
Vista Security 2011 Killing Me - Nothing Works


24 replies to this topic

#1 chiselchest

chiselchest

  • Members
  • 14 posts

Posted 19 April 2011 - 11:23 PM

Greetings folks,

I have been infected with the "Vista Security 2011" virus/malware. I am so frustrated. I am on the verge of just purchasing a new tower.

My OS is Vista (early '06, with auto updates), and I run Zone Alarm security suite, and scan often (but not a deep scan [as I have just learned]). I have not had a single problem in the last 5 years. But this virus seems to have dug itself in quite deep.

I am an average user - not an IT person. The background is this:
* Shortly after switching to IE 9, about 7 days ago, the pop-ups began: the "scan" that is often posted about here, with 35 viruses found, click here for a fix, etc. I suspected I was infected immediately. I was redirected to other websites prior to the pop-ups, so I was on alert.
* Then every attempt at any website was redirected, later any applications or files would not open (extensions fouled?). It always asked "What program do you want to use to open this?"
* Then I couldn't do anything - access any website (except bleepingcomputer.com), but couldn't even open up my anti-virus or spyware (which would normally open when PC rebooted). I re-booted several times, even in safe mode with networking, and have tried a multitude of combinations.
* Now I can't even download rKill, Malware stuff, or anything. It downloads the desired app, then quickly goes to the IE "page not available" page.

I was able to open my anti-virus now, and run a deep scan. But no find...

I downloaded most of the software recommended, but it won't allow me to open it. And when I click on the bleepingcomputer link to get to more software to download, I am re-directed!

I have to admit; I'm so frustrated with this, I might just go buy a new tower...

I've printed out & tried most of the solutions I could get, but this thing won't even allow me to access "regedit" in the MS run thingy, safe mode or not...

Should I just buy a new tower?

Thanks for everything here folks, THIS IS the only website my PC can access (100%).

Should I be hopeless?

Edited by chiselchest, 19 April 2011 - 11:29 PM.




#2 heir

heir

  • Malware Response Team
  • 763 posts

Posted 20 April 2011 - 03:57 AM

Welcome to BC!

Let's see if we can sort this out.

Note: If using Firefox, right-click on any download links and choose Save As.

Please download OTH to your desktop
Please download OTL to your desktop
Please download the attached file Scan.txt to your desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.


Then select Start OTL. OTL will now run

  • Double-click on the Custom Scans box and a message box will popup asking if you want to load a custom scan from a file
    Select Scan.txt that you downloaded
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Click the Internet Explorer button, post these logs in your Virus Removal topic.


----------------


If you aren't able to download the tools, then use another clean computer to download them. Use a flash drive to transfer them. Before you use the flash drive you need to do this from the clean computer.


Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!


#3 chiselchest

chiselchest
  • Topic Starter

  • Members
  • 14 posts

Posted 20 April 2011 - 07:03 PM

Thank you so much for your response!

I could not download any of those, trying different methods. I will try downloading to a clean computer ASAP. I will then post the mentioned log in the Virus Removal thread.

Thanks again so much!

#4 chiselchest

chiselchest
  • Topic Starter

  • Members
  • 14 posts

Posted 20 April 2011 - 08:55 PM

I was able to download & run rKill, here are the results:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/20/2011 at 18:52:09.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Users\Mitch's\AppData\Local\syw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe


Rkill completed on 04/20/2011 at 18:52:25.
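An added example, not code from the thread or from OTL's author: a small Python triage pass over OTL-format lines of the kind chiselchest posts in the next reply. It flags a policy-based autostart entry, UAC and Security Center policies that suppress warnings, a static NameServer that differs from the DHCP-assigned one, hidden+system files with no publisher in user-writable folders, and a removable-drive AutoRun command. The sample lines are copied from that log; the rules are the example's own assumptions, not OTL's.

```python
"""Triage of OTL (OldTimer's List-It) log lines for common rogue-AV indicators."""
import re

# Constructed sample: a subset of lines in OTL's format, copied from the kinds of
# entries visible in the log posted in this thread.
SAMPLE_LOG = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: some = C:\Program Files\Video Add-on\icthis.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.179,93.188.160.239
O33 - MountPoints2\{832d44db-a855-11dc-8b3a-001bb9755a2a}\Shell\AutoRun\command - "" = F:\JDSecure\Windows\JDSecure31.exe
[2011/04/20 18:44:47 | 000,013,122 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\1ycw044f0ry3igk042b0613q
[2011/04/20 17:06:14 | 000,234,345 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\syw.exe
[2011/04/20 20:58:56 | 000,650,972 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/06 15:47:42 | 000,162,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
"""

# "[date time | size | attrs | C/M] (company) -- path" file entries.
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d/ :]+) \| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| [CM]\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# "Onn - <key>: <name> = <value>" registry entries (O6, O7, O17, ...).
REG_RE = re.compile(r"^(?P<item>O\d+) - (?P<key>.+?): (?P<name>[^=]+?) = (?P<value>.+)$")
# O33 MountPoints2 AutoRun commands (what Flash_Disinfector's autorun.inf folder guards against).
AUTORUN_RE = re.compile(r'^O33 - MountPoints2\\.*\\AutoRun\\command - "" = (.+)$')

# Directories a standard user can write to; legitimate hidden+system files rarely live here.
USER_WRITABLE = ("\\appdata\\local\\", "\\programdata\\")


def triage(log_text):
    """Return a list of human-readable findings for the given OTL log text."""
    findings = []
    dns = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_RE.match(line)
        if m:
            item, key, name, value = m.group("item", "key", "name", "value")
            if item == "O17":
                # Collect both DHCP and static resolver lists; compared after the loop.
                dns[name] = re.split(r"[ ,]+", value.strip())
            elif key.lower().endswith("\\policies\\explorer\\run"):
                findings.append(f"policy autostart (not a normal Run key): {name} = {value}")
            elif name == "ConsentPromptBehaviorAdmin" and value == "0":
                findings.append("UAC: ConsentPromptBehaviorAdmin = 0 (admins elevate without a prompt)")
            elif name == "HideSCAHealth" and value == "1":
                findings.append("Security Center icon hidden (HideSCAHealth = 1)")
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(f"removable-drive AutoRun command: {m.group(1)}")
            continue
        m = FILE_RE.match(line)
        if m:
            attr, company, path = m.group("attr", "company", "path")
            low = path.lower()
            if "H" in attr and "S" in attr and not company and any(d in low for d in USER_WRITABLE):
                findings.append(f"hidden+system file with no publisher in user-writable dir: {path}")
    static, dhcp = dns.get("NameServer"), dns.get("DhcpNameServer")
    if static and static != dhcp:
        findings.append(f"static DNS {static} overrides DHCP-assigned {dhcp} (possible DNS hijack)")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("-", f)
```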

#5 chiselchest

chiselchest
  • Topic Starter

  • Members
  • 14 posts

Posted 20 April 2011 - 11:10 PM

Again, THANKS in advance...

OK, using a clean PC, I was able to run OTL but couldn't select the custom scan "scan.txt", as the message stated it couldn't be opened? So I ran "run scan", and "quick scan". It still won't allow me to select scan.txt when double clicking on the custom box, then selecting "scan.txt"...

But here is the log it produced. So these scans are not exactly what was requested.

I also cannot download the malware program suggested here, as I keep getting an "IE cannot load the requested page" message, check internet connection, etc., that message with the grey background.

PS Could I simply purchase the malware software on a clean PC, and load/run on my infected PC? Would that work?
________________________________
OTL logfile created on: 4/20/2011 9:00:25 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = F:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 363.82 Gb Total Space | 184.19 Gb Free Space | 50.63% Space Free | Partition Type: NTFS
Drive D: | 8.79 Gb Total Space | 0.72 Gb Free Space | 8.18% Space Free | Partition Type: NTFS
Drive F: | 250.10 Mb Total Space | 249.16 Mb Free Space | 99.63% Space Free | Partition Type: FAT

Computer Name: MITCHS-PC | User Name: Mitch's | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/20 20:51:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- F:\OTL.scr
PRC - [2011/04/20 20:50:44 | 000,258,560 | ---- | M] (OldTimer Tools) -- F:\OTH.scr
PRC - [2010/07/20 22:24:38 | 002,434,568 | ---- | M] (Check Point Software Technologies LTD) -- C:\Windows\System32\ZoneLabs\vsmon.exe
PRC - [2010/07/20 22:22:56 | 001,038,848 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2010/06/15 04:09:48 | 000,493,032 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2010/06/15 04:09:44 | 000,730,600 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2009/07/07 14:48:44 | 000,647,216 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2009/03/06 13:59:12 | 000,020,376 | ---- | M] (WebEx Communications, Inc.) -- C:\Windows\System32\atashost.exe
PRC - [2009/02/20 10:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe


========== Modules (SafeList) ==========

MOD - [2011/04/20 20:51:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- F:\OTL.scr
MOD - [2010/08/31 08:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll
MOD - [2010/06/15 04:09:52 | 000,640,488 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
MOD - [2010/06/15 04:09:44 | 000,562,664 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\AK\icsak.dll
MOD - [2009/03/29 21:42:16 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4016_none_d0893820442e7fe4\msvcr80.dll
MOD - [2009/03/29 21:42:16 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4016_none_d0893820442e7fe4\msvcp80.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (iPod Service)
SRV - [2010/07/20 22:24:38 | 002,434,568 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Windows\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2010/06/15 04:09:48 | 000,493,032 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV - [2009/07/07 14:48:44 | 000,647,216 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2009/03/06 13:59:12 | 000,020,376 | ---- | M] (WebEx Communications, Inc.) [Auto | Running] -- C:\Windows\System32\atashost.exe -- (atashost)
SRV - [2009/02/20 10:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)


========== Driver Services (SafeList) ==========

DRV - [2010/06/15 04:09:40 | 000,035,568 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand | Running] -- C:\Program Files\CheckPoint\ZAForceField\AK\icsak.sys -- (icsak)
DRV - [2010/06/15 04:09:40 | 000,026,352 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2010/06/09 20:16:08 | 000,462,424 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\Windows\System32\drivers\vsdatant.sys -- (vsdatant)
DRV - [2009/10/12 19:15:28 | 000,305,168 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\Windows\System32\drivers\klif.sys -- (KLIF)
DRV - [2009/10/12 19:15:26 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\System32\drivers\kl1.sys -- (kl1)
DRV - [2009/08/14 06:45:24 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/08/14 06:45:24 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2009/07/07 14:48:44 | 000,027,696 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\purendis.sys -- (purendis)
DRV - [2008/10/08 16:05:16 | 000,003,328 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rcmirror.sys -- (rcmirror)
DRV - [2008/08/01 20:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/05/22 21:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/05/08 05:05:18 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2008/05/08 05:03:18 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2007/10/18 07:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/03/19 06:58:50 | 000,101,672 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2005/12/12 10:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)
DRV - [1999/08/12 06:59:08 | 000,034,916 | ---- | M] (Marimba, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\MrtRate.sys -- (mrtRate)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default Download Directory = C:\Users\Mitch's\Desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll (Spigot, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2011/03/16 18:11:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2224E955-00E9-4613-A844-CE69FCCAAE91}: C:\Program Files\Internet Saving Optimizer\3.4.0.4340\FF [2009/07/09 19:39:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0BA0192D-94A5-45e3-B2B8-3EC5A1A0B5EC}: C:\Program Files\Media Access Startup\1.3.0.790\FF [2009/07/09 19:40:01 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/09/18 14:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Dealio Toolbar) - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll (Spigot, Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Media Access Startup) - {25B8D58C-B0CB-46b0-BA64-05B3804E4E86} - File not found
O2 - BHO: (NP Helper Class) - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll ()
O2 - BHO: (no name) - {67956585-9B5C-4E2B-ABE1-A01BF3046EE1} - No CLSID value found.
O2 - BHO: (ZoneAlarm Toolbar Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O2 - BHO: (System Search Dispatcher) - {CDBFB47B-58A8-4111-BF95-06178DCE326D} - File not found
O2 - BHO: (SearchSettings Class) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (Dealio Toolbar) - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (JuicyAccess Toolbar) - {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - C:\Program Files\DoubleD\JuicyAccess Toolbar\4.1.0.17730\stb0.dll ()
O3 - HKLM\..\Toolbar: (IE Custom Tools) - {8113B5DE-F7EB-4154-A311-497FB80D8BD0} - File not found
O3 - HKLM\..\Toolbar: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (IE Custom Tools) - {8113B5DE-F7EB-4154-A311-497FB80D8BD0} - File not found
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe (Spigot, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [MRC] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: some = C:\Program Files\Video Add-on\icthis.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O13 - gopher Prefix: missing
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} https://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab (EPUImageControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab (PopCapLoader Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.179,93.188.160.239
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Mitch's\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Mitch's\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/25 12:12:32 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{832d44db-a855-11dc-8b3a-001bb9755a2a}\Shell\AutoRun\command - "" = F:\JDSecure\Windows\JDSecure31.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/18 15:57:41 | 000,568,696 | ---- | C] (Google Inc.) -- C:\Users\Mitch's\Desktop\ChromeSetup.exe
[2011/04/17 18:17:55 | 000,692,640 | ---- | C] (Enigma Software Group USA, LLC.) -- C:\Users\Mitch's\Desktop\SpyHunter-Installer.exe
[2011/04/06 15:47:42 | 000,162,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2011/04/06 15:47:42 | 000,161,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2011/04/06 15:47:42 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/04/06 15:47:41 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/04/06 15:47:41 | 000,086,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011/04/06 15:47:41 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2011/04/06 15:47:41 | 000,074,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2011/04/06 15:47:41 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2011/04/06 15:47:40 | 003,695,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2011/04/06 15:47:40 | 000,434,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2011/04/06 15:47:40 | 000,367,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/04/06 15:47:40 | 000,353,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2011/04/06 15:47:40 | 000,223,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2011/04/06 15:47:40 | 000,074,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011/04/06 15:47:39 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/04/06 15:47:39 | 000,580,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/04/06 15:47:39 | 000,420,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2011/04/06 15:47:39 | 000,353,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/04/06 15:47:39 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/04/06 15:47:39 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2011/04/06 15:47:39 | 000,150,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2011/04/06 15:47:39 | 000,078,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2011/04/06 15:47:39 | 000,074,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011/04/06 15:47:39 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011/04/06 15:47:39 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011/04/06 15:47:38 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/04/06 15:47:38 | 001,797,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/04/06 15:47:38 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/04/06 15:47:38 | 000,227,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2011/04/06 15:47:38 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2011/04/06 15:47:38 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011/04/06 15:47:38 | 000,118,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/04/06 15:47:38 | 000,101,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2011/04/06 15:47:38 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2011/04/06 15:47:38 | 000,035,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2011/04/06 15:47:37 | 000,130,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2011/04/06 15:47:37 | 000,110,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\IEAdvpack.dll
[2011/04/06 15:47:37 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011/04/06 15:47:37 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2011/03/24 15:24:25 | 000,000,000 | ---D | C] -- C:\Users\Mitch's\Desktop\RW 6684
[2011/03/23 10:20:05 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2011/03/23 10:20:05 | 000,288,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll

========== Files - Modified Within 30 Days ==========

[2011/04/20 20:58:56 | 000,650,972 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/20 20:58:56 | 000,121,486 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/20 20:45:11 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/20 20:45:11 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/20 20:41:17 | 001,006,778 | ---- | M] () -- C:\Users\Mitch's\Desktop\iExplore (5).exe
[2011/04/20 20:36:07 | 000,000,000 | ---- | M] () -- C:\Users\Mitch's\Desktop\OTH_scr.8pr3k58.partial
[2011/04/20 20:36:02 | 000,000,000 | ---- | M] () -- C:\Users\Mitch's\Desktop\OTH_scr.xqjjzdb.partial
[2011/04/20 20:34:47 | 000,132,597 | ---- | M] () -- C:\Users\Mitch's\Desktop\Flash_Disinfector.exe
[2011/04/20 20:19:00 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/20 18:59:27 | 000,000,000 | ---- | M] () -- C:\Users\Mitch's\Desktop\OTH_scr.fyucxpe.partial
[2011/04/20 18:44:47 | 000,013,122 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\1ycw044f0ry3igk042b0613q
[2011/04/20 18:44:47 | 000,013,122 | -HS- | M] () -- C:\ProgramData\1ycw044f0ry3igk042b0613q
[2011/04/20 17:09:10 | 000,000,144 | ---- | M] () -- C:\Windows\System32\pdfl.dat
[2011/04/20 17:06:14 | 000,234,345 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\syw.exe
[2011/04/20 17:06:03 | 000,234,345 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\ukq.exe
[2011/04/20 17:06:02 | 000,234,345 | ---- | M] () -- C:\Users\Mitch's\Desktop\null0.9237901524667503.exe
[2011/04/20 16:54:39 | 000,000,000 | ---- | M] () -- C:\Users\Mitch's\Desktop\OTH_scr.25el343.partial
[2011/04/20 16:45:46 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/20 16:45:35 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2011/04/20 16:45:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/20 16:45:05 | 3150,487,552 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/19 20:29:16 | 001,006,778 | ---- | M] () -- C:\Users\Mitch's\Desktop\iExplore (4).exe
[2011/04/19 20:27:31 | 000,024,435 | ---- | M] () -- C:\Users\Mitch's\Desktop\rkillaaaaaaaaaaaa.htm
[2011/04/19 20:27:19 | 001,006,778 | ---- | M] () -- C:\Users\Mitch's\Desktop\iExplore (3).exe
[2011/04/19 20:26:13 | 001,006,778 | ---- | M] () -- C:\Users\Mitch's\Desktop\iExplore (1).exe
[2011/04/19 18:14:33 | 000,004,812 | ---- | M] () -- C:\Users\Mitch's\AppData\Roaming\wklnhst.dat
[2011/04/19 17:45:47 | 000,692,640 | ---- | M] (Enigma Software Group USA, LLC.) -- C:\Users\Mitch's\Desktop\SpyHunter-Installer.exe
[2011/04/19 14:51:09 | 001,006,778 | ---- | M] () -- C:\Users\Mitch's\Desktop\iExplore (2).exe
[2011/04/19 14:50:39 | 001,006,778 | ---- | M] () -- C:\Users\Mitch's\Desktop\rkill.exe
[2011/04/19 14:50:39 | 001,006,778 | ---- | M] () -- C:\Users\Mitch's\Desktop\rkill (1).exe
[2011/04/18 23:51:53 | 001,006,778 | ---- | M] () -- C:\Users\Mitch's\Desktop\iExplore.exe
[2011/04/18 23:51:26 | 001,006,778 | ---- | M] () -- C:\Users\Mitch's\Desktop\iExplore.exu (1).exe
[2011/04/18 23:36:43 | 001,006,778 | ---- | M] () -- C:\Users\Mitch's\Desktop\rkill.com
[2011/04/18 22:59:14 | 000,000,000 | ---- | M] () -- C:\Users\Mitch's\Desktop\mbam-setup_exe&product=29945.z67e0y8.partial
[2011/04/18 19:02:23 | 000,000,164 | ---- | M] () -- C:\Users\Mitch's\Desktop\HELP.url
[2011/04/18 15:57:54 | 000,568,696 | ---- | M] (Google Inc.) -- C:\Users\Mitch's\Desktop\ChromeSetup.exe
[2011/04/17 20:20:14 | 000,012,752 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\438o7362iiuj6587r
[2011/04/17 16:54:53 | 000,012,716 | -HS- | M] () -- C:\ProgramData\438o7362iiuj6587r
[2011/04/16 22:15:27 | 000,133,632 | ---- | M] () -- C:\Users\Mitch's\Desktop\New Crapolla.wps
[2011/04/16 19:33:06 | 000,009,522 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\535pa284a888f77r657skf74n7o6xr1778xf7psx5
[2011/04/16 19:33:06 | 000,009,522 | -HS- | M] () -- C:\ProgramData\535pa284a888f77r657skf74n7o6xr1778xf7psx5
[2011/04/08 23:22:46 | 000,096,768 | ---- | M] () -- C:\Users\Mitch's\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/08 19:32:20 | 281,935,054 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/04/07 15:12:46 | 000,000,945 | ---- | M] () -- C:\Users\Mitch's\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/04/06 15:47:51 | 000,008,798 | ---- | M] () -- C:\Windows\System32\icrav03.rat
[2011/04/06 15:47:51 | 000,001,988 | ---- | M] () -- C:\Windows\System32\ticrf.rat
[2011/04/06 15:47:42 | 000,162,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2011/04/06 15:47:42 | 000,161,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2011/04/06 15:47:42 | 000,065,024 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/04/06 15:47:41 | 000,176,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/04/06 15:47:41 | 000,086,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011/04/06 15:47:41 | 000,076,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2011/04/06 15:47:41 | 000,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2011/04/06 15:47:41 | 000,048,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2011/04/06 15:47:40 | 003,695,416 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2011/04/06 15:47:40 | 000,434,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2011/04/06 15:47:40 | 000,367,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/04/06 15:47:40 | 000,353,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2011/04/06 15:47:40 | 000,223,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2011/04/06 15:47:40 | 000,074,240 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011/04/06 15:47:39 | 001,427,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011/04/06 15:47:39 | 000,580,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/04/06 15:47:39 | 000,420,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2011/04/06 15:47:39 | 000,353,584 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/04/06 15:47:39 | 000,231,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2011/04/06 15:47:39 | 000,152,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2011/04/06 15:47:39 | 000,150,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2011/04/06 15:47:39 | 000,078,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2011/04/06 15:47:39 | 000,074,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011/04/06 15:47:39 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2011/04/06 15:47:39 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011/04/06 15:47:39 | 000,023,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011/04/06 15:47:38 | 002,382,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/04/06 15:47:38 | 001,797,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/04/06 15:47:38 | 000,716,800 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/04/06 15:47:38 | 000,227,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2011/04/06 15:47:38 | 000,163,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2011/04/06 15:47:38 | 000,142,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011/04/06 15:47:38 | 000,118,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/04/06 15:47:38 | 000,101,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2011/04/06 15:47:38 | 000,054,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2011/04/06 15:47:38 | 000,035,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2011/04/06 15:47:37 | 000,130,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2011/04/06 15:47:37 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\IEAdvpack.dll
[2011/04/06 15:47:37 | 000,041,472 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011/04/06 15:47:37 | 000,010,752 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe

========== Files Created - No Company Name ==========

[2011/04/20 20:41:11 | 001,006,778 | ---- | C] () -- C:\Users\Mitch's\Desktop\iExplore (5).exe
[2011/04/20 20:36:07 | 000,000,000 | ---- | C] () -- C:\Users\Mitch's\Desktop\OTH_scr.8pr3k58.partial
[2011/04/20 20:36:02 | 000,000,000 | ---- | C] () -- C:\Users\Mitch's\Desktop\OTH_scr.xqjjzdb.partial
[2011/04/20 20:34:47 | 000,132,597 | ---- | C] () -- C:\Users\Mitch's\Desktop\Flash_Disinfector.exe
[2011/04/20 18:59:27 | 000,000,000 | ---- | C] () -- C:\Users\Mitch's\Desktop\OTH_scr.fyucxpe.partial
[2011/04/20 17:08:16 | 000,013,122 | -HS- | C] () -- C:\Users\Mitch's\AppData\Local\1ycw044f0ry3igk042b0613q
[2011/04/20 17:08:16 | 000,013,122 | -HS- | C] () -- C:\ProgramData\1ycw044f0ry3igk042b0613q
[2011/04/20 17:06:14 | 000,234,345 | -HS- | C] () -- C:\Users\Mitch's\AppData\Local\syw.exe
[2011/04/20 17:06:03 | 000,234,345 | -HS- | C] () -- C:\Users\Mitch's\AppData\Local\ukq.exe
[2011/04/20 17:05:59 | 000,234,345 | ---- | C] () -- C:\Users\Mitch's\Desktop\null0.9237901524667503.exe
[2011/04/20 16:54:39 | 000,000,000 | ---- | C] () -- C:\Users\Mitch's\Desktop\OTH_scr.25el343.partial
[2011/04/19 20:29:15 | 001,006,778 | ---- | C] () -- C:\Users\Mitch's\Desktop\iExplore (4).exe
[2011/04/19 20:27:16 | 001,006,778 | ---- | C] () -- C:\Users\Mitch's\Desktop\iExplore (3).exe
[2011/04/19 20:26:11 | 001,006,778 | ---- | C] () -- C:\Users\Mitch's\Desktop\iExplore (1).exe
[2011/04/19 20:25:11 | 000,024,435 | ---- | C] () -- C:\Users\Mitch's\Desktop\rkillaaaaaaaaaaaa.htm
[2011/04/19 19:21:15 | 3150,487,552 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/19 14:51:00 | 001,006,778 | ---- | C] () -- C:\Users\Mitch's\Desktop\rkill (1).exe
[2011/04/19 14:48:48 | 001,006,778 | ---- | C] () -- C:\Users\Mitch's\Desktop\iExplore (2).exe
[2011/04/19 14:44:41 | 001,006,778 | ---- | C] () -- C:\Users\Mitch's\Desktop\rkill.exe
[2011/04/18 23:51:10 | 001,006,778 | ---- | C] () -- C:\Users\Mitch's\Desktop\iExplore.exu (1).exe
[2011/04/18 23:20:16 | 001,006,778 | ---- | C] () -- C:\Users\Mitch's\Desktop\iExplore.exe
[2011/04/18 23:19:26 | 001,006,778 | ---- | C] () -- C:\Users\Mitch's\Desktop\rkill.com
[2011/04/18 22:59:14 | 000,000,000 | ---- | C] () -- C:\Users\Mitch's\Desktop\mbam-setup_exe&product=29945.z67e0y8.partial
[2011/04/18 19:02:15 | 000,000,164 | ---- | C] () -- C:\Users\Mitch's\Desktop\HELP.url
[2011/04/17 16:51:07 | 000,012,752 | -HS- | C] () -- C:\Users\Mitch's\AppData\Local\438o7362iiuj6587r
[2011/04/17 16:51:07 | 000,012,716 | -HS- | C] () -- C:\ProgramData\438o7362iiuj6587r
[2011/04/16 18:28:38 | 000,009,522 | -HS- | C] () -- C:\Users\Mitch's\AppData\Local\535pa284a888f77r657skf74n7o6xr1778xf7psx5
[2011/04/16 18:28:38 | 000,009,522 | -HS- | C] () -- C:\ProgramData\535pa284a888f77r657skf74n7o6xr1778xf7psx5
[2011/04/06 15:47:39 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2011/02/23 20:06:14 | 000,000,108 | ---- | C] () -- C:\Windows\VSWizard.ini
[2010/03/04 22:30:57 | 000,032,061 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010/03/04 22:30:26 | 000,032,061 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2010/02/06 20:46:11 | 000,000,162 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/01/11 20:34:02 | 008,892,928 | ---- | C] () -- C:\ProgramData\atscie.msi
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/21 06:53:40 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/07/21 06:53:40 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/03/14 20:53:51 | 000,000,144 | ---- | C] () -- C:\Windows\System32\pdfl.dat
[2009/03/14 20:53:51 | 000,000,144 | ---- | C] () -- C:\Windows\System32\lkfl.dat
[2009/03/14 20:53:51 | 000,000,080 | ---- | C] () -- C:\Windows\System32\ibfl.dat
[2008/10/08 16:05:06 | 000,010,752 | ---- | C] () -- C:\Windows\System32\rcmirror.dll
[2008/09/06 19:04:35 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/05/18 13:30:16 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2008/05/03 18:14:17 | 000,001,356 | ---- | C] () -- C:\Users\Mitch's\AppData\Local\d3d9caps.dat
[2008/01/14 16:47:06 | 000,099,712 | ---- | C] () -- C:\Windows\HPBroker.dll
[2008/01/01 08:25:48 | 000,004,812 | ---- | C] () -- C:\Users\Mitch's\AppData\Roaming\wklnhst.dat
[2007/08/02 06:10:32 | 000,004,984 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2007/07/30 16:40:57 | 000,096,768 | ---- | C] () -- C:\Users\Mitch's\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/13 19:20:37 | 000,000,443 | ---- | C] () -- C:\Windows\QUICKEN.INI
[2007/07/13 19:20:35 | 000,006,838 | ---- | C] () -- C:\Windows\ICOADB32.DAT
[2007/07/13 19:20:35 | 000,000,052 | ---- | C] () -- C:\Windows\intuprof.ini
[2007/04/25 12:01:04 | 000,103,521 | ---- | C] () -- C:\Windows\hpqins13.dat
[2007/04/25 11:43:21 | 000,061,440 | ---- | C] () -- C:\Windows\System32\OsdRemove.exe
[2007/04/25 11:39:48 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom24.dll
[2007/04/25 11:39:48 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes24.dll
[2007/03/06 01:47:24 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2007/01/12 07:07:48 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2007/01/12 07:07:48 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/11/02 05:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 05:47:37 | 000,434,616 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:33:01 | 000,650,972 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 03:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 03:33:01 | 000,121,486 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 03:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 03:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 01:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 01:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 00:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2005/08/26 14:28:34 | 000,143,360 | ---- | C] () -- C:\Windows\unzip.exe
[2005/08/26 14:28:20 | 000,024,576 | ---- | C] () -- C:\Windows\shortcut.exe
[2005/08/26 14:27:58 | 000,045,056 | ---- | C] () -- C:\Windows\devenum.exe

< End of report >
_________________________
OTL Extras logfile created on: 4/20/2011 9:00:25 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = F:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 363.82 Gb Total Space | 184.19 Gb Free Space | 50.63% Space Free | Partition Type: NTFS
Drive D: | 8.79 Gb Total Space | 0.72 Gb Free Space | 8.18% Space Free | Partition Type: NTFS
Drive F: | 250.10 Mb Total Space | 249.16 Mb Free Space | 99.63% Space Free | Partition Type: FAT

Computer Name: MITCHS-PC | User Name: Mitch's | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 1
"InternetSettingsDisableNotify" = 1
"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 1
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- (EarthLink, Inc.)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0B8DD758-55A9-428F-920D-11C6CB6A808B}" = lport=445 | protocol=6 | dir=in | app=system |
"{10F8DBDF-68F9-4F73-B28C-1590E7FF47DB}" = rport=137 | protocol=17 | dir=out | app=system |
"{14041FBE-12C6-40B0-9F2D-71F45CF0F484}" = lport=139 | protocol=6 | dir=in | app=system |
"{180AA354-1AB9-4D77-AC0C-29D61A503EFF}" = lport=137 | protocol=17 | dir=in | app=system |
"{19464201-7CF8-41C6-8A6B-A335F550D254}" = rport=445 | protocol=6 | dir=out | app=system |
"{2822F513-9C9B-4868-8FB3-798520650EB4}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{295E0715-19A8-46EF-8CFF-8B06E92EF0F4}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{513DF926-C43F-4515-89A5-94AD10961048}" = rport=139 | protocol=6 | dir=out | app=system |
"{6DACE375-C2FD-4D1D-92E8-4E56BAD8F638}" = lport=138 | protocol=17 | dir=in | app=system |
"{7769D1CA-ADA1-4CF7-951F-DE3FE98D5023}" = rport=138 | protocol=17 | dir=out | app=system |
"{A04A0649-C6D6-45E8-BDB8-3FF89F71DEDF}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01DE4B25-B122-49C7-932A-AA436512E713}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{02B6FE84-B4DA-4E48-BD83-408088A2F1B9}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{0B02C3C8-21F9-41E0-90CC-8328B951B3AB}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{186BE228-21D8-48D2-B76C-AADD798B9C57}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{1927F6A5-3631-439D-80DD-3F97C11CD396}" = protocol=6 | dir=in | app=c:\windows\system32\zonelabs\vsmon.exe |
"{28DDCB92-AF61-4817-8609-29446E07546B}" = protocol=6 | dir=in | app=c:\program files\common files\pure networks shared\platform\nmsrvc.exe |
"{3115EBBB-9D3A-4DFB-ACD3-CCE1B4821873}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{35C5308C-DB4A-408D-9431-8A41CA109EC7}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{38C7D160-E8EB-4303-8135-68D229C0B369}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{64B29A1A-C071-424D-A057-5D7094C11F09}" = protocol=17 | dir=in | app=c:\windows\system32\zonelabs\vsmon.exe |
"{78926337-613C-4514-98E1-4F2E18B1D2FC}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{8B077D5C-E878-46A7-9BE8-1A0EA22C466B}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{96308A21-3918-420D-938A-EF2F0D66AB87}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{A2FB0875-9FFD-46B7-A1B8-1FBC87DBDFF4}" = protocol=6 | dir=in | app=c:\windows\system32\zonelabs\vsmon.exe |
"{A456C8BB-7DD2-419E-9B1E-4091DD7A9197}" = protocol=17 | dir=in | app=c:\windows\system32\zonelabs\vsmon.exe |
"{B351C3CE-FCF7-4046-9D3D-10947E8817D2}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{B50EE169-B58B-4C45-9914-680E11F4FCEC}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{BF1A2201-5736-4DDB-973C-F39C8A3970B8}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{CA20AA4D-C568-450F-8BF6-B8CA532082BB}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |
"{D074F0A6-378D-4002-A7DF-4E76B5749E73}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{D196246B-8295-487E-9D7F-90358511C98B}" = protocol=17 | dir=in | app=c:\program files\common files\pure networks shared\platform\nmsrvc.exe |
"{DB8BB92F-8212-4CD6-A836-DAE52315D488}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{F62F5D7D-9A72-446B-86A5-CC702DA548D7}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{FCE80C04-E91C-420B-8226-3E5EB64C6484}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{05AB8EF0-F783-11DF-83AC-001279CD8240}" = Google Earth Plug-in
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0B1AAC97-8563-41D9-AE47-58E6A222F0E1}" = Search Settings 1.2.1
"{0CFD3BAF-9F4D-4D70-BD0B-638EA2504C25}" = PSSWCORE
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}" = Roxio Creator EasyArchive
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{16B6279B-9FF5-41fb-8BF9-404324F5DD1F}}_is1" = Media Access Startup
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime
"{1D975A5E-1126-4F46-A423-41781934A63E}" = JuicyAccess Toolbar
"{1FB52AB3-5987-45a2-85E0-F3EC30DDDC29}}_is1" = Internet Saving Optimizer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 13
"{2990BC81-3B19-4E53-A53E-30DE3F1BFFA8}" = HP Total Care Advisor
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{3215EBED-1D06-42fb-A05C-A752A46FB24C}" = Canon MP530
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Roxio Activation Module
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{4EF6FDB0-3B11-4820-9860-8E08E9965195}" = Snapfish Media Detector
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In
"{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}" = iTunes
"{61128AC7-BD78-4D62-A114-2EF23856F558}" = Music Transfer Utility Ver.2
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6AF49698-949A-4C89-9B31-041D2CCB5FBD}" = muvee autoProducer 6.0
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{75E71ADD-042C-4F30-BFAC-A9EC42351313}" = Python 2.4.3
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AC0886A-CE48-4EB6-9CC3-4C56D427F2E1}" = Cisco Network Magic
"{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90}" = WebEx Support Manager for Internet Explorer
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{8CEA85DE-955B-4BF4-87F2-0BAA62821633}" = HP Photosmart Essential2.5
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ULTIMATER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_VISPROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ULTIMATER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_VISPROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ULTIMATER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007
"{90120000-0054-0409-0000-0000000FF1CE}_VISPROR_{519D9F45-CBF4-4E57-B419-11F196CCA8AE}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_VISPROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_VISPROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-002E-0000-0000-0000000FF1CE}" = Microsoft Office Ultimate 2007
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{91120000-0051-0000-0000-0000000FF1CE}_VISPROR_{0FD405D3-CAF8-4CA6-8BFD-911D2F8A6585}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{91120000-0051-0000-0000-0000000FF1CE}_VISPROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{938B1CD7-7C60-491E-AA90-1F1888168240}" = Roxio MyDVD Basic v9
"{94C3BB3A-56A1-43DE-A242-8B41F46E97EF}" = Dealio Toolbar v4.0
"{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
"{9DBA770F-BF73-4D39-B1DF-6035D95268FC}" = HP Customer Feedback
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.5
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{B674F947-56D6-4793-B465-7D7C87E04D0C}" = ImageMixer 3 SE Ver.5 Video Tools
"{C5096216-7703-409E-B85A-8A6EE7395128}}_is1" = System Search Dispatcher
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{DCF9A8CC-6EB4-156B-7E67-BABDACF9218D}" = Family Feud
"{DFE492C4-A9F5-413E-A2CC-6F5F3ACC229F}" = ImageMixer 3 SE Ver.5 Transfer Utility
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{FC467B61-F890-4E29-8585-365DAB66F13E}" = Pure Networks Platform
"AT&T Self Support Tool" = AT&T Self Support Tool
"ATT-PRT22" = ATT-PRT22
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Soft Data Fax Modem with SmartCP
"DAO 3.5" = DAO 3.5
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Fighter Ace II 1.00" = Microsoft Fighter Ace II
"Flight Simulator 8.0" = Microsoft Flight Simulator 2002
"HP Photosmart Essential" = HP Photosmart Essential 2.0
"IE Custom Tools" = IE Custom Tools
"IE Safety Features" = IE Safety Features
"Information Center" = Information Center
"JuicyAccess Toolbar" = JuicyAccess Toolbar
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MP Navigator 2.2" = Canon MP Navigator 2.2
"MyCamera" = Canon Utilities MyCamera
"NBC Sports" = NBC Sports
"Network MagicUninstall" = Network Magic
"NVIDIA Drivers" = NVIDIA Drivers
"OsdMaestro" = HP On-Screen Cap/Num/Scroll Lock Indicator
"PC-Doctor 5 for Windows" = Hardware Diagnostic Tools
"Quicken Basic 2000" = Quicken Basic 2000
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"Rhapsody" = Rhapsody
"ULTIMATER" = Microsoft Office Ultimate 2007
"VISPROR" = Microsoft Office Visio Professional 2007
"WildTangent hpdesktop Master Uninstall" = My HP Games
"ZoneAlarm Extreme Security" = ZoneAlarm Extreme Security
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

Edited by chiselchest, 21 April 2011 - 01:34 AM.


#6 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:34 AM

Posted 21 April 2011 - 02:05 AM

OK, using a clean PC, I was able to run OTL but couldn't select custom scan "scan.txt", as message stated it couldn't be opened? So I ran "run scan", and "quick scan". It still won't allow me to select scan.txt when double clicking on the custom box, then selecting "scan.txt"...

The scan.txt wasn't needed. My mistake; I should have taken that out of my post.

Let's see if we can make some progress here then.


From your clean computer do this


Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

:OTL
O2 - BHO: (Dealio Toolbar) - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll (Spigot, Inc.)
O2 - BHO: (Media Access Startup) - {25B8D58C-B0CB-46b0-BA64-05B3804E4E86} - File not found
O2 - BHO: (NP Helper Class) - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll ()
O2 - BHO: (no name) - {67956585-9B5C-4E2B-ABE1-A01BF3046EE1} - No CLSID value found.
O2 - BHO: (System Search Dispatcher) - {CDBFB47B-58A8-4111-BF95-06178DCE326D} - File not found
O2 - BHO: (SearchSettings Class) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (Dealio Toolbar) - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (JuicyAccess Toolbar) - {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - C:\Program Files\DoubleD\JuicyAccess Toolbar\4.1.0.17730\stb0.dll ()
O3 - HKLM\..\Toolbar: (IE Custom Tools) - {8113B5DE-F7EB-4154-A311-497FB80D8BD0} - File not found
O3 - HKCU\..\Toolbar\WebBrowser: (IE Custom Tools) - {8113B5DE-F7EB-4154-A311-497FB80D8BD0} - File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe (Spigot, Inc.)
O4 - HKCU..\Run: [MRC] File not found
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.179,93.188.160.239
[2011/04/20 20:36:07 | 000,000,000 | ---- | M] () -- C:\Users\Mitch's\Desktop\OTH_scr.8pr3k58.partial
[2011/04/20 20:36:02 | 000,000,000 | ---- | M] () -- C:\Users\Mitch's\Desktop\OTH_scr.xqjjzdb.partial
[2011/04/20 18:59:27 | 000,000,000 | ---- | M] () -- C:\Users\Mitch's\Desktop\OTH_scr.fyucxpe.partial
[2011/04/20 18:44:47 | 000,013,122 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\1ycw044f0ry3igk042b0613q
[2011/04/20 18:44:47 | 000,013,122 | -HS- | M] () -- C:\ProgramData\1ycw044f0ry3igk042b0613q
[2011/04/20 17:06:14 | 000,234,345 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\syw.exe
[2011/04/20 17:06:03 | 000,234,345 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\ukq.exe
[2011/04/20 17:06:02 | 000,234,345 | ---- | M] () -- C:\Users\Mitch's\Desktop\null0.9237901524667503.exe
[2011/04/20 16:54:39 | 000,000,000 | ---- | M] () -- C:\Users\Mitch's\Desktop\OTH_scr.25el343.partial
[2011/04/17 20:20:14 | 000,012,752 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\438o7362iiuj6587r
[2011/04/17 16:54:53 | 000,012,716 | -HS- | M] () -- C:\ProgramData\438o7362iiuj6587r
[2011/04/16 19:33:06 | 000,009,522 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\535pa284a888f77r657skf74n7o6xr1778xf7psx5
[2011/04/16 19:33:06 | 000,009,522 | -HS- | M] () -- C:\ProgramData\535pa284a888f77r657skf74n7o6xr1778xf7psx5
[2011/04/18 22:59:14 | 000,000,000 | ---- | C] () -- C:\Users\Mitch's\Desktop\mbam-setup_exe&product=29945.z67e0y8.partial
:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify"=-
"InternetSettingsDisableNotify"=-
"AutoUpdateDisableNotify"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride"=DWORD:0
"FirewallOverride"=DWORD:0
:Commands
[purity]
[emptytemp]
[emptyflash]

Save it to your flashdrive as File name: Scan.txt
Save as type: All Files


Move the flashdrive to the infected computer



Start OTH as you did previously and click Kill All Processes; your desktop will go blank.


Then select Start OTL. OTL will now run.

  • Double-click on the Custom Scans box and a message box will popup asking if you want to load a custom scan from a file
    Select Scan.txt that you saved to your flashdrive
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL fixlog


Note!
The log file is located in this folder, in case it does not show up. (It will be named like this: MMDDYYYY_hhmmss.log)

C:\_OTL\Moved Files



If needed, transfer it to your clean computer to post it.




Did you get your desktop back?

Edited by heir, 21 April 2011 - 02:06 AM.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image
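To show why entries like the ones in the fix above end up on a responder's list, here is an added Python triage script; it is not part of heir's post or of the OTL tool itself. It reads OTL scan lines of the kinds quoted in this thread and flags the ones to look at first: a non-default exefile open handler (O35), a static NameServer (O17), policy-key autoruns and notification suppression (O6/O7), and hidden+system files with no publisher in user-writable folders. The sample log is constructed from lines quoted in this thread, and the path and attribute heuristics are this example's own assumptions, not OTL rules.

```python
import re
from collections import Counter

# Constructed sample: OTL scan entries modelled on the ones posted in this thread
# (not a live log). Raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r"""
O2 - BHO: (NP Helper Class) - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll ()
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: some = C:\Program Files\Video Add-on\icthis.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.179,93.188.160.239
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 68.94.157.1
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "C:\Users\Mitch's\AppData\Local\etw.exe" -a "%1" %*
[2011/04/20 17:06:14 | 000,234,345 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\syw.exe
[2011/04/20 18:44:47 | 000,013,122 | -HS- | M] () -- C:\ProgramData\1ycw044f0ry3igk042b0613q
"""

DEFAULT_OPEN_CMD = '"%1" %*'  # what shell\open\command for exefile/comfile normally is

O35_RE = re.compile(r'^O35 - (HKLM|HKCU)\\\.\.(\w+) \[open\] -- (.*)$')
FILE_RE = re.compile(r'^\[([^|]+) \| ([\d,]+) \| (\S{4}) \| ([MC])\] \((.*?)\) -- (.*)$')
ITEM_RE = re.compile(r'^(O\d+) - (.*)$')


def classify(line):
    """Return (verdict, reason) for one OTL line, or None for a blank line.
    verdict is 'flag' (fix candidate), 'review' (look closer) or 'ok'."""
    line = line.strip()
    if not line:
        return None

    m = O35_RE.match(line)
    if m:  # file-type open handler: anything but the default wraps every program launch
        hive, ftype, cmd = m.groups()
        if cmd == DEFAULT_OPEN_CMD:
            return ("ok", f"{ftype} open handler is the default")
        return ("flag", f"{hive} {ftype} open handler hijacked, launches go through {cmd}")

    m = FILE_RE.match(line)
    if m:  # file entry: [date | size | attrs | M/C] (publisher) -- path
        _date, _size, attrs, _mc, publisher, path = m.groups()
        low = path.lower()
        # heuristic assumed by this example: user-writable locations malware favours
        user_writable = "\\appdata\\local\\" in low or low.startswith("c:\\programdata\\")
        if "H" in attrs and "S" in attrs and user_writable and not publisher:
            return ("flag", "hidden+system file without publisher in a user-writable location: " + path)
        return ("ok", "file entry")

    m = ITEM_RE.match(line)
    if not m:
        return ("ok", "line type not inspected")
    kind, rest = m.groups()

    if kind == "O17":  # TCP/IP nameserver settings
        name, _, servers = rest.partition(": ")[2].partition(" = ")
        if name == "NameServer" and servers:
            return ("flag", "static DNS servers override the DHCP-assigned ones: " + servers)
        return ("ok", "DHCP-assigned DNS")

    if kind in ("O6", "O7"):  # policy keys
        key, _, setting = rest.partition(": ")
        if "policies\\explorer\\run" in key.lower():
            return ("flag", "program started at logon through a policy Run key: " + setting)
        if setting.startswith("ConsentPromptBehaviorAdmin = 0"):
            return ("flag", "UAC elevation prompts for administrators turned off")
        if setting.startswith("HideSCAHealth = 1"):
            return ("flag", "Security Center health icon hidden from the tray")
        return ("review", "policy setting: " + setting)

    if kind in ("O2", "O3", "O4"):  # BHOs, toolbars, Run entries
        if rest.endswith("File not found"):
            return ("review", "orphaned entry, file is gone but the registry still points at it")
        if rest.endswith("()"):
            return ("review", "file carries no publisher name in its version info")
        return ("ok", "publisher present")

    return ("ok", "line type not inspected")


def triage(log_text):
    """Classify every line of an OTL log; returns [(verdict, reason, line), ...]."""
    out = []
    for raw in log_text.splitlines():
        result = classify(raw)
        if result:
            out.append((result[0], result[1], raw.strip()))
    return out


def summarise(results):
    """Count verdicts, e.g. Counter({'flag': 7, 'ok': 4, 'review': 2})."""
    return Counter(v for v, _, _ in results)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for verdict, reason, line in results:
        if verdict != "ok":
            print(f"[{verdict.upper():6}] {reason}")
            print(f"         {line}")
    print(dict(summarise(results)))
```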


#7 chiselchest

chiselchest
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 21 April 2011 - 02:20 AM

Thanks so much for your time & help!

I will do this when I get access to a clean PC tomorrow. I will post the results!

Yes, my desktop is OK.

Thanks again!

#8 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:34 AM

Posted 21 April 2011 - 02:34 AM

Yes, my desktop is OK.


If it is, you shouldn't be needing the clean computer.

Do it from your infected computer.

Edited by heir, 21 April 2011 - 02:34 AM.



#9 chiselchest

chiselchest
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 22 April 2011 - 12:46 AM

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}\ not found.
File C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25B8D58C-B0CB-46b0-BA64-05B3804E4E86}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25B8D58C-B0CB-46b0-BA64-05B3804E4E86}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35B8D58C-B0CB-46b0-BA64-05B3804E4E86}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35B8D58C-B0CB-46b0-BA64-05B3804E4E86}\ not found.
File C:\Program Files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67956585-9B5C-4E2B-ABE1-A01BF3046EE1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67956585-9B5C-4E2B-ABE1-A01BF3046EE1}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\ not found.
File C:\Program Files\Search Settings\kb128\SearchSettings.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}\ not found.
File C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{5617ECA9-488D-4BA2-8562-9710B9AB78D2} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\ not found.
File C:\Program Files\DoubleD\JuicyAccess Toolbar\4.1.0.17730\stb0.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{8113B5DE-F7EB-4154-A311-497FB80D8BD0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8113B5DE-F7EB-4154-A311-497FB80D8BD0}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8113B5DE-F7EB-4154-A311-497FB80D8BD0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8113B5DE-F7EB-4154-A311-497FB80D8BD0}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SearchSettings not found.
File C:\Program Files\Search Settings\SearchSettings.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\MRC not found.
Starting removal of ActiveX control {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer| /E : value set successfully!
File C:\Users\Mitch's\Desktop\OTH_scr.8pr3k58.partial not found.
File C:\Users\Mitch's\Desktop\OTH_scr.xqjjzdb.partial not found.
File C:\Users\Mitch's\Desktop\OTH_scr.fyucxpe.partial not found.
File C:\Users\Mitch's\AppData\Local\1ycw044f0ry3igk042b0613q not found.
File C:\ProgramData\1ycw044f0ry3igk042b0613q not found.
File C:\Users\Mitch's\AppData\Local\syw.exe not found.
File C:\Users\Mitch's\AppData\Local\ukq.exe not found.
File C:\Users\Mitch's\Desktop\null0.9237901524667503.exe not found.
File C:\Users\Mitch's\Desktop\OTH_scr.25el343.partial not found.
File C:\Users\Mitch's\AppData\Local\438o7362iiuj6587r not found.
File C:\ProgramData\438o7362iiuj6587r not found.
File C:\Users\Mitch's\AppData\Local\535pa284a888f77r657skf74n7o6xr1778xf7psx5 not found.
File C:\ProgramData\535pa284a888f77r657skf74n7o6xr1778xf7psx5 not found.
File C:\Users\Mitch's\Desktop\mbam-setup_exe&product=29945.z67e0y8.partial not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UacDisableNotify not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\InternetSettingsDisableNotify not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AutoUpdateDisableNotify not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\\DisableMonitoring not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\\DisableMonitoring not found.
Unable to set value : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\"AntiVirusOverride"|DWORD:0 /E!
Unable to set value : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\"FirewallOverride"|DWORD:0 /E!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mitch's
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1678614 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Mitch's
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04212011_223722

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\WebEx\Log\421\atashost.log scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#10 chiselchest

chiselchest
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 22 April 2011 - 12:48 AM

It's worse: pop-ups, and it keeps closing even this website.

Edited by chiselchest, 22 April 2011 - 12:49 AM.


#11 chiselchest

chiselchest
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:34 PM

Posted 22 April 2011 - 12:51 AM

Edited later: Sorry for making multiple posts; I was being knocked off after several seconds when trying to edit a post, so I tried replying and got a hit. Below is my edited post while in "safe mode w/networking"...
__________________

I'm in "safe mode w/networking" now, seems to be able to hold a website.

Everything I try to open produces the following message:

"Windows cannot access the specific device, paths or files. You may not have appropriate permission to access the items"

I ran OTH 3 times (using custom scan "scan.txt"); the first time my PC locked up (I let it stand for over an hour), then I had to do a hard boot. No improvement.

Re-ran again as instructed, and got the "reboot" button, selected it, and the problems persisted, even worse. Ran again with same outcome.

The only log I could find for the (latest) date/time run was the one posted above. If earlier logs can help, please indicate and I will post them.

The other file was empty.

I'm currently having the worst of my worst problems. File exts seem fouled, websites redirect (in normal boot), and it will not stay on any website, including BleepingComputer.com. It stays (normal boot) on this website for maybe a few seconds, enough to make a VERY quick post, then displays the "IE cannot access the desired website" page.

Hitting the favorites again reloads the website, but it times out again after several seconds. But now "safe mode w/networking" seems to allow me to make this post. No problems now for several minutes...?

I have run my Zone Alarm internet security suite MANY times (deep scan), in normal boot and safe mode. The last couple of times it says it found a trojan virus, but the problem remains, worse...

If you have suggestions, I would be extremely grateful...

THANKS!

PS Malware pop-up even appeared AFTER killing all processes via the OTH software?

PSS Could I load the malware protection/scan program on a safe PC via flash, and run it here?

PSSS One time when I ran OTH "Kill Processes", a pop-up appeared! It morphed into something like "Vista Internet Security 2011", vs. the original format of "Vista Security 2011". Hope that helps..?

Edited by chiselchest, 22 April 2011 - 01:56 AM.


#12 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:34 AM

Posted 22 April 2011 - 05:51 AM

PSS Could I load the malware protection/scan program on a safe PC via flash, and run it here?

Yes, you need to do this on your clean computer though.


Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Use the flashdrive to transfer the files.
To do this, remember to read the entire post and plan: download all the tools that are needed for a post, then go ahead with the steps, saving the logs onto the flashdrive.



The only log I could find for the (latest) date/time ran, was the one posted above. If earlier logs can help, please indicate and I will pist them.

I need to see the first log. It should be located in C:\_OTL\MovedFiles. Please post the content of the oldest log in that folder.

Step 1.
OTL-scan:


Double-click the OTH file to run it and click Kill All Processes; your desktop will go blank.


Then select Start OTL. OTL will now run.

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a Notepad window, OTL.Txt, that's saved in the same location as OTL.

Step 2.
Rogue Killer:

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

Step 3.
Things I would like to see in your reply:

  • The content of the first fixlog from OTL as described in the top of this post.
  • The content of OTL.txt from step 1.
  • The content of RKreport.txt from step 2.



#13 chiselchest

chiselchest
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 23 April 2011 - 08:10 AM

  • The content of the first fixlog from OTL as described in the top of this post.
  • The content of OTL.txt from step 1.
  • The content of RKreport.txt from step 2.


The "Quick Scan" Log

OTL logfile created on: 4/23/2011 5:40:09 AM - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = F:\
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 66.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 363.82 Gb Total Space | 187.00 Gb Free Space | 51.40% Space Free | Partition Type: NTFS
Drive D: | 8.79 Gb Total Space | 0.72 Gb Free Space | 8.18% Space Free | Partition Type: NTFS
Drive F: | 250.10 Mb Total Space | 236.55 Mb Free Space | 94.58% Space Free | Partition Type: FAT

Computer Name: MITCHS-PC | User Name: Mitch's | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/20 20:51:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- F:\OTL.scr
PRC - [2011/04/20 20:50:44 | 000,258,560 | ---- | M] (OldTimer Tools) -- F:\OTH.scr
PRC - [2010/07/20 22:24:38 | 002,434,568 | ---- | M] (Check Point Software Technologies LTD) -- C:\Windows\System32\ZoneLabs\vsmon.exe
PRC - [2010/06/15 04:09:48 | 000,493,032 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2009/07/07 14:48:44 | 000,647,216 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2009/03/06 13:59:12 | 000,020,376 | ---- | M] (WebEx Communications, Inc.) -- C:\Windows\System32\atashost.exe
PRC - [2009/02/20 10:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe


========== Modules (SafeList) ==========

MOD - [2011/04/20 20:51:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- F:\OTL.scr
MOD - [2010/08/31 08:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (iPod Service)
SRV - [2010/07/20 22:24:38 | 002,434,568 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Windows\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2010/06/15 04:09:48 | 000,493,032 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV - [2009/07/07 14:48:44 | 000,647,216 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2009/03/06 13:59:12 | 000,020,376 | ---- | M] (WebEx Communications, Inc.) [Auto | Running] -- C:\Windows\System32\atashost.exe -- (atashost)
SRV - [2009/02/20 10:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)


========== Driver Services (SafeList) ==========

DRV - [2010/06/15 04:09:40 | 000,035,568 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand | Stopped] -- C:\Program Files\CheckPoint\ZAForceField\AK\icsak.sys -- (icsak)
DRV - [2010/06/15 04:09:40 | 000,026,352 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2010/06/09 20:16:08 | 000,462,424 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\Windows\System32\drivers\vsdatant.sys -- (vsdatant)
DRV - [2009/10/12 19:15:28 | 000,305,168 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\Windows\System32\drivers\klif.sys -- (KLIF)
DRV - [2009/10/12 19:15:26 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\System32\drivers\kl1.sys -- (kl1)
DRV - [2009/08/14 06:45:24 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/08/14 06:45:24 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2009/07/07 14:48:44 | 000,027,696 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\purendis.sys -- (purendis)
DRV - [2008/10/08 16:05:16 | 000,003,328 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rcmirror.sys -- (rcmirror)
DRV - [2008/08/01 20:51:14 | 001,052,704 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/05/22 21:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/05/08 05:05:18 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2008/05/08 05:03:18 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2007/10/18 07:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/03/19 06:58:50 | 000,101,672 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2005/12/12 10:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PS2.sys -- (Ps2)
DRV - [1999/08/12 06:59:08 | 000,034,916 | ---- | M] (Marimba, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\MrtRate.sys -- (mrtRate)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default Download Directory = C:\Users\Mitch's\Desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2011/03/16 18:11:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2224E955-00E9-4613-A844-CE69FCCAAE91}: C:\Program Files\Internet Saving Optimizer\3.4.0.4340\FF [2009/07/09 19:39:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{0BA0192D-94A5-45e3-B2B8-3EC5A1A0B5EC}: C:\Program Files\Media Access Startup\1.3.0.790\FF [2009/07/09 19:40:01 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/09/18 14:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ZoneAlarm Toolbar Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar2.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: some = C:\Program Files\Video Add-on\icthis.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O13 - gopher Prefix: missing
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} https://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab (EPUImageControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 68.94.157.1
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Mitch's\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Mitch's\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/25 12:12:32 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{832d44db-a855-11dc-8b3a-001bb9755a2a}\Shell\AutoRun\command - "" = F:\JDSecure\Windows\JDSecure31.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "C:\Users\Mitch's\AppData\Local\etw.exe" -a "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/22 00:15:50 | 000,000,000 | ---D | C] -- C:\Program Files\SonicWallES
[2011/04/22 00:05:15 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2011/04/17 18:17:55 | 000,692,640 | ---- | C] (Enigma Software Group USA, LLC.) -- C:\Users\Mitch's\Desktop\SpyHunter-Installer.exe
[2011/03/24 15:24:25 | 000,000,000 | ---D | C] -- C:\Users\Mitch's\Desktop\RW 6684

========== Files - Modified Within 30 Days ==========

[2011/04/23 05:32:43 | 000,650,972 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/23 05:32:43 | 000,121,486 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/23 05:25:21 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2011/04/23 05:25:12 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/23 05:25:02 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/23 05:25:02 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/23 05:24:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/23 05:24:52 | 3152,535,552 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/22 00:10:28 | 000,000,144 | ---- | M] () -- C:\Windows\System32\pdfl.dat
[2011/04/21 23:36:21 | 000,012,924 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\qc8405353sd701s5336o0p
[2011/04/21 23:36:21 | 000,012,924 | -HS- | M] () -- C:\ProgramData\qc8405353sd701s5336o0p
[2011/04/21 22:19:02 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/20 21:35:54 | 000,000,000 | ---- | M] () -- C:\Users\Mitch's\Desktop\mbam-setup_exe&product=29945.np37nwd.partial
[2011/04/20 20:34:47 | 000,132,597 | ---- | M] () -- C:\Users\Mitch's\Desktop\Flash_Disinfector.exe
[2011/04/19 20:27:31 | 000,024,435 | ---- | M] () -- C:\Users\Mitch's\Desktop\rkillaaaaaaaaaaaa.htm
[2011/04/19 18:14:33 | 000,004,812 | ---- | M] () -- C:\Users\Mitch's\AppData\Roaming\wklnhst.dat
[2011/04/19 17:45:47 | 000,692,640 | ---- | M] (Enigma Software Group USA, LLC.) -- C:\Users\Mitch's\Desktop\SpyHunter-Installer.exe
[2011/04/18 23:36:43 | 001,006,778 | ---- | M] () -- C:\Users\Mitch's\Desktop\rkill.com
[2011/04/18 19:02:23 | 000,000,164 | ---- | M] () -- C:\Users\Mitch's\Desktop\HELP.url
[2011/04/16 22:15:27 | 000,133,632 | ---- | M] () -- C:\Users\Mitch's\Desktop\New Crapolla.wps
[2011/04/08 23:22:46 | 000,096,768 | ---- | M] () -- C:\Users\Mitch's\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/08 19:32:20 | 281,935,054 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/04/07 15:12:46 | 000,000,945 | ---- | M] () -- C:\Users\Mitch's\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/04/06 15:47:51 | 000,008,798 | ---- | M] () -- C:\Windows\System32\icrav03.rat
[2011/04/06 15:47:51 | 000,001,988 | ---- | M] () -- C:\Windows\System32\ticrf.rat
[2011/04/06 15:47:39 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf

========== Files Created - No Company Name ==========

[2011/04/23 05:24:52 | 3152,535,552 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/21 18:24:46 | 000,012,924 | -HS- | C] () -- C:\Users\Mitch's\AppData\Local\qc8405353sd701s5336o0p
[2011/04/21 18:24:46 | 000,012,924 | -HS- | C] () -- C:\ProgramData\qc8405353sd701s5336o0p
[2011/04/20 21:35:54 | 000,000,000 | ---- | C] () -- C:\Users\Mitch's\Desktop\mbam-setup_exe&product=29945.np37nwd.partial
[2011/04/20 20:34:47 | 000,132,597 | ---- | C] () -- C:\Users\Mitch's\Desktop\Flash_Disinfector.exe
[2011/04/19 20:25:11 | 000,024,435 | ---- | C] () -- C:\Users\Mitch's\Desktop\rkillaaaaaaaaaaaa.htm
[2011/04/18 23:19:26 | 001,006,778 | ---- | C] () -- C:\Users\Mitch's\Desktop\rkill.com
[2011/04/18 19:02:15 | 000,000,164 | ---- | C] () -- C:\Users\Mitch's\Desktop\HELP.url
[2011/04/06 15:47:39 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2011/02/23 20:06:14 | 000,000,108 | ---- | C] () -- C:\Windows\VSWizard.ini
[2010/03/04 22:30:57 | 000,032,061 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010/03/04 22:30:26 | 000,032,061 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2010/02/06 20:46:11 | 000,000,162 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/01/11 20:34:02 | 008,892,928 | ---- | C] () -- C:\ProgramData\atscie.msi
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/21 06:53:40 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/07/21 06:53:40 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/03/14 20:53:51 | 000,000,144 | ---- | C] () -- C:\Windows\System32\pdfl.dat
[2009/03/14 20:53:51 | 000,000,144 | ---- | C] () -- C:\Windows\System32\lkfl.dat
[2009/03/14 20:53:51 | 000,000,080 | ---- | C] () -- C:\Windows\System32\ibfl.dat
[2008/10/08 16:05:06 | 000,010,752 | ---- | C] () -- C:\Windows\System32\rcmirror.dll
[2008/09/06 19:04:35 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/05/18 13:30:16 | 000,000,118 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2008/05/03 18:14:17 | 000,001,356 | ---- | C] () -- C:\Users\Mitch's\AppData\Local\d3d9caps.dat
[2008/01/14 16:47:06 | 000,099,712 | ---- | C] () -- C:\Windows\HPBroker.dll
[2008/01/01 08:25:48 | 000,004,812 | ---- | C] () -- C:\Users\Mitch's\AppData\Roaming\wklnhst.dat
[2007/08/02 06:10:32 | 000,004,984 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2007/07/30 16:40:57 | 000,096,768 | ---- | C] () -- C:\Users\Mitch's\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/13 19:20:37 | 000,000,443 | ---- | C] () -- C:\Windows\QUICKEN.INI
[2007/07/13 19:20:35 | 000,006,838 | ---- | C] () -- C:\Windows\ICOADB32.DAT
[2007/07/13 19:20:35 | 000,000,052 | ---- | C] () -- C:\Windows\intuprof.ini
[2007/04/25 12:01:04 | 000,103,521 | ---- | C] () -- C:\Windows\hpqins13.dat
[2007/04/25 11:43:21 | 000,061,440 | ---- | C] () -- C:\Windows\System32\OsdRemove.exe
[2007/04/25 11:39:48 | 000,327,680 | ---- | C] () -- C:\Windows\System32\pythoncom24.dll
[2007/04/25 11:39:48 | 000,102,400 | ---- | C] () -- C:\Windows\System32\pywintypes24.dll
[2007/03/06 01:47:24 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2007/01/12 07:07:48 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2007/01/12 07:07:48 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/11/02 05:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 05:47:37 | 000,434,616 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:33:01 | 000,650,972 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 03:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 03:33:01 | 000,121,486 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 03:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 03:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 01:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 01:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 00:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2005/08/26 14:28:34 | 000,143,360 | ---- | C] () -- C:\Windows\unzip.exe
[2005/08/26 14:28:20 | 000,024,576 | ---- | C] () -- C:\Windows\shortcut.exe
[2005/08/26 14:27:58 | 000,045,056 | ---- | C] () -- C:\Windows\devenum.exe

========== LOP Check ==========

[2009/05/16 21:05:25 | 000,000,000 | ---D | M] -- C:\Users\Mitch's\AppData\Roaming\#ISW.FS#
[2011/04/11 17:48:51 | 000,000,000 | ---D | M] -- C:\Users\Mitch's\AppData\Roaming\Canon
[2009/10/01 21:32:00 | 000,000,000 | ---D | M] -- C:\Users\Mitch's\AppData\Roaming\CheckPoint
[2008/04/10 11:01:36 | 000,000,000 | ---D | M] -- C:\Users\Mitch's\AppData\Roaming\FUJIFILM
[2008/11/15 12:13:08 | 000,000,000 | ---D | M] -- C:\Users\Mitch's\AppData\Roaming\iWin
[2009/04/01 00:37:38 | 000,000,000 | ---D | M] -- C:\Users\Mitch's\AppData\Roaming\MailFrontier
[2009/05/17 11:25:38 | 000,000,000 | ---D | M] -- C:\Users\Mitch's\AppData\Roaming\NBC Sports
[2009/05/17 11:26:22 | 000,000,000 | ---D | M] -- C:\Users\Mitch's\AppData\Roaming\PokerCreations
[2007/07/13 16:43:30 | 000,000,000 | ---D | M] -- C:\Users\Mitch's\AppData\Roaming\Snapfish
[2008/01/01 08:40:51 | 000,000,000 | ---D | M] -- C:\Users\Mitch's\AppData\Roaming\Template
[2007/07/14 19:50:41 | 000,000,000 | ---D | M] -- C:\Users\Mitch's\AppData\Roaming\WildTangent
[2007/07/14 18:29:50 | 000,000,000 | ---D | M] -- C:\Users\Mitch's\AppData\Roaming\WinBatch
[2011/04/22 00:06:12 | 000,032,636 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

________________________________________________________________________________


Earliest OTL Log

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}\ not found.
File C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25B8D58C-B0CB-46b0-BA64-05B3804E4E86}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25B8D58C-B0CB-46b0-BA64-05B3804E4E86}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35B8D58C-B0CB-46b0-BA64-05B3804E4E86}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35B8D58C-B0CB-46b0-BA64-05B3804E4E86}\ not found.
File C:\Program Files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67956585-9B5C-4E2B-ABE1-A01BF3046EE1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67956585-9B5C-4E2B-ABE1-A01BF3046EE1}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDBFB47B-58A8-4111-BF95-06178DCE326D}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\ not found.
File C:\Program Files\Search Settings\kb128\SearchSettings.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C}\ not found.
File C:\Program Files\Dealio Toolbar\DealioToolbarIE.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{5617ECA9-488D-4BA2-8562-9710B9AB78D2} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\ not found.
File C:\Program Files\DoubleD\JuicyAccess Toolbar\4.1.0.17730\stb0.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{8113B5DE-F7EB-4154-A311-497FB80D8BD0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8113B5DE-F7EB-4154-A311-497FB80D8BD0}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8113B5DE-F7EB-4154-A311-497FB80D8BD0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8113B5DE-F7EB-4154-A311-497FB80D8BD0}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SearchSettings not found.
File C:\Program Files\Search Settings\SearchSettings.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\MRC not found.
Starting removal of ActiveX control {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}\ not found.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer| /E : value set successfully!
File C:\Users\Mitch's\Desktop\OTH_scr.8pr3k58.partial not found.
File C:\Users\Mitch's\Desktop\OTH_scr.xqjjzdb.partial not found.
File C:\Users\Mitch's\Desktop\OTH_scr.fyucxpe.partial not found.
File C:\Users\Mitch's\AppData\Local\1ycw044f0ry3igk042b0613q not found.
File C:\ProgramData\1ycw044f0ry3igk042b0613q not found.
File C:\Users\Mitch's\AppData\Local\syw.exe not found.
File C:\Users\Mitch's\AppData\Local\ukq.exe not found.
File C:\Users\Mitch's\Desktop\null0.9237901524667503.exe not found.
File C:\Users\Mitch's\Desktop\OTH_scr.25el343.partial not found.
File C:\Users\Mitch's\AppData\Local\438o7362iiuj6587r not found.
File C:\ProgramData\438o7362iiuj6587r not found.
File C:\Users\Mitch's\AppData\Local\535pa284a888f77r657skf74n7o6xr1778xf7psx5 not found.
File C:\ProgramData\535pa284a888f77r657skf74n7o6xr1778xf7psx5 not found.
File C:\Users\Mitch's\Desktop\mbam-setup_exe&product=29945.z67e0y8.partial not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UacDisableNotify not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\InternetSettingsDisableNotify not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AutoUpdateDisableNotify not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\\DisableMonitoring not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\\DisableMonitoring not found.
Unable to set value : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\"AntiVirusOverride"|DWORD:0 /E!
Unable to set value : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\\"FirewallOverride"|DWORD:0 /E!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mitch's
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 350420179 bytes
->Java cache emptied: 25288958 bytes
->Flash cache emptied: 318669 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1350060568 bytes
RecycleBin emptied: 10335563 bytes

Total Files Cleaned = 1,656.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Mitch's
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04212011_182843

Files\Folders moved on Reboot...
C:\Users\Mitch's\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J4OBAJ1R\scan[1].htm moved successfully.
C:\Users\Mitch's\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\Mitch's\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
File move failed. C:\Windows\temp\WebEx\Log\421\atashost.log scheduled to be moved on reboot.
File\Folder C:\Windows\temp\avA6AA.tmp not found!
File move failed. C:\Windows\temp\iswift.dat scheduled to be moved on reboot.
File move failed. C:\Windows\temp\sfdb.dat scheduled to be moved on reboot.
File\Folder C:\Windows\temp\ZLT01818.TMP not found!

Registry entries deleted on Reboot...
_____________________

Rogue Killer txt

RogueKiller V4.3.9 [04/16/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Mitch's [Admin rights]
Mode: Scan -- Date : 04/23/2011 05:57:06

Bad processes: 0

Registry Entries: 5
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{4129B5DC-99F9-495A-8760-E0646DEAD679} : NameServer (93.188.165.179,93.188.160.239) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[FILEASSO] HKCU\[...]Software\Classes\exefile\shell\open\command : ("C:\Users\Mitch's\AppData\Local\etw.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\[...]exefile\shell\open\command : ("C:\Users\Mitch's\AppData\Local\etw.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Users\Mitch's\AppData\Local\oyg.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> FOUND

HOSTS File:
127.0.0.1 localhost
::1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt

Edited by chiselchest, 23 April 2011 - 08:12 AM.


#14 heir


  • Malware Response Team
  • 763 posts
  • Gender:Male
  • Local time:05:34 AM

Posted 23 April 2011 - 09:55 AM

Step 1.
RogueKiller:

Quit all running programs and run RogueKiller once again.

  • For Vista/Seven, right-click -> Run as administrator; for XP, simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.


Step 2.
OTL-fix:

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O35 - HKCU\..exefile [open] -- "C:\Users\Mitch's\AppData\Local\etw.exe" -a "%1" %*
    [2011/04/21 23:36:21 | 000,012,924 | -HS- | M] () -- C:\Users\Mitch's\AppData\Local\qc8405353sd701s5336o0p
    [2011/04/21 23:36:21 | 000,012,924 | -HS- | M] () -- C:\ProgramData\qc8405353sd701s5336o0p
    [2011/04/20 21:35:54 | 000,000,000 | ---- | M] () -- C:\Users\Mitch's\Desktop\mbam-setup_exe&product=29945.np37nwd.partial
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL fixlog


Step 3.
MBAM:

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Step 4.
Things I would like to see in your reply:

  • The content of the RKreport.txt from step 1.
  • The content of the fixlog from OTL in step 2.
  • The content of the log from MBAM in step 3.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image
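A small log-triage script, added here as an example and not part of anything posted in this thread: it reads OTL O35/O17/O6 lines and RogueKiller DNS/HJ/FILEASSO lines of the kind quoted above and flags the three problems the Step 2 fix targets (the HKCU exefile open verb routed through etw.exe, ConsentPromptBehaviorAdmin set to 0, and name servers on an interface that are not the ISP resolvers from the O17 line). The function names and the "trusted DNS" set are my own assumptions, and the sample lines are copied from the logs in this thread.

```python
import re
from typing import List, Tuple

# A clean exefile/comfile "open" verb, as OTL prints it on O35/O37 lines.
CLEAN_OPEN_CMD = '"%1" %*'
# Assumed trusted resolvers: the DhcpNameServer pair from the O17 line above.
TRUSTED_DNS = {"68.94.156.1", "68.94.157.1"}

O35_RE = re.compile(r'^O35 - (?P<hive>HK\w+)\\\.\.(?P<ext>\w+) \[open\] -- (?P<cmd>.+)$')
O6_RE = re.compile(r'^O6 - .*ConsentPromptBehaviorAdmin = (?P<val>\d+)$')
NS_RE = re.compile(r'NameServer = (?P<servers>[\d. ]+)$')
RK_DNS_RE = re.compile(r'^\[DNS\] .*NameServer \((?P<servers>[\d.,]+)\)')
RK_HJ_RE = re.compile(r'^\[HJ\] .*ConsentPromptBehaviorAdmin \((?P<val>\d+)\)')
RK_FA_RE = re.compile(r'^\[FILEASSO\] (?P<key>\S+) : \((?P<cmd>.+)\) -> FOUND$')
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)

Finding = Tuple[str, str, str]  # (kind, where, detail)


def interposer(cmd: str) -> str:
    """Return the executable a hijacked open verb routes through, or '' if none."""
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else ""


def triage(lines: List[str], trusted_dns=TRUSTED_DNS) -> List[Finding]:
    """Flag open-verb hijacks, a disabled UAC prompt and rogue DNS servers."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = O35_RE.match(line)
        if m:  # OTL: anything other than "%1" %* means .exe launches go elsewhere
            if m.group("cmd") != CLEAN_OPEN_CMD:
                findings.append(("open_verb_hijack", m.group("hive"), interposer(m.group("cmd"))))
            continue
        m = RK_FA_RE.match(line)
        if m:  # RogueKiller has already judged the association as hijacked
            findings.append(("open_verb_hijack", m.group("key"), interposer(m.group("cmd"))))
            continue
        m = O6_RE.match(line) or RK_HJ_RE.match(line)
        if m:  # 0 = elevate silently, i.e. the UAC consent prompt is switched off
            if m.group("val") == "0":
                findings.append(("uac_prompt_disabled", "ConsentPromptBehaviorAdmin", "0"))
            continue
        servers, where = None, ""
        m = RK_DNS_RE.match(line)
        if m:
            servers, where = m.group("servers").split(","), "RogueKiller"
        else:
            m = NS_RE.search(line)
            if m:
                servers, where = m.group("servers").split(), "O17"
        if servers:
            bad = [s for s in servers if s not in trusted_dns]
            if bad:
                findings.append(("rogue_dns", where, ",".join(bad)))
    return findings


# Sample input copied from the OTL log and RogueKiller report quoted in this thread.
SAMPLE_LOG = [
    r'O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 68.94.157.1',
    r'O35 - HKLM\..exefile [open] -- "%1" %*',
    r'''O35 - HKCU\..exefile [open] -- "C:\Users\Mitch's\AppData\Local\etw.exe" -a "%1" %*''',
    r'[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{4129B5DC-99F9-495A-8760-E0646DEAD679} : NameServer (93.188.165.179,93.188.160.239) -> FOUND',
    r'[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND',
    r'''[FILEASSO] HKCU\[...]Software\Classes\exefile\shell\open\command : ("C:\Users\Mitch's\AppData\Local\etw.exe" -a "%1" %*) -> FOUND''',
]

if __name__ == "__main__":
    for kind, where, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {where:60} {detail}")
```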


#15 chiselchest

  • Topic Starter

  • Members
  • 14 posts
  • Local time:07:34 PM

Posted 24 April 2011 - 12:26 AM

After completing the steps outlined in post #12, I was able to download and run MBAM. It found 156 problems, and all files were deleted, and system rebooted. Seemed OK, but I had to leave for work.

I just wanted to check to be sure, can I still perform the steps requested in post #14?

Hate to create a new reply here, but I wanted that to be known. (Patiently) awaiting a response before I do anything...

Thanks so much!



