
Removing Trojan RootKit


  • This topic is locked
46 replies to this topic

#1 ctsmeouwow

ctsmeouwow

  • Members
  • 41 posts

Posted 29 March 2011 - 01:20 PM

Thank you for taking the time to help me. I already started a post: http://www.bleepingcomputer.com/forums/topic387744.html and was told to start a new post here.

Two more things to mention: I was just trying to do a google search and kept being directed. I was trying to use another computer this morning that is connected to our router and it is starting to act funny. I am leaving it off until I can get this straightened out.

I have not finished going through the instructions yet but since my time on the internet is sometimes limited due to the pc crashing and it sometimes takes me a while to get back on, I am posting the results of my attempt to run the DDS.SCR script.

The instructions say to turn off any script blockers but I don't know if I have any or how to do that. I did run it three times--once online and twice in Safe Mode, and got the blue screen dump crash each time. No specific error was mentioned this time. I will continue with the instructions and come back with more but this is what the dump said:

A PROBLEM HAS BEEN DETECTED AND WINDOWS HAS BEEN SHUT DOWN TO PROTECT YOUR COMPUTER. IF THIS IS THE FIRST TIME YOU'VE SEEN THIS STOP ERROR SCREEN, RESTART YOUR COMPUTER. IF THIS SCREEN APPEARS AGAIN, FOLLOW THESE STEPS:

CHECK TO BE SURE YOU HAVE ADEQUATE DISK SPACE. IF A DRIVER IS IDENTIFIED IN THE STOP MESSAGE, DISABLE THE DRIVER OR CHECK WITH THE MANUFACTURER FOR DRIVER UPDATES. TRY CHANGING VIDEO ADAPTERS.

CHECK WITH YOUR HARDWARE VENDOR FOR ANY BIOS UPDATES. DISABLE BIOS MEMORY OPTIONS SUCH AS CACHING OR SHADOWING. IF YOU NEED TO USE SAFE MODE TO REMOVE OR DISABLE COMPONENTS, RESTART YOUR COMPUTER, PRESS f8 TO SELECT ADVANCED STARTUP OPTIONS + THEN SELECT SAFE MODE.

TECH INFORMATION: STOPS OXOOOOOO1E (OXFFFFFFCOOOOOOD, OXFFFFFF8OOO3OD9703, OXOOOOOOOOOOOOOOOO, OXFFFFFFFFFFFFFFFF)

COLLECTING DATA FOR CRASH DUMP
INITIALIZING DISK FOR CRASH DUMP
BEGINNING DUMP OF PHYSICAL MEMORY
DUMPING PHYSICAL MEMORY TO DISK: 100
PHYSICAL MEMORY DUMP COMPLETE
CONTACT YOUR SYSTEM ADMIN OR TECHNICAL SUPPORT GROUP FOR FURTHER ASSISTANCE.
--------
Okay, I ran the GMER scan and it only returned the message GMER HASN'T FOUND ANY SYSTEM MODIFICATIONS. The boxes checked to scan did not look exactly like the instructions because a lot of them were grey and uncheckable. The only boxes checked for this scan were:

Services
Registry
Files
Drive C
ADS

I did notice under the services section that there are a number of disabled drivers. Maybe that's normal but thought I would mention it.

Thank you!

Carole

Edited by Andrew, 29 March 2011 - 03:06 PM.
Mod Edit: Merged OP Reply To Reset Reply Count - AA




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 April 2011 - 08:57 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.


Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • log from RKUnHooker
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 ctsmeouwow

ctsmeouwow
  • Topic Starter

  • Members
  • 41 posts

Posted 04 April 2011 - 01:34 PM

Hi Gringo. Thank you for helping me.

My symptoms are that my computer is constantly crashing and I get dump messages constantly (like the one I already posted above). Sometimes I can stay on for a few hours but it takes me numerous tries to get the computer back up. Also, my browser (firefox) and google searches are both randomly redirecting (not always...about 1/4 of the time I would guess.)

I downloaded defogger and disabled the CD Emulation Drivers.

I uninstalled my antivirus and malwarebytes as there was no option to disable them, but I still can't run the DDS. It starts to run in safe mode but then the system crashes and gives me an error like the one I already posted. (I can't cut and paste them because I lose the information on restart).

I downloaded the RKUnHooker but can't run that either. I get the following error message: "error loading driver NTSTATUS CODE 0xC000036B".

Thank you again for your assistance.

Carole

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 April 2011 - 02:31 PM

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


#5 ctsmeouwow

ctsmeouwow
  • Topic Starter

  • Members
  • 41 posts

Posted 04 April 2011 - 02:55 PM

OTL logfile created on: 4/4/2011 12:47:35 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\ctsmeou\Downloads
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 65.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): c:\pagefile.sys 4138 5757 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 586.40 Gb Total Space | 450.90 Gb Free Space | 76.89% Space Free | Partition Type: NTFS

Computer Name: CTSMEOU-PC | User Name: ctsmeou | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\ctsmeou\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)
PRC - C:\Program Files (x86)\Common Files\aol\1234916905\ee\aolsoftware.exe (AOL Inc.)
PRC - C:\Windows\mHotkey.exe ()
PRC - C:\Program Files (x86)\IOI\Smart Copy\ButtonMonitor.exe (IOI)
PRC - C:\Windows\CNYHKey.exe (Creative)
PRC - C:\Windows\ChiFuncExt.exe (Chicony)
PRC - C:\Windows\ModLEDKey.exe (Chicony)
PRC - C:\Program Files (x86)\Common Files\aol\acs\AOLacsd.exe (AOL LLC)


========== Modules (SafeList) ==========

MOD - C:\Users\ctsmeou\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\imagehlp.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\normaliz.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (Ati External Event Utility) -- C:\Windows\SysNative\Ati2evxx.exe (ATI Technologies Inc.)
SRV:64bit: - (ETService) -- C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe ()
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AgereModemAudio) -- C:\Windows\SysNative\agr64svc.exe (Agere Systems)
SRV:64bit: - (yksvc) -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
SRV - (BBSvc) -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE (Microsoft Corporation.)
SRV - (SeaPort) -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (GameConsoleService) -- C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe (WildTangent, Inc.)
SRV - (AOL ACS) -- C:\Program Files (x86)\Common Files\AOL\ACS\AOLAcsd.exe (AOL LLC)


========== Driver Services (SafeList) ==========

DRV:64bit: - (WpdUsb) -- C:\Windows\SysNative\DRIVERS\wpdusb.sys (Microsoft Corporation)
DRV:64bit: - (RTHDMIAzAudService) -- C:\Windows\SysNative\drivers\RtHDMIVX.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (yukonx64) -- C:\Windows\SysNative\DRIVERS\yk60x64.sys (Marvell)
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\DRIVERS\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (RTSTOR) -- C:\Windows\SysNative\drivers\RTSTOR64.SYS (Realtek Semiconductor Corp.)
DRV:64bit: - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\SysNative\DRIVERS\AtiPcie.sys (ATI Technologies Inc.)
DRV:64bit: - (AgereSoftModem) -- C:\Windows\SysNative\DRIVERS\agrsm64.sys (Agere Systems)
DRV:64bit: - (wanatw) WAN Miniport (ATW) -- C:\Windows\SysNative\DRIVERS\wanatw64.sys (America Online, Inc.)
DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\Wbem\ntfs.mof ()
DRV - (int15) -- C:\Windows\SysWOW64\drivers\int15_64.sys (Acer, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0109&m=dx4200-09
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0109&m=dx4200-09
IE - HKLM\..\URLSearchHook: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL L.L.C.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.kfi640.com/
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..\URLSearchHook: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL L.L.C.)
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.kfi640.com/"
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 5555
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2010/10/24 08:50:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/03/27 22:51:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/03/27 22:51:26 | 000,000,000 | ---D | M]

[2010/07/24 11:32:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ctsmeou\AppData\Roaming\Mozilla\Extensions
[2011/04/04 08:51:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ctsmeou\AppData\Roaming\Mozilla\Firefox\Profiles\svyv9208.default\extensions
[2010/10/12 12:00:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\ctsmeou\AppData\Roaming\Mozilla\Firefox\Profiles\svyv9208.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/09 01:51:14 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Users\ctsmeou\AppData\Roaming\Mozilla\Firefox\Profiles\svyv9208.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2010/07/24 11:32:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2009/11/19 14:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/19 14:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2011/01/03 20:47:54 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll (Google Inc.)
O2 - BHO: (AOL Toolbar Loader) - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL L.L.C.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL L.L.C.)
O3:64bit: - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..\Toolbar\WebBrowser: (AOL Toolbar) - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL L.L.C.)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Windows\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [HostManager] C:\Program Files (x86)\Common Files\AOL\1234916905\ee\AOLSoftware.exe (AOL Inc.)
O4 - HKLM..\Run: [LchDrvKey] C:\Windows\LchDrvKey.exe ()
O4 - HKLM..\Run: [LedKey] C:\Windows\CNYHKey.exe (Creative)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] File not found
O4 - HKLM..\Run: [Smart Copy] C:\Program Files (x86)\IOI\Smart Copy\ButtonMonitor.exe (IOI)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O8:64bit: - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..Trusted Domains: aol.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..Trusted Domains: kfi640.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..Trusted Domains: speedycash.com ([www] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ipp - No CLSID value found
O18:64bit: - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\ctsmeou\AppData\Roaming\FastStone\FSIV\FSViewerWallPaper.bmp
O24 - Desktop BackupWallPaper: C:\Users\ctsmeou\AppData\Roaming\FastStone\FSIV\FSViewerWallPaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/24 22:45:53 | 001,555,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2011/03/24 22:45:53 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\DWrite.dll
[2011/03/24 22:45:53 | 000,479,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsGdiConverter.dll
[2011/03/24 22:45:53 | 000,288,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsGdiConverter.dll
[2011/03/24 22:22:54 | 000,000,000 | ---D | C] -- C:\Windows\Registration
[2011/03/24 22:22:52 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2011/03/10 15:00:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AOL Desktop 9.6b
[2011/03/10 14:40:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AOL Desktop 9.6a
[2011/03/10 14:16:53 | 002,425,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstscax.dll
[2011/03/10 14:16:53 | 002,067,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstscax.dll
[2011/03/10 14:16:53 | 000,731,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstsc.exe
[2011/03/10 14:16:52 | 000,677,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstsc.exe
[2011/03/10 14:16:49 | 000,559,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EncDec.dll
[2011/03/10 14:16:49 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EncDec.dll
[2011/03/10 14:16:49 | 000,416,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sbe.dll
[2011/03/10 14:16:49 | 000,322,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\sbe.dll
[2011/03/10 14:16:49 | 000,226,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mpg2splt.ax
[2011/03/10 14:16:49 | 000,210,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sbeio.dll
[2011/03/10 14:16:49 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mpg2splt.ax
[2011/03/10 14:16:49 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\sbeio.dll
[2011/03/10 13:36:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AOL Desktop 9.6
[18 C:\Users\ctsmeou\Desktop\*.tmp files -> C:\Users\ctsmeou\Desktop\*.tmp -> ]
[10 C:\Users\ctsmeou\Documents\*.tmp files -> C:\Users\ctsmeou\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/04 12:04:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/04 11:37:49 | 000,000,438 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{0216F5AF-ADB6-4DE5-A233-B9AC8AA477C9}.job
[2011/04/04 11:27:51 | 000,034,560 | ---- | M] () -- C:\Windows\SysWow64\drivers\Normandy.sys
[2011/04/04 11:19:51 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/04 11:18:05 | 000,703,388 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/04/04 11:18:05 | 000,604,264 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/04/04 11:18:05 | 000,103,964 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/04/04 11:13:56 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/04 11:13:56 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/04 11:13:53 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\LogConfigTemp.xml
[2011/04/04 11:13:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/04 11:13:41 | 4025,671,680 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/04 11:13:25 | 437,155,556 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/04/02 20:45:01 | 000,010,274 | -HS- | M] () -- C:\Users\ctsmeou\AppData\Local\xknxn4mokk7qve73ognubh4w
[2011/04/02 20:45:01 | 000,010,274 | -HS- | M] () -- C:\ProgramData\xknxn4mokk7qve73ognubh4w
[2011/04/02 20:00:54 | 000,242,323 | -HS- | M] () -- C:\Users\ctsmeou\AppData\Local\jcf.exe
[2011/03/30 09:39:06 | 000,000,732 | ---- | M] () -- C:\Users\ctsmeou\AppData\Local\d3d9caps64.dat
[2011/03/30 01:04:10 | 000,000,416 | ---- | M] () -- C:\Users\ctsmeou\Desktop\body - Shortcut.lnk
[2011/03/29 19:27:22 | 000,009,764 | -HS- | M] () -- C:\Users\ctsmeou\AppData\Local\67880cagp3q
[2011/03/29 19:27:22 | 000,009,764 | -HS- | M] () -- C:\ProgramData\67880cagp3q
[2011/03/29 13:42:44 | 005,315,167 | ---- | M] () -- C:\Users\ctsmeou\Documents\soloc.jpg
[2011/03/29 13:42:13 | 005,166,591 | ---- | M] () -- C:\Users\ctsmeou\Documents\goldenb.jpg
[2011/03/29 13:41:52 | 005,359,290 | ---- | M] () -- C:\Users\ctsmeou\Documents\golden.jpg
[2011/03/29 13:41:27 | 005,467,614 | ---- | M] () -- C:\Users\ctsmeou\Documents\solob.jpg
[2011/03/29 13:41:11 | 005,919,399 | ---- | M] () -- C:\Users\ctsmeou\Documents\solo.jpg
[2011/03/29 13:40:42 | 004,090,122 | ---- | M] () -- C:\Users\ctsmeou\Documents\skipskirt.jpg
[2011/03/29 13:40:24 | 003,614,757 | ---- | M] () -- C:\Users\ctsmeou\Documents\mas.jpg
[2011/03/29 13:39:49 | 003,301,486 | ---- | M] () -- C:\Users\ctsmeou\Documents\skippurse.jpg
[2011/03/29 13:39:26 | 003,998,133 | ---- | M] () -- C:\Users\ctsmeou\Documents\stands.jpg
[2011/03/29 13:39:02 | 002,887,617 | ---- | M] () -- C:\Users\ctsmeou\Documents\pheadc.jpg
[2011/03/29 13:38:48 | 002,186,619 | ---- | M] () -- C:\Users\ctsmeou\Documents\pheadb.jpg
[2011/03/29 13:38:26 | 003,702,393 | ---- | M] () -- C:\Users\ctsmeou\Documents\phead.jpg
[2011/03/29 09:50:09 | 000,000,000 | ---- | M] () -- C:\Users\ctsmeou\defogger_reenable
[2011/03/20 15:44:05 | 004,398,406 | ---- | M] () -- C:\Users\ctsmeou\Documents\stripes.jpg
[2011/03/20 13:47:46 | 002,854,468 | ---- | M] () -- C:\Users\ctsmeou\Documents\jess.jpg
[2011/03/20 13:47:16 | 003,744,031 | ---- | M] () -- C:\Users\ctsmeou\Documents\cats.jpg
[2011/03/20 13:46:25 | 005,244,230 | ---- | M] () -- C:\Users\ctsmeou\Documents\bubbc.jpg
[2011/03/20 13:46:02 | 002,317,256 | ---- | M] () -- C:\Users\ctsmeou\Documents\bubbd.jpg
[2011/03/20 13:45:51 | 002,143,941 | ---- | M] () -- C:\Users\ctsmeou\Documents\bubbe.jpg
[2011/03/20 13:44:58 | 002,672,884 | ---- | M] () -- C:\Users\ctsmeou\Documents\bubbb.jpg
[2011/03/20 13:44:47 | 005,778,018 | ---- | M] () -- C:\Users\ctsmeou\Documents\bubb.jpg
[2011/03/20 13:43:50 | 003,409,154 | ---- | M] () -- C:\Users\ctsmeou\Documents\tweety.jpg
[2011/03/20 13:43:18 | 004,553,502 | ---- | M] () -- C:\Users\ctsmeou\Documents\fernb.jpg
[2011/03/20 13:42:59 | 004,692,150 | ---- | M] () -- C:\Users\ctsmeou\Documents\fern.jpg
[2011/03/20 13:42:33 | 003,878,595 | ---- | M] () -- C:\Users\ctsmeou\Documents\flam.jpg
[2011/03/16 12:27:18 | 000,037,376 | ---- | M] () -- C:\Users\ctsmeou\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/10 23:11:48 | 000,026,696 | ---- | M] () -- C:\Users\ctsmeou\Documents\2011-03-09-VUCDT.jpg
[2011/03/10 15:01:47 | 000,000,967 | ---- | M] () -- C:\Users\ctsmeou\Application Data\Microsoft\Internet Explorer\Quick Launch\AOL Desktop 9.6.lnk
[2011/03/10 15:01:47 | 000,000,875 | ---- | M] () -- C:\Users\Public\Desktop\AOL Desktop 9.6.lnk
[2011/03/06 13:18:57 | 004,567,578 | ---- | M] () -- C:\Users\ctsmeou\Documents\purseb.jpg
[2011/03/06 13:18:37 | 004,863,023 | ---- | M] () -- C:\Users\ctsmeou\Documents\purse.jpg
[2011/03/06 13:18:15 | 002,758,875 | ---- | M] () -- C:\Users\ctsmeou\Documents\chops.jpg
[2011/03/06 13:17:36 | 005,681,005 | ---- | M] () -- C:\Users\ctsmeou\Documents\stand.jpg
[2011/03/06 13:16:41 | 003,182,871 | ---- | M] () -- C:\Users\ctsmeou\Documents\staceysuitb.jpg
[2011/03/06 13:16:23 | 003,207,654 | ---- | M] () -- C:\Users\ctsmeou\Documents\staceysuit.jpg
[2011/03/06 13:15:39 | 002,394,952 | ---- | M] () -- C:\Users\ctsmeou\Documents\redb.jpg
[2011/03/06 13:14:53 | 002,757,513 | ---- | M] () -- C:\Users\ctsmeou\Documents\red.jpg
[18 C:\Users\ctsmeou\Desktop\*.tmp files -> C:\Users\ctsmeou\Desktop\*.tmp -> ]
[10 C:\Users\ctsmeou\Documents\*.tmp files -> C:\Users\ctsmeou\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/04 11:26:46 | 000,034,560 | ---- | C] () -- C:\Windows\SysWow64\drivers\Normandy.sys
[2011/04/04 10:15:26 | 4025,671,680 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/02 20:01:11 | 000,010,274 | -HS- | C] () -- C:\Users\ctsmeou\AppData\Local\xknxn4mokk7qve73ognubh4w
[2011/04/02 20:01:11 | 000,010,274 | -HS- | C] () -- C:\ProgramData\xknxn4mokk7qve73ognubh4w
[2011/04/02 20:00:54 | 000,242,323 | -HS- | C] () -- C:\Users\ctsmeou\AppData\Local\jcf.exe
[2011/03/30 01:04:10 | 000,000,416 | ---- | C] () -- C:\Users\ctsmeou\Desktop\body - Shortcut.lnk
[2011/03/29 19:25:11 | 000,009,764 | -HS- | C] () -- C:\Users\ctsmeou\AppData\Local\67880cagp3q
[2011/03/29 19:25:11 | 000,009,764 | -HS- | C] () -- C:\ProgramData\67880cagp3q
[2011/03/29 13:42:42 | 005,315,167 | ---- | C] () -- C:\Users\ctsmeou\Documents\soloc.jpg
[2011/03/29 13:42:12 | 005,166,591 | ---- | C] () -- C:\Users\ctsmeou\Documents\goldenb.jpg
[2011/03/29 13:41:50 | 005,359,290 | ---- | C] () -- C:\Users\ctsmeou\Documents\golden.jpg
[2011/03/29 13:41:26 | 005,467,614 | ---- | C] () -- C:\Users\ctsmeou\Documents\solob.jpg
[2011/03/29 13:39:48 | 003,301,486 | ---- | C] () -- C:\Users\ctsmeou\Documents\skippurse.jpg
[2011/03/29 13:39:01 | 002,887,617 | ---- | C] () -- C:\Users\ctsmeou\Documents\pheadc.jpg
[2011/03/29 13:38:47 | 002,186,619 | ---- | C] () -- C:\Users\ctsmeou\Documents\pheadb.jpg
[2011/03/29 13:38:24 | 003,702,393 | ---- | C] () -- C:\Users\ctsmeou\Documents\phead.jpg
[2011/03/29 09:50:09 | 000,000,000 | ---- | C] () -- C:\Users\ctsmeou\defogger_reenable
[2011/03/24 22:22:43 | 437,155,556 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/03/20 13:47:45 | 002,854,468 | ---- | C] () -- C:\Users\ctsmeou\Documents\jess.jpg
[2011/03/20 13:46:23 | 005,244,230 | ---- | C] () -- C:\Users\ctsmeou\Documents\bubbc.jpg
[2011/03/20 13:46:00 | 002,317,256 | ---- | C] () -- C:\Users\ctsmeou\Documents\bubbd.jpg
[2011/03/20 13:45:50 | 002,143,941 | ---- | C] () -- C:\Users\ctsmeou\Documents\bubbe.jpg
[2011/03/20 13:44:57 | 002,672,884 | ---- | C] () -- C:\Users\ctsmeou\Documents\bubbb.jpg
[2011/03/20 13:43:16 | 004,553,502 | ---- | C] () -- C:\Users\ctsmeou\Documents\fernb.jpg
[2011/03/20 13:42:57 | 004,692,150 | ---- | C] () -- C:\Users\ctsmeou\Documents\fern.jpg
[2011/03/10 23:11:48 | 000,026,696 | ---- | C] () -- C:\Users\ctsmeou\Documents\2011-03-09-VUCDT.jpg
[2011/03/10 14:42:18 | 000,000,967 | ---- | C] () -- C:\Users\ctsmeou\Application Data\Microsoft\Internet Explorer\Quick Launch\AOL Desktop 9.6.lnk
[2011/03/06 13:18:55 | 004,567,578 | ---- | C] () -- C:\Users\ctsmeou\Documents\purseb.jpg
[2011/03/06 13:18:35 | 004,863,023 | ---- | C] () -- C:\Users\ctsmeou\Documents\purse.jpg
[2011/03/06 13:18:14 | 002,758,875 | ---- | C] () -- C:\Users\ctsmeou\Documents\chops.jpg
[2011/03/06 13:16:39 | 003,182,871 | ---- | C] () -- C:\Users\ctsmeou\Documents\staceysuitb.jpg
[2011/03/06 13:16:22 | 003,207,654 | ---- | C] () -- C:\Users\ctsmeou\Documents\staceysuit.jpg
[2010/11/22 23:12:28 | 000,000,064 | ---- | C] () -- C:\Windows\wininit.ini
[2010/09/21 09:09:55 | 000,000,036 | -H-- | C] () -- C:\Windows\SysWow64\f9t.dat
[2010/05/14 01:43:09 | 000,000,732 | ---- | C] () -- C:\Users\ctsmeou\AppData\Local\d3d9caps64.dat
[2010/05/14 01:32:16 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\MSVolumePrMaAn.dll
[2010/01/21 19:09:10 | 000,141,179 | ---- | C] () -- C:\Windows\hpoins14.dat
[2009/11/15 18:12:49 | 000,140,394 | ---- | C] () -- C:\Windows\hpoins14.dat.temp
[2009/11/15 18:12:49 | 000,002,000 | ---- | C] () -- C:\Windows\hpomdl14.dat.temp
[2009/10/22 12:06:42 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/10/20 10:38:02 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009/10/20 10:37:28 | 000,107,612 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchema.bin
[2009/10/20 10:36:56 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/08/24 20:28:42 | 000,000,072 | ---- | C] () -- C:\Windows\ANS2000.INI
[2009/08/24 20:28:42 | 000,000,020 | -H-- | C] () -- C:\Windows\akebook.ini
[2009/08/24 20:28:42 | 000,000,004 | -H-- | C] () -- C:\Windows\a3kebook.ini
[2009/05/14 02:20:24 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/03/31 22:08:33 | 000,037,376 | ---- | C] () -- C:\Users\ctsmeou\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/02 06:23:35 | 000,031,049 | ---- | C] () -- C:\Users\ctsmeou\AppData\Roaming\UserTile.png
[2009/02/18 02:01:14 | 000,005,115 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini
[2009/02/17 17:04:03 | 000,000,335 | ---- | C] () -- C:\Windows\nsreg.dat
[2009/01/10 09:08:43 | 000,581,120 | ---- | C] () -- C:\Windows\mHotkey.exe
[2009/01/10 09:08:43 | 000,294,912 | ---- | C] () -- C:\Windows\PIC.dll
[2009/01/10 09:08:43 | 000,036,864 | ---- | C] () -- C:\Windows\LchDrvKey.exe
[2009/01/10 09:08:43 | 000,000,870 | ---- | C] () -- C:\Windows\mhotkey_reg.ini
[2009/01/10 09:00:47 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2008/11/03 13:56:52 | 000,018,904 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchemaTrivial.bin
[2008/11/03 13:19:12 | 003,107,788 | ---- | C] () -- C:\Windows\SysWow64\atiumdva.dat
[2008/01/20 19:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2007/09/19 18:14:41 | 000,002,000 | ---- | C] () -- C:\Windows\hpomdl14.dat
[2006/11/02 08:37:05 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 05:37:14 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2006/11/02 05:24:17 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2006/11/02 05:18:17 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2006/11/02 02:47:54 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

< End of report >
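
The OTL logs in this thread (the one above and the one posted later) are read by eye; as an added example that is not from the thread, from OTL's author or from the forum's helpers, here is a small Python triage pass over lines in the same format. It parses the bracketed file entries and the IE/Firefox proxy lines and flags what a reviewer would look at first: hidden+system files under user-writable paths, random extension-less file names, a driver file carrying no company name, and browser proxy settings pointing at loopback. The sample lines are constructed to mirror the log format, with a placeholder SID and a hypothetical user profile "u".

```python
import re
from pathlib import PureWindowsPath

# OTL file-list entry, e.g.
#   [2011/04/02 20:00:54 | 000,242,323 | -HS- | M] () -- C:\Users\u\AppData\Local\jcf.exe
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-RHSD]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# IE per-user proxy value and the Firefox prefs.js proxy host, as OTL prints them
IE_PROXY = re.compile(r'^IE - .*"ProxyServer" = (?P<value>.+)$')
FF_PROXY_HOST = re.compile(r'^FF - prefs\.js\.\.network\.proxy\.http: "(?P<host>[^"]+)"$')

USER_WRITABLE = ("\\users\\", "\\programdata\\")   # locations any user can drop files into
LOOPBACK = ("127.0.0.1", "localhost")


def parse_file_entry(line):
    """Parse one OTL file-list line into a dict; return None for other line types."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    entry["hidden"] = "H" in entry["attrs"]
    entry["system"] = "S" in entry["attrs"]
    entry["directory"] = "D" in entry["attrs"]
    return entry


def looks_random(name):
    """Extension-less name of 8+ alphanumerics that mixes letters and digits."""
    return (re.fullmatch(r"[A-Za-z0-9]{8,}", name) is not None
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def triage_line(line):
    """Return a list of (reason, detail) findings for a single log line."""
    findings = []
    entry = parse_file_entry(line)
    if entry is not None:
        path = entry["path"]
        low = path.lower()
        name = PureWindowsPath(path).name
        in_user_area = any(tag in low for tag in USER_WRITABLE)
        # Hidden+system attributes are normal for C:\hiberfil.sys, not for a
        # file sitting under a user profile or ProgramData.
        if entry["hidden"] and entry["system"] and in_user_area and not entry["directory"]:
            findings.append(("hidden+system file in user-writable location", path))
        if in_user_area and "." not in name and looks_random(name):
            findings.append(("random-looking extension-less file name", path))
        # OTL prints "()" when the file carries no company name; unusual for a driver.
        if low.endswith(".sys") and "\\drivers\\" in low and entry["company"] == "":
            findings.append(("driver file with no company name", path))
        return findings
    m = IE_PROXY.match(line.strip())
    if m and any(h in m.group("value") for h in LOOPBACK):
        findings.append(("IE proxy routed through loopback", m.group("value")))
    m = FF_PROXY_HOST.match(line.strip())
    if m and m.group("host") in LOOPBACK:
        # network.proxy.type decides whether Firefox actually uses this host.
        findings.append(("Firefox proxy host set to loopback", m.group("host")))
    return findings


def triage(lines):
    """Run triage_line over every line and concatenate the findings."""
    findings = []
    for line in lines:
        findings.extend(triage_line(line))
    return findings


# Constructed sample lines in OTL's format (placeholder SID, hypothetical user "u").
SAMPLE_LOG = [
    r"[2011/04/02 20:00:54 | 000,242,323 | -HS- | M] () -- C:\Users\u\AppData\Local\jcf.exe",
    r"[2011/04/02 20:45:01 | 000,010,274 | -HS- | M] () -- C:\ProgramData\xknxn4mokk7qve73ognubh4w",
    r"[2011/04/04 10:15:26 | 4025,671,680 | -HS- | C] () -- C:\hiberfil.sys",
    r"[2011/04/04 11:26:46 | 000,034,560 | ---- | C] () -- C:\Windows\SysWow64\drivers\Normandy.sys",
    r"[2011/03/24 22:45:53 | 001,555,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll",
    r"[2011/03/29 09:50:09 | 000,000,000 | ---- | M] () -- C:\Users\u\defogger_reenable",
    r'IE - HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555',
    r'FF - prefs.js..network.proxy.http: "127.0.0.1"',
    r"FF - prefs.js..network.proxy.type: 0",
]

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```

Feed it a whole OTL.txt with `triage(open(path).read().splitlines())`; lines it does not recognise are simply skipped.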

#6 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 04 April 2011 - 03:25 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

If you have any problems come back and let me know

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 ctsmeouwow

ctsmeouwow
  • Topic Starter

  • Members
  • 41 posts

Posted 04 April 2011 - 04:14 PM

Hi. I disabled my firewall (virus and malware were already uninstalled). I downloaded combofix but it won't run. Tried it four times and it goes into yet another crash dump every time. :(

#8 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 04 April 2011 - 04:31 PM

Hello

run combofix like this please


combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
ComboFix /nombr
  • click ok

copy and paste the report into this topic for me to review

Gringo

#9 ctsmeouwow

ctsmeouwow
  • Topic Starter

  • Members
  • 41 posts

Posted 04 April 2011 - 08:54 PM

Hi. I tried this twice and got this message:

Windows cannot find 'ComboFix'. Make sure you typed the name correctly, and then try again.

I cut and pasted it like you said so am sure it was correct. I did a browse and found it and tried running it from there but that crashed my computer again.

Thank you,

Carole

#10 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 05 April 2011 - 07:31 AM

I want you to download it again and save it to the desktop and try to run it again.

After you have tried to run it (and it fails), then run the script again.


gringo

#11 ctsmeouwow

ctsmeouwow
  • Topic Starter

  • Members
  • 41 posts

Posted 05 April 2011 - 10:51 AM

Okay, I downloaded and ran again and crashed again (for the record, I have no option to save to my desktop, I've been running it from the download folder). Then I tried the script again and got the same result as above.

Thanks.

#12 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 05 April 2011 - 10:53 AM

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


#13 ctsmeouwow

ctsmeouwow
  • Topic Starter

  • Members
  • 41 posts

Posted 05 April 2011 - 11:12 AM

I got the OTL.txt (not quite the same name as you posted so I hope it is what you want)

OTL logfile created on: 4/5/2011 9:03:56 AM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\ctsmeou\Downloads
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 68.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): c:\pagefile.sys 4138 5757 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 586.40 Gb Total Space | 450.08 Gb Free Space | 76.75% Space Free | Partition Type: NTFS

Computer Name: CTSMEOU-PC | User Name: ctsmeou | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\ctsmeou\Downloads\OTL(2).exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)
PRC - C:\Program Files (x86)\Common Files\aol\1234916905\ee\aolsoftware.exe (AOL Inc.)
PRC - C:\Windows\mHotkey.exe ()
PRC - C:\Program Files (x86)\IOI\Smart Copy\ButtonMonitor.exe (IOI)
PRC - C:\Windows\CNYHKey.exe (Creative)
PRC - C:\Windows\ChiFuncExt.exe (Chicony)
PRC - C:\Windows\ModLEDKey.exe (Chicony)


========== Modules (SafeList) ==========

MOD - C:\Users\ctsmeou\Downloads\OTL(2).exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\imagehlp.dll (Microsoft Corporation)
MOD - C:\Windows\SysWOW64\normaliz.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (Ati External Event Utility) -- C:\Windows\SysNative\Ati2evxx.exe (ATI Technologies Inc.)
SRV:64bit: - (ETService) -- C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe ()
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AgereModemAudio) -- C:\Windows\SysNative\agr64svc.exe (Agere Systems)
SRV:64bit: - (yksvc) -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
SRV - (BBSvc) -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE (Microsoft Corporation.)
SRV - (SeaPort) -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (GameConsoleService) -- C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe (WildTangent, Inc.)
SRV - (AOL ACS) -- C:\Program Files (x86)\Common Files\AOL\ACS\AOLAcsd.exe (AOL LLC)


========== Driver Services (SafeList) ==========

DRV:64bit: - (WpdUsb) -- C:\Windows\SysNative\DRIVERS\wpdusb.sys (Microsoft Corporation)
DRV:64bit: - (RTHDMIAzAudService) -- C:\Windows\SysNative\drivers\RtHDMIVX.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (yukonx64) -- C:\Windows\SysNative\DRIVERS\yk60x64.sys (Marvell)
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\DRIVERS\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (RTSTOR) -- C:\Windows\SysNative\drivers\RTSTOR64.SYS (Realtek Semiconductor Corp.)
DRV:64bit: - (AtiPcie) ATI PCI Express (3GIO) -- C:\Windows\SysNative\DRIVERS\AtiPcie.sys (ATI Technologies Inc.)
DRV:64bit: - (AgereSoftModem) -- C:\Windows\SysNative\DRIVERS\agrsm64.sys (Agere Systems)
DRV:64bit: - (wanatw) WAN Miniport (ATW) -- C:\Windows\SysNative\DRIVERS\wanatw64.sys (America Online, Inc.)
DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\Wbem\ntfs.mof ()
DRV - (Normandy) -- C:\Windows\SysWow64\drivers\Normandy.sys ()
DRV - (int15) -- C:\Windows\SysWOW64\drivers\int15_64.sys (Acer, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0109&m=dx4200-09
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0109&m=dx4200-09
IE - HKLM\..\URLSearchHook: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL L.L.C.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.kfi640.com/
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..\URLSearchHook: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL L.L.C.)
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.kfi640.com/"
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 5555
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2010/10/24 08:50:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/03/27 22:51:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/03/27 22:51:26 | 000,000,000 | ---D | M]

[2010/07/24 11:32:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ctsmeou\AppData\Roaming\Mozilla\Extensions
[2011/04/04 08:51:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ctsmeou\AppData\Roaming\Mozilla\Firefox\Profiles\svyv9208.default\extensions
[2010/10/12 12:00:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\ctsmeou\AppData\Roaming\Mozilla\Firefox\Profiles\svyv9208.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/09 01:51:14 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Users\ctsmeou\AppData\Roaming\Mozilla\Firefox\Profiles\svyv9208.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2010/07/24 11:32:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2009/11/19 14:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/19 14:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2011/01/03 20:47:54 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll (Google Inc.)
O2 - BHO: (AOL Toolbar Loader) - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL L.L.C.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL L.L.C.)
O3:64bit: - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..\Toolbar\WebBrowser: (AOL Toolbar) - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL L.L.C.)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Windows\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [HostManager] C:\Program Files (x86)\Common Files\AOL\1234916905\ee\AOLSoftware.exe (AOL Inc.)
O4 - HKLM..\Run: [LchDrvKey] C:\Windows\LchDrvKey.exe ()
O4 - HKLM..\Run: [LedKey] C:\Windows\CNYHKey.exe (Creative)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] File not found
O4 - HKLM..\Run: [Smart Copy] C:\Program Files (x86)\IOI\Smart Copy\ButtonMonitor.exe (IOI)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O8:64bit: - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..Trusted Domains: aol.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..Trusted Domains: kfi640.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\..Trusted Domains: speedycash.com ([www] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab (Java Plug-in 1.6.0_14)
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ipp - No CLSID value found
O18:64bit: - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\ctsmeou\AppData\Roaming\FastStone\FSIV\FSViewerWallPaper.bmp
O24 - Desktop BackupWallPaper: C:\Users\ctsmeou\AppData\Roaming\FastStone\FSIV\FSViewerWallPaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/05 08:40:27 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2011/03/24 22:45:53 | 001,555,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2011/03/24 22:45:53 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\DWrite.dll
[2011/03/24 22:45:53 | 000,479,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsGdiConverter.dll
[2011/03/24 22:45:53 | 000,288,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsGdiConverter.dll
[2011/03/24 22:22:54 | 000,000,000 | ---D | C] -- C:\Windows\Registration
[2011/03/24 22:22:52 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2011/03/10 15:00:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AOL Desktop 9.6b
[2011/03/10 14:40:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AOL Desktop 9.6a
[2011/03/10 14:16:53 | 002,425,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstscax.dll
[2011/03/10 14:16:53 | 002,067,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstscax.dll
[2011/03/10 14:16:53 | 000,731,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstsc.exe
[2011/03/10 14:16:52 | 000,677,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstsc.exe
[2011/03/10 14:16:49 | 000,559,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EncDec.dll
[2011/03/10 14:16:49 | 000,429,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EncDec.dll
[2011/03/10 14:16:49 | 000,416,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sbe.dll
[2011/03/10 14:16:49 | 000,322,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\sbe.dll
[2011/03/10 14:16:49 | 000,226,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mpg2splt.ax
[2011/03/10 14:16:49 | 000,210,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sbeio.dll
[2011/03/10 14:16:49 | 000,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mpg2splt.ax
[2011/03/10 14:16:49 | 000,153,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\sbeio.dll
[2011/03/10 13:36:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AOL Desktop 9.6
[18 C:\Users\ctsmeou\Desktop\*.tmp files -> C:\Users\ctsmeou\Desktop\*.tmp -> ]
[10 C:\Users\ctsmeou\Documents\*.tmp files -> C:\Users\ctsmeou\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/05 09:04:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/05 08:51:11 | 000,703,388 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/04/05 08:51:11 | 000,604,264 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/04/05 08:51:11 | 000,103,964 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/04/05 08:45:23 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\LogConfigTemp.xml
[2011/04/05 08:45:20 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/05 08:45:08 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/05 08:45:08 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/05 08:45:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/05 08:44:56 | 4025,671,680 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/05 08:44:53 | 442,881,764 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/04/04 18:47:08 | 000,000,438 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{0216F5AF-ADB6-4DE5-A233-B9AC8AA477C9}.job
[2011/04/04 18:21:13 | 000,002,259 | ---- | M] () -- C:\Users\ctsmeou\Desktop\ComboFix - Shortcut.lnk
[2011/04/04 11:27:51 | 000,034,560 | ---- | M] () -- C:\Windows\SysWow64\drivers\Normandy.sys
[2011/04/02 20:45:01 | 000,010,274 | -HS- | M] () -- C:\Users\ctsmeou\AppData\Local\xknxn4mokk7qve73ognubh4w
[2011/04/02 20:45:01 | 000,010,274 | -HS- | M] () -- C:\ProgramData\xknxn4mokk7qve73ognubh4w
[2011/04/02 20:00:54 | 000,242,323 | -HS- | M] () -- C:\Users\ctsmeou\AppData\Local\jcf.exe
[2011/03/30 09:39:06 | 000,000,732 | ---- | M] () -- C:\Users\ctsmeou\AppData\Local\d3d9caps64.dat
[2011/03/30 01:04:10 | 000,000,416 | ---- | M] () -- C:\Users\ctsmeou\Desktop\body - Shortcut.lnk
[2011/03/29 19:27:22 | 000,009,764 | -HS- | M] () -- C:\Users\ctsmeou\AppData\Local\67880cagp3q
[2011/03/29 19:27:22 | 000,009,764 | -HS- | M] () -- C:\ProgramData\67880cagp3q
[2011/03/29 13:42:44 | 005,315,167 | ---- | M] () -- C:\Users\ctsmeou\Documents\soloc.jpg
[2011/03/29 13:42:13 | 005,166,591 | ---- | M] () -- C:\Users\ctsmeou\Documents\goldenb.jpg
[2011/03/29 13:41:52 | 005,359,290 | ---- | M] () -- C:\Users\ctsmeou\Documents\golden.jpg
[2011/03/29 13:41:27 | 005,467,614 | ---- | M] () -- C:\Users\ctsmeou\Documents\solob.jpg
[2011/03/29 13:41:11 | 005,919,399 | ---- | M] () -- C:\Users\ctsmeou\Documents\solo.jpg
[2011/03/29 13:40:42 | 004,090,122 | ---- | M] () -- C:\Users\ctsmeou\Documents\skipskirt.jpg
[2011/03/29 13:40:24 | 003,614,757 | ---- | M] () -- C:\Users\ctsmeou\Documents\mas.jpg
[2011/03/29 13:39:49 | 003,301,486 | ---- | M] () -- C:\Users\ctsmeou\Documents\skippurse.jpg
[2011/03/29 13:39:26 | 003,998,133 | ---- | M] () -- C:\Users\ctsmeou\Documents\stands.jpg
[2011/03/29 13:39:02 | 002,887,617 | ---- | M] () -- C:\Users\ctsmeou\Documents\pheadc.jpg
[2011/03/29 13:38:48 | 002,186,619 | ---- | M] () -- C:\Users\ctsmeou\Documents\pheadb.jpg
[2011/03/29 13:38:26 | 003,702,393 | ---- | M] () -- C:\Users\ctsmeou\Documents\phead.jpg
[2011/03/29 09:50:09 | 000,000,000 | ---- | M] () -- C:\Users\ctsmeou\defogger_reenable
[2011/03/20 15:44:05 | 004,398,406 | ---- | M] () -- C:\Users\ctsmeou\Documents\stripes.jpg
[2011/03/20 13:47:46 | 002,854,468 | ---- | M] () -- C:\Users\ctsmeou\Documents\jess.jpg
[2011/03/20 13:47:16 | 003,744,031 | ---- | M] () -- C:\Users\ctsmeou\Documents\cats.jpg
[2011/03/20 13:46:25 | 005,244,230 | ---- | M] () -- C:\Users\ctsmeou\Documents\bubbc.jpg
[2011/03/20 13:46:02 | 002,317,256 | ---- | M] () -- C:\Users\ctsmeou\Documents\bubbd.jpg
[2011/03/20 13:45:51 | 002,143,941 | ---- | M] () -- C:\Users\ctsmeou\Documents\bubbe.jpg
[2011/03/20 13:44:58 | 002,672,884 | ---- | M] () -- C:\Users\ctsmeou\Documents\bubbb.jpg
[2011/03/20 13:44:47 | 005,778,018 | ---- | M] () -- C:\Users\ctsmeou\Documents\bubb.jpg
[2011/03/20 13:43:50 | 003,409,154 | ---- | M] () -- C:\Users\ctsmeou\Documents\tweety.jpg
[2011/03/20 13:43:18 | 004,553,502 | ---- | M] () -- C:\Users\ctsmeou\Documents\fernb.jpg
[2011/03/20 13:42:59 | 004,692,150 | ---- | M] () -- C:\Users\ctsmeou\Documents\fern.jpg
[2011/03/20 13:42:33 | 003,878,595 | ---- | M] () -- C:\Users\ctsmeou\Documents\flam.jpg
[2011/03/16 12:27:18 | 000,037,376 | ---- | M] () -- C:\Users\ctsmeou\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/10 23:11:48 | 000,026,696 | ---- | M] () -- C:\Users\ctsmeou\Documents\2011-03-09-VUCDT.jpg
[2011/03/10 15:01:47 | 000,000,967 | ---- | M] () -- C:\Users\ctsmeou\Application Data\Microsoft\Internet Explorer\Quick Launch\AOL Desktop 9.6.lnk
[2011/03/10 15:01:47 | 000,000,875 | ---- | M] () -- C:\Users\Public\Desktop\AOL Desktop 9.6.lnk
[2011/03/06 13:18:57 | 004,567,578 | ---- | M] () -- C:\Users\ctsmeou\Documents\purseb.jpg
[2011/03/06 13:18:37 | 004,863,023 | ---- | M] () -- C:\Users\ctsmeou\Documents\purse.jpg
[2011/03/06 13:18:15 | 002,758,875 | ---- | M] () -- C:\Users\ctsmeou\Documents\chops.jpg
[2011/03/06 13:17:36 | 005,681,005 | ---- | M] () -- C:\Users\ctsmeou\Documents\stand.jpg
[2011/03/06 13:16:41 | 003,182,871 | ---- | M] () -- C:\Users\ctsmeou\Documents\staceysuitb.jpg
[2011/03/06 13:16:23 | 003,207,654 | ---- | M] () -- C:\Users\ctsmeou\Documents\staceysuit.jpg
[2011/03/06 13:15:39 | 002,394,952 | ---- | M] () -- C:\Users\ctsmeou\Documents\redb.jpg
[2011/03/06 13:14:53 | 002,757,513 | ---- | M] () -- C:\Users\ctsmeou\Documents\red.jpg
[18 C:\Users\ctsmeou\Desktop\*.tmp files -> C:\Users\ctsmeou\Desktop\*.tmp -> ]
[10 C:\Users\ctsmeou\Documents\*.tmp files -> C:\Users\ctsmeou\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/04 18:21:13 | 000,002,259 | ---- | C] () -- C:\Users\ctsmeou\Desktop\ComboFix - Shortcut.lnk
[2011/04/04 17:03:22 | 4025,671,680 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/04 11:26:46 | 000,034,560 | ---- | C] () -- C:\Windows\SysWow64\drivers\Normandy.sys
[2011/04/02 20:01:11 | 000,010,274 | -HS- | C] () -- C:\Users\ctsmeou\AppData\Local\xknxn4mokk7qve73ognubh4w
[2011/04/02 20:01:11 | 000,010,274 | -HS- | C] () -- C:\ProgramData\xknxn4mokk7qve73ognubh4w
[2011/04/02 20:00:54 | 000,242,323 | -HS- | C] () -- C:\Users\ctsmeou\AppData\Local\jcf.exe
[2011/03/30 01:04:10 | 000,000,416 | ---- | C] () -- C:\Users\ctsmeou\Desktop\body - Shortcut.lnk
[2011/03/29 19:25:11 | 000,009,764 | -HS- | C] () -- C:\Users\ctsmeou\AppData\Local\67880cagp3q
[2011/03/29 19:25:11 | 000,009,764 | -HS- | C] () -- C:\ProgramData\67880cagp3q
[2011/03/29 13:42:42 | 005,315,167 | ---- | C] () -- C:\Users\ctsmeou\Documents\soloc.jpg
[2011/03/29 13:42:12 | 005,166,591 | ---- | C] () -- C:\Users\ctsmeou\Documents\goldenb.jpg
[2011/03/29 13:41:50 | 005,359,290 | ---- | C] () -- C:\Users\ctsmeou\Documents\golden.jpg
[2011/03/29 13:41:26 | 005,467,614 | ---- | C] () -- C:\Users\ctsmeou\Documents\solob.jpg
[2011/03/29 13:39:48 | 003,301,486 | ---- | C] () -- C:\Users\ctsmeou\Documents\skippurse.jpg
[2011/03/29 13:39:01 | 002,887,617 | ---- | C] () -- C:\Users\ctsmeou\Documents\pheadc.jpg
[2011/03/29 13:38:47 | 002,186,619 | ---- | C] () -- C:\Users\ctsmeou\Documents\pheadb.jpg
[2011/03/29 13:38:24 | 003,702,393 | ---- | C] () -- C:\Users\ctsmeou\Documents\phead.jpg
[2011/03/29 09:50:09 | 000,000,000 | ---- | C] () -- C:\Users\ctsmeou\defogger_reenable
[2011/03/24 22:22:43 | 442,881,764 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/03/20 13:47:45 | 002,854,468 | ---- | C] () -- C:\Users\ctsmeou\Documents\jess.jpg
[2011/03/20 13:46:23 | 005,244,230 | ---- | C] () -- C:\Users\ctsmeou\Documents\bubbc.jpg
[2011/03/20 13:46:00 | 002,317,256 | ---- | C] () -- C:\Users\ctsmeou\Documents\bubbd.jpg
[2011/03/20 13:45:50 | 002,143,941 | ---- | C] () -- C:\Users\ctsmeou\Documents\bubbe.jpg
[2011/03/20 13:44:57 | 002,672,884 | ---- | C] () -- C:\Users\ctsmeou\Documents\bubbb.jpg
[2011/03/20 13:43:16 | 004,553,502 | ---- | C] () -- C:\Users\ctsmeou\Documents\fernb.jpg
[2011/03/20 13:42:57 | 004,692,150 | ---- | C] () -- C:\Users\ctsmeou\Documents\fern.jpg
[2011/03/10 23:11:48 | 000,026,696 | ---- | C] () -- C:\Users\ctsmeou\Documents\2011-03-09-VUCDT.jpg
[2011/03/10 14:42:18 | 000,000,967 | ---- | C] () -- C:\Users\ctsmeou\Application Data\Microsoft\Internet Explorer\Quick Launch\AOL Desktop 9.6.lnk
[2011/03/06 13:18:55 | 004,567,578 | ---- | C] () -- C:\Users\ctsmeou\Documents\purseb.jpg
[2011/03/06 13:18:35 | 004,863,023 | ---- | C] () -- C:\Users\ctsmeou\Documents\purse.jpg
[2011/03/06 13:18:14 | 002,758,875 | ---- | C] () -- C:\Users\ctsmeou\Documents\chops.jpg
[2011/03/06 13:16:39 | 003,182,871 | ---- | C] () -- C:\Users\ctsmeou\Documents\staceysuitb.jpg
[2011/03/06 13:16:22 | 003,207,654 | ---- | C] () -- C:\Users\ctsmeou\Documents\staceysuit.jpg
[2010/11/22 23:12:28 | 000,000,064 | ---- | C] () -- C:\Windows\wininit.ini
[2010/09/21 09:09:55 | 000,000,036 | -H-- | C] () -- C:\Windows\SysWow64\f9t.dat
[2010/05/14 01:43:09 | 000,000,732 | ---- | C] () -- C:\Users\ctsmeou\AppData\Local\d3d9caps64.dat
[2010/05/14 01:32:16 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\MSVolumePrMaAn.dll
[2010/01/21 19:09:10 | 000,141,179 | ---- | C] () -- C:\Windows\hpoins14.dat
[2009/11/15 18:12:49 | 000,140,394 | ---- | C] () -- C:\Windows\hpoins14.dat.temp
[2009/11/15 18:12:49 | 000,002,000 | ---- | C] () -- C:\Windows\hpomdl14.dat.temp
[2009/10/22 12:06:42 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/10/20 10:38:02 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009/10/20 10:37:28 | 000,107,612 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchema.bin
[2009/10/20 10:36:56 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/08/24 20:28:42 | 000,000,072 | ---- | C] () -- C:\Windows\ANS2000.INI
[2009/08/24 20:28:42 | 000,000,020 | -H-- | C] () -- C:\Windows\akebook.ini
[2009/08/24 20:28:42 | 000,000,004 | -H-- | C] () -- C:\Windows\a3kebook.ini
[2009/05/14 02:20:24 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/03/31 22:08:33 | 000,037,376 | ---- | C] () -- C:\Users\ctsmeou\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/02 06:23:35 | 000,031,049 | ---- | C] () -- C:\Users\ctsmeou\AppData\Roaming\UserTile.png
[2009/02/18 02:01:14 | 000,005,115 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini
[2009/02/17 17:04:03 | 000,000,335 | ---- | C] () -- C:\Windows\nsreg.dat
[2009/01/10 09:08:43 | 000,581,120 | ---- | C] () -- C:\Windows\mHotkey.exe
[2009/01/10 09:08:43 | 000,294,912 | ---- | C] () -- C:\Windows\PIC.dll
[2009/01/10 09:08:43 | 000,036,864 | ---- | C] () -- C:\Windows\LchDrvKey.exe
[2009/01/10 09:08:43 | 000,000,870 | ---- | C] () -- C:\Windows\mhotkey_reg.ini
[2009/01/10 09:00:47 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2008/11/03 13:56:52 | 000,018,904 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchemaTrivial.bin
[2008/11/03 13:19:12 | 003,107,788 | ---- | C] () -- C:\Windows\SysWow64\atiumdva.dat
[2008/01/20 19:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2007/09/19 18:14:41 | 000,002,000 | ---- | C] () -- C:\Windows\hpomdl14.dat
[2006/11/02 08:37:05 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 05:37:14 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2006/11/02 05:24:17 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2006/11/02 05:18:17 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2006/11/02 02:47:54 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

< End of report >

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:37 AM

Posted 05 April 2011 - 11:23 AM

Run OTL Script

We need to run an OTL Fix

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the textbox. Do not include the word Code
    :otl
    O4 - HKLM..\Run: [eRecoveryService] File not found
    O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] File not found
    O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ipp - No CLSID value found
    O18:64bit: - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.kfi640.com/
    IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    FF - prefs.js..browser.startup.homepage: "http://www.kfi640.com/"
    FF - prefs.js..network.proxy.http: "127.0.0.1"
    FF - prefs.js..network.proxy.http_port: 5555
    FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
    FF - prefs.js..network.proxy.type: 0
    [2011/04/02 20:01:11 | 000,010,274 | -HS- | C] () -- C:\Users\ctsmeou\AppData\Local\xknxn4mokk7qve73ognubh4w
    [2011/04/02 20:01:11 | 000,010,274 | -HS- | C] () -- C:\ProgramData\xknxn4mokk7qve73ognubh4w
    [2011/04/02 20:00:54 | 000,242,323 | -HS- | C] () -- C:\Users\ctsmeou\AppData\Local\jcf.exe
    [2011/03/29 19:25:11 | 000,009,764 | -HS- | C] () -- C:\Users\ctsmeou\AppData\Local\67880cagp3q
    [2011/03/29 19:25:11 | 000,009,764 | -HS- | C] () -- C:\ProgramData\67880cagp3q
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY] 
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS] 
    
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

Let me know about the redirects when complete


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
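The fix above targets two things visible in the OTL report: files with hidden and system attributes and no publisher dropped into AppData\Local and ProgramData, and IE/Firefox proxy settings pointed at 127.0.0.1:5555, which is what was causing the search redirects. As an added example (not part of this thread and not OTL's own code), here is a Python parser that flags exactly those entries in an OTL report; the sample lines are copied from the report posted above, and the list of "user-writable" directories is an assumption chosen to keep legitimate hidden/system files such as C:\hiberfil.sys out of the findings.

```python
"""Parse the file and proxy lines of an OTL report and flag what this fix targets."""
import re
from dataclasses import dataclass

# Shape of OTL "Files Created"/"Files Modified" entries, e.g.
# [2011/04/02 20:00:54 | 000,242,323 | -HS- | C] () -- C:\Users\ctsmeou\AppData\Local\jcf.exe
FILE_LINE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$")
# Proxy settings as OTL prints them for IE and Firefox
IE_PROXY = re.compile(r'"ProxyServer" = (?:http=)?(?P<host>[\w.]+):(?P<port>\d+)')
FF_PROXY = re.compile(r'network\.proxy\.http: "(?P<host>[^"]+)"')
LOCAL_HOSTS = ("127.0.0.1", "localhost")
# Assumption: directories any user process can write to. Legitimate -HS- files
# such as C:\hiberfil.sys live outside them and must not be flagged.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")

@dataclass
class Finding:
    kind: str
    detail: str

def parse_file_line(line):
    """Return the fields of one OTL file entry, or None for any other line."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    return entry

def scan_report(text):
    findings = []
    for line in text.splitlines():
        entry = parse_file_line(line)
        if entry:
            # Hidden+system, no publisher, dropped where a user process can write
            if {"H", "S"} <= set(entry["attrs"]) and not entry["company"] \
                    and any(seg in entry["path"].lower() for seg in USER_WRITABLE):
                findings.append(Finding("hidden_system_file", entry["path"]))
            continue
        m = IE_PROXY.search(line)
        if m and m.group("host") in LOCAL_HOSTS:
            findings.append(Finding("local_proxy", "IE -> %s:%s" % (m.group("host"), m.group("port"))))
        m = FF_PROXY.search(line)
        if m and m.group("host") in LOCAL_HOSTS:
            findings.append(Finding("local_proxy", "Firefox -> " + m.group("host")))
    return findings

# Constructed excerpt: a handful of lines copied from the report in this thread
SAMPLE_REPORT = r"""
IE - HKU\S-1-5-21-2593639916-381421993-2783172376-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 5555
[2011/04/04 17:03:22 | 4025,671,680 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/02 20:01:11 | 000,010,274 | -HS- | C] () -- C:\ProgramData\xknxn4mokk7qve73ognubh4w
[2011/04/02 20:00:54 | 000,242,323 | -HS- | C] () -- C:\Users\ctsmeou\AppData\Local\jcf.exe
[2011/03/24 22:45:53 | 001,555,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2011/03/30 09:39:06 | 000,000,732 | ---- | M] () -- C:\Users\ctsmeou\AppData\Local\d3d9caps64.dat
"""

if __name__ == "__main__":
    for f in scan_report(SAMPLE_REPORT):
        print(f.kind, f.detail)
```

Run against the sample, the two proxy lines and the two dropped files are reported while hiberfil.sys, the signed Microsoft DLL and the plain d3d9caps64.dat are left alone.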

#15 ctsmeouwow

ctsmeouwow
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:03:37 AM

Posted 05 April 2011 - 01:28 PM

Hi. I ran the fix. It completed and rebooted but the system crash dumped upon starting up and there was not enough time to copy and paste the information from the notepad here. Does it keep a log? I did see where it said that all processes had been killed.

It took me about a dozen more restarts to get back online. But one of the restarts did something different. It ran a CHKDSK before it booted back up and then crashed. I didn't see much of what this said, but a couple of things I did notice were that it said the 2nd NTFS boot sector is unwriteable and that there were no bad sectors in the first boot sector.

I won't know about the redirects for a while because it doesn't happen always, so I will have to report back on that. I did notice that my homepage is gone in both IE and Firefox--that's okay--I just wanted to note the difference in case it is relevant.

Thank you.

Carole



