:27 | 000,629,510 | ---- | M] () -- C:\lxcgUNST.csv
[2007/06/09 23:17:59 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/02/28 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/10/21 22:46:09 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/10/17 10:02:21 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2008/01/04 16:23:36 | 000,043,328 | ---- | M] () -- C:\playground.log
[2009/11/12 13:37:50 | 000,000,204 | ---- | M] () -- C:\Plugins
[2010/01/01 23:24:36 | 000,000,232 | -H-- | M] () -- C:\sqmdata00.sqm
[2010/01/01 23:28:28 | 000,000,232 | -H-- | M] () -- C:\sqmdata01.sqm
[2010/01/01 23:29:09 | 000,000,232 | -H-- | M] () -- C:\sqmdata02.sqm
[2010/01/01 23:29:20 | 000,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[2010/01/01 23:29:30 | 000,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[2010/01/01 23:29:40 | 000,000,232 | -H-- | M] () -- C:\sqmdata05.sqm
[2010/01/01 23:29:50 | 000,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
[2010/01/04 13:33:08 | 000,000,232 | -H-- | M] () -- C:\sqmdata07.sqm
[2010/01/05 20:18:40 | 000,000,232 | -H-- | M] () -- C:\sqmdata08.sqm
[2010/01/05 20:27:46 | 000,000,232 | -H-- | M] () -- C:\sqmdata09.sqm
[2010/01/06 13:43:59 | 000,000,232 | -H-- | M] () -- C:\sqmdata10.sqm
[2010/01/06 18:34:46 | 000,000,232 | -H-- | M] () -- C:\sqmdata11.sqm
[2009/12/05 17:29:55 | 000,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/12/05 17:30:10 | 000,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/12/05 17:30:20 | 000,000,232 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/12/05 17:30:31 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/12/05 17:40:47 | 000,000,232 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/12/24 15:52:33 | 000,000,232 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/12/26 22:17:24 | 000,000,232 | -H-- | M] () -- C:\sqmdata18.sqm
[2009/12/27 18:18:27 | 000,000,232 | -H-- | M] () -- C:\sqmdata19.sqm
[2010/01/01 23:24:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2010/01/01 23:28:28 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2010/01/01 23:29:09 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2010/01/01 23:29:20 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2010/01/01 23:29:30 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2010/01/01 23:29:40 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2010/01/01 23:29:50 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2010/01/04 13:33:08 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2010/01/05 20:18:40 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2010/01/05 20:27:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2010/01/06 13:43:59 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2010/01/06 18:34:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009/12/05 17:29:55 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009/12/05 17:30:10 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/12/05 17:30:20 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/12/05 17:30:31 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/12/05 17:40:47 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/12/24 15:52:33 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/12/26 22:17:24 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009/12/27 18:18:27 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 13:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/10/26 20:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

========== Files - Unicode (All) ==========
[2010/07/19 11:08:55 | 010,270,726 | ---- | M] ()(C:\Documents and Settings\Mum\My Documents\[No1 @ 360Kpop] Super Junior - 01 - ? ?? ?? ? ?? (No Other) .mp3) -- C:\Documents and Settings\Mum\My Documents\[No1 @ 360Kpop] Super Junior - 01 - 너 같은 사람 또 없어 (No Other) .mp3
[2010/07/19 11:08:14 | 010,270,726 | ---- | C] ()(C:\Documents and Settings\Mum\My Documents\[No1 @ 360Kpop] Super Junior - 01 - ? ?? ?? ? ?? (No Other) .mp3) -- C:\Documents and Settings\Mum\My Documents\[No1 @ 360Kpop] Super Junior - 01 - 너 같은 사람 또 없어 (No Other) .mp3
[2010/06/27 11:57:21 | 008,652,800 | ---- | M] ()(C:\Documents and Settings\Mum\My Documents\Super Junior - ??? ??? (My All Is In You).mp3) -- C:\Documents and Settings\Mum\My Documents\Super Junior - 사랑이 이렇게 (My All Is In You).mp3
[2010/06/27 11:56:49 | 008,652,800 | ---- | C] ()(C:\Documents and Settings\Mum\My Documents\Super Junior - ??? ??? (My All Is In You).mp3) -- C:\Documents and Settings\Mum\My Documents\Super Junior - 사랑이 이렇게 (My All Is In You).mp3

========== Alternate Data Streams ==========

@Alternate Data Stream - 198 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ED45A20F
@Alternate Data Stream - 196 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A93CBF2B
@Alternate Data Stream - 191 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5F538558
@Alternate Data Stream - 191 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3780BCC3
@Alternate Data Stream - 189 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:74699137
@Alternate Data Stream - 188 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:89123481
@Alternate Data Stream - 186 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CDFF58FE
@Alternate Data Stream - 185 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5E3FBF9D
@Alternate Data Stream - 184 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E1982A23
@Alternate Data Stream - 184 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:700CD00E
@Alternate Data Stream - 184 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:41099CE9
@Alternate Data Stream - 183 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:00C31200
@Alternate Data Stream - 182 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E54FA796
@Alternate Data Stream - 182 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:60D735B2
@Alternate Data Stream - 182 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:444C53BA
@Alternate Data Stream - 181 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D8A7F3FF
@Alternate Data Stream - 181 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BBE01348
@Alternate Data Stream - 180 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8FBE0E9C
@Alternate Data Stream - 180 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4B62B91A
@Alternate Data Stream - 177 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9084D1D3
@Alternate Data Stream - 177 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:48FC7CA3
@Alternate Data Stream - 175 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DAFD38AE
@Alternate Data Stream - 175 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DA3C6C07
@Alternate Data Stream - 174 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:70F0A2F4
@Alternate Data Stream - 173 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3064D21D
@Alternate Data Stream - 167 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D9F6664C
@Alternate Data Stream - 164 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2B99FE60
@Alternate Data Stream - 156 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5EBA4934
@Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:74B502CB
@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EC381680
@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:273A8657
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05816AFA
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A724744F
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9FE30AB2
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:35759C73
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:70372429
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CF5C4195
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:997E6AF4
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3DB23B8E
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9AB56A06
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3857ABB7
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6CCBA03D

< End of report >


Edited by etavares, 18 October 2010 - 04:59 PM.
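The report above is an OTL log, and reading one is mostly a matter of sorting its entries: what changed recently, what is hidden and system-flagged, what carries no company name, and which objects carry alternate data streams (here, dozens on the All Users TEMP folder). The parser below is an added example, not part of the thread or of OTL itself; the sample lines are copied from the report above, and the report time is taken from the pagefile.sys timestamp.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Two line shapes appear in the report above:
#   [date time | size | attrs | M/C] (company) -- path   (company absent for folders)
#   @Alternate Data Stream - N bytes -> host:stream
ENTRY_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([RHSD-]{4}) \| ([MC])\]"
    r"(?: \((.*?)\))? -- (.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")


def parse_entry(line):
    """Parse one file/folder line into a dict, or return None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    stamp, size, attrs, kind, company, path = m.groups()
    # Unicode entries repeat the path as "()(C:\...)"; keep only the company part.
    company = (company or "").split(")(")[0]
    return {
        "time": datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S"),
        "size": int(size.replace(",", "")),
        "hidden": "H" in attrs, "system": "S" in attrs, "is_dir": "D" in attrs,
        "stamp": kind,  # M = modified timestamp, C = created timestamp
        "company": company, "path": path,
    }


def parse_ads(line):
    """Parse an alternate-data-stream line into host path, stream name and size."""
    m = ADS_RE.match(line.strip())
    if not m:
        return None
    size, full = m.groups()
    host, stream = full.rsplit(":", 1)  # rsplit keeps the drive-letter colon intact
    return {"host": host, "stream": stream, "size": int(size)}


def triage(log_text, report_time, recent_days=90):
    """Group what a log reader checks first: recent files, hidden+system files,
    files with no company name, and ADS counted (number, bytes) per host object."""
    entries, by_host = [], defaultdict(list)
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e:
            entries.append(e)
        else:
            a = parse_ads(line)
            if a:
                by_host[a["host"]].append(a["size"])
    cutoff = report_time - timedelta(days=recent_days)
    files = [e for e in entries if not e["is_dir"]]
    return {
        "recent": [e["path"] for e in files if e["time"] >= cutoff],
        "hidden_system": [e["path"] for e in files if e["hidden"] and e["system"]],
        "no_company": [e["path"] for e in files if not e["company"]],
        "ads_by_host": {h: (len(s), sum(s)) for h, s in by_host.items()},
    }


# Constructed sample: a few lines copied from the report in this thread.
SAMPLE_LOG = r"""
[2010/08/31 14:42:52 | 001,852,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[2008/11/22 18:52:06 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2009/07/23 21:14:59 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Mum\Application Data\.#
[2010/10/17 10:02:21 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
@Alternate Data Stream - 198 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ED45A20F
@Alternate Data Stream - 196 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A93CBF2B
"""
REPORT_TIME = datetime(2010, 10, 17, 10, 2, 21)  # pagefile.sys timestamp = when OTL ran


def triage_sample():
    return triage(SAMPLE_LOG, REPORT_TIME)
```

Entries like boot.ini and pagefile.sys land in the hidden+system and no-company buckets on every XP machine, so the buckets are a reading order, not a verdict; the ADS count per host is what makes the TEMP folder stand out at a glance.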


#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:08:34 PM

Posted 18 October 2010 - 05:11 PM

Hello, Carolyn771.

Yes, that is Pando Media Booster...we'll come back to that. First, you have a Ramnit infection. I've personally had mixed results with removing it. If we catch it early it's usually OK, but no guarantees. If you read the below and want to continue, please run Step 1 below.


I'm afraid I have very bad news.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Here's a good article on how to reformat:
When Should I Format, How Should I Reinstall

Also, to protect yourself against malware and reduce your chance of reinfection in the future, I strongly recommend having a look at the following links (giving some advice and tips):

Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#7 Carolyn771

Carolyn771
  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:34 AM

Posted 23 October 2010 - 09:30 AM

Thank you very much for your reply. In view of what you said, I decided to do a complete reformat. My daughter was happy as we managed to attach the printer and print off the stories she had written first, and she now has a faster, clean system.

Regards

Carolyn

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:08:34 PM

Posted 23 October 2010 - 11:39 AM

Thanks for letting me know.




#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:08:34 PM

Posted 28 October 2010 - 04:37 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.






