
TDSkiller not running, Google Redirects, Sound card/Displays changing


  • This topic is locked
15 replies to this topic

#1 Sami.ha (Members, 8 posts)

Posted 23 April 2011 - 03:40 PM

Hello,

I know you've probably heard it before, but please help! I'm new here, and I wasn't sure what I could say that was different. But it seems like I'm having the same problem as everyone else here. My problem, and this one: http://www.bleepingcomputer.com/forums/topic392645.html -- Seem quite similar, but I didn't want to try anything by myself, so if anyone could help me I'd be very very grateful!

My computer also won't run TDSSKiller; it stops at 80% initialization and then crashes. I've tried other rootkit removers and they all come out clean, same with virus/malware scans. It seems like everything is cleared out, but it's obvious I still have a virus since Google keeps redirecting, systems keep crashing, my sound and display keep altering as well, and the Generic Host Process for Win 32 crashing keeps coming up...

Please if someone could give me some ideas on what to do? I see lots of similar topics but I'm scared to try anything on my own...

Thank you!

Sorry about that, I didn't read the part about the logs. Here are mine:

DDS Log

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User1 at 16:11:31.07 on Sat 04/23/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
.
============== Running Processes ===============
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\32788R22FWJFW\License\FireFox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\User1\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?o=102163&l=dis
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: H - No File
mWinlogon: SFCDisable=4 (0x4)
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Google Update] "c:\documents and settings\user1\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Office Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user1\applic~1\mozilla\firefox\profiles\9wlmhczf.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\user1\application data\mozilla\firefox\profiles\9wlmhczf.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\user1\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\user1\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\user1\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Private Browsing Window: privatebrowsingwindow@jesjmsoftware - %profile%\extensions\privatebrowsingwindow@jesjmsoftware
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R? biwxgyjs;biwxgyjs
R? cerc6;cerc6
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? MEMSWEEP2;MEMSWEEP2
R? MpKsle85f7000;MpKsle85f7000
R? sdAuxService;PC Tools Auxiliary Service
R? sdCoreService;PC Tools Security Service
R? XIRLINK;eVision 123 digital camera
S? aswFsBlk;aswFsBlk
S? aswSnx;aswSnx
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? PCTCore;PCTools KDS
S? pctDS;PC Tools Data Store
.
=============== Created Last 30 ================
.
2011-04-23 21:26:37 98816 ----a-w- c:\windows\sed.exe
2011-04-23 21:26:37 89088 ----a-w- c:\windows\MBR.exe
2011-04-23 21:26:37 256512 ----a-w- c:\windows\PEV.exe
2011-04-23 21:26:37 161792 ----a-w- c:\windows\SWREG.exe
2011-04-23 21:25:40 -------- d-s---w- C:\ComboFix
2011-04-23 04:37:06 -------- d-----w- c:\docume~1\user1\applic~1\Uniblue
2011-04-23 04:36:54 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}
2011-04-23 04:36:53 -------- d-----w- c:\program files\Uniblue
2011-04-23 04:36:34 -------- d-----w- c:\docume~1\user1\locals~1\applic~1\PackageAware
2011-04-23 04:30:39 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-23 04:30:34 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-23 04:30:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-22 23:51:45 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-22 23:06:21 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-22 23:04:52 40112 ----a-w- c:\windows\avastSS.scr
2011-04-22 23:04:32 -------- d-----w- c:\program files\AVAST Software
2011-04-22 23:04:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software
2011-04-22 20:08:48 -------- d-----w- c:\windows\LMI1BA.tmp
2011-04-22 20:08:09 -------- d-----w- c:\windows\LMI1B9.tmp
2011-04-22 04:15:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2011-04-22 03:50:41 -------- d-----w- c:\program files\Sophos
2011-04-11 18:31:47 -------- d-----w- c:\program files\ddd
2011-04-11 18:07:04 -------- d-----w- c:\docume~1\user1\applic~1\QuickScan
2011-04-11 17:45:06 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-04-11 17:45:06 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-04-11 17:45:05 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-04-11 17:45:02 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-04-11 17:45:02 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-04-11 17:44:56 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-04-11 17:44:45 -------- d-----w- c:\program files\common files\PC Tools
2011-04-11 17:44:44 -------- d-----w- c:\program files\PC Tools Security
2011-04-11 17:44:44 -------- d-----w- c:\docume~1\user1\applic~1\PC Tools
2011-04-11 17:44:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-04-11 11:01:53 -------- d-----w- c:\windows\system32\LogFiles
2011-04-10 20:24:03 -------- d-----w- c:\docume~1\user1\applic~1\Malwarebytes
2011-04-10 20:23:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-10 20:23:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-10 20:23:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-10 20:23:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-10 19:04:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\pJk31001cBiNm31001
2011-04-08 19:29:29 -------- d-----w- c:\docume~1\user1\applic~1\PrimoPDF
2011-04-08 19:22:12 180624 ----a-w- c:\windows\system32\Primomonnt.dll
2011-04-08 19:22:07 -------- d-----w- c:\program files\Nitro PDF
2011-04-07 05:23:51 -------- d-----w- c:\program files\MSECache
.
==================== Find3M ====================
.
2011-04-23 04:13:03 1409 ----a-w- c:\windows\QTFont.for
2011-03-14 17:05:05 695578 ----a-w- c:\windows\system32\unins000.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 00:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2064384 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9160823ASG rev.3.AAB -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x864D1730]<<
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x864d7a10]; MOV EAX, [0x864d7a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86518AB8]
3 CLASSPNP[0xF761DFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8656D920]
5 PCTCore[0xF73C2099] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86570940]
\Driver\atapi[0x8654A270] -> IRP_MJ_CREATE -> 0x864D1730
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x864D157B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:12:59.93 ===============

GMER log attached...

Edited by Sami.ha, 23 April 2011 - 07:14 PM.
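A first-pass triage of a DDS report like the one above can be automated before a human looks at it. The following is an added example written for this thread, not code from BleepingComputer, DDS or GMER: it splits a DDS-style log into its banner-delimited sections and pulls out the things the report itself already marks as worth attention (registry entries whose target is "No File", a non-default SFCDisable value, an ">>UNKNOWN<<" module in the disk trace, hooked driver entry points under "detected hooks:", and GMER's "Warning:" line). The rule that flags processes running from outside the Windows and Program Files trees is my own heuristic, not a DDS convention, and only marks paths for review. The log text inside the block is a constructed, shortened input in the same layout as the posted report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed log in the same layout as the DDS report posted
# above (section banners, "." separators, one entry per line). Hypothetical input.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\32788R22FWJFW\License\FireFox.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: H - No File
mWinlogon: SFCDisable=4 (0x4)
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Notify: TPSvc - TPSvc.dll
.
=================== ROOTKIT ====================
.
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x864D1730]<<
detected hooks:
\Driver\atapi DriverStartIo -> 0x864D157B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:12:59.93 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
IMAGE_RE = re.compile(r"^(.+?\.(?:exe|scr))\b", re.IGNORECASE)
# Heuristic (my choice, not a DDS rule): executables outside these trees get a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Findings:
    odd_process_paths: list = field(default_factory=list)
    dangling_entries: list = field(default_factory=list)
    rootkit_indicators: list = field(default_factory=list)
    sfc_disabled: bool = False


def split_sections(text):
    """Group log lines under their '=== Name ===' banner; blank and '.' lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def process_image(line):
    """Return the executable path from a process line, dropping arguments like '-k netsvcs'."""
    m = IMAGE_RE.match(line)
    return m.group(1) if m else None


def triage(text):
    f = Findings()
    sections = split_sections(text)

    for line in sections.get("Running Processes", []):
        path = process_image(line)
        if path and not path.lower().startswith(TRUSTED_ROOTS):
            f.odd_process_paths.append(path)

    for line in sections.get("Pseudo HJT Report", []):
        # Registry entries whose target binary is gone are leftovers worth cleaning up.
        if "No File" in line or "File not found" in line:
            f.dangling_entries.append(line)
        # SFCDisable=0 is the default; any other value means Windows File Protection is off.
        m = re.search(r"SFCDisable=(\w+)", line)
        if m and m.group(1) not in ("0", "0x0"):
            f.sfc_disabled = True

    in_hooks = False
    for line in sections.get("ROOTKIT", []):
        if line.startswith("detected hooks:"):
            in_hooks = True
            continue
        if in_hooks and "->" in line:
            f.rootkit_indicators.append(line)  # a hooked driver entry point
            continue
        in_hooks = False
        if ">>UNKNOWN" in line or line.startswith("Warning:"):
            f.rootkit_indicators.append(line)  # unknown module in the disk path, or GMER's verdict
    return f


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, items in (("Processes outside Windows/Program Files", result.odd_process_paths),
                        ("Dangling registry entries", result.dangling_entries),
                        ("Rootkit indicators", result.rootkit_indicators)):
        print(f"{name}: {len(items)}")
        for item in items:
            print("   ", item)
    print("Windows File Protection disabled:", result.sfc_disabled)
```

Run against the constructed sample, the script reports one process path for review, two dangling registry entries, three rootkit indicators, and SFCDisable set. Everything it emits is a pointer for the helper reading the thread, not a verdict; a path outside Program Files is often a legitimate tool running from a temporary folder, which is exactly why the output lists the full path rather than a score.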



#2 myrti (Sillyberry; Malware Study Hall Admin, 33,771 posts)

Posted 01 May 2011 - 08:44 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is the version, the edition and whether it is a 32-bit or a 64-bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- will be opened
    • Extra.txt <-- will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 Sami.ha (Topic Starter; Members, 8 posts)

Posted 03 May 2011 - 12:28 PM

Whew, below 5 days! Sorry about being a little late, I appreciate any help you can give me Myrti! (Wow, I don't know what this report totally means, but I think it shows how many things I've downloaded to try to get this fixed lol *ouch* ...)

Here are the two reports:

OTL.txt


[2010/12/04 22:00:02 | 000,000,000 | ---D | M] (Private Browsing Window Helper) -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\g0gge0zw.private_browsing\extensions\privatebrowsingwindow-child@jesjmsoftware
[2011/05/03 12:13:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/06 22:38:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/12/11 12:34:33 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2011/04/22 17:04:59 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2011/02/03 16:20:37 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\HTML5VIDEO
[2011/02/03 16:20:37 | 000,000,000 | ---D | M] (DivX HiQ) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\WPA
[2010/12/06 22:38:02 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/12/06 22:38:01 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

Hosts file not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1708537768-1757981266-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-1708537768-1757981266-1417001333-1003\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKU\S-1-5-21-1708537768-1757981266-1417001333-1003..\Run: [RegistryBooster] C:\Program Files\Uniblue\RegistryBooster\launcher.exe (Uniblue Systems Limited)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1708537768-1757981266-1417001333-1003\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1708537768-1757981266-1417001333-1003\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-1708537768-1757981266-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1708537768-1757981266-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.91.3.60 66.112.11.87
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\TPSvc: DllName - TPSvc.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\User1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User1\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/11/09 21:37:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{05d984db-ed61-11df-a59d-0015c516ed95}\Shell\AutoRun\command - "" = setupSNK.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-1708537768-1757981266-1417001333-1003..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1708537768-1757981266-1417001333-1003\...exe [@ = exefile] -- "%1" %*


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PEVSystemStart - Service
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: procexp90.Sys - Driver
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 8.5.1
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 8.5.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4b218e3e-bc98-4770-93d3-2731b9329278} - %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - %SystemRoot%\system32\ie4uinit.exe
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.D263 - C:\WINDOWS\System32\xl_x263dec.dll (Xirlink, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.XJPG - C:\WINDOWS\System32\camfc.dll (Xirlink)
Drivers32: VIDC.YV12 - C:\WINDOWS\System32\xl_yv12.dll (Xirlink, Inc.)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/05/03 12:16:25 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User1\Desktop\OTL.exe
[2011/04/23 16:16:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Desktop\gmer
[2011/04/23 15:26:37 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/23 15:26:37 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/23 15:26:37 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/23 15:26:37 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/23 15:25:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/23 15:25:40 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/04/23 15:25:12 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/23 15:24:43 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2011/04/22 22:44:03 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\User1\Desktop\blahblah.com.exe
[2011/04/22 22:37:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Application Data\Uniblue
[2011/04/22 22:36:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Uniblue
[2011/04/22 22:36:54 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}
[2011/04/22 22:36:53 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2011/04/22 22:36:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Local Settings\Application Data\PackageAware
[2011/04/22 22:30:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Hitman Pro 3.5
[2011/04/22 22:30:34 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2011/04/22 22:30:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/04/22 22:28:39 | 006,449,984 | ---- | C] (SurfRight B.V.) -- C:\Documents and Settings\User1\Desktop\HitmanPro35.exe
[2011/04/22 17:51:45 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2011/04/22 17:06:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2011/04/22 17:06:41 | 000,019,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/04/22 17:06:39 | 000,307,288 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/04/22 17:06:30 | 000,025,432 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/04/22 17:06:28 | 000,049,240 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/04/22 17:06:21 | 000,441,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/04/22 17:06:19 | 000,102,488 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/04/22 17:06:18 | 000,096,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/04/22 17:06:16 | 000,030,680 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/04/22 17:04:52 | 000,040,112 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/04/22 17:04:51 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/04/22 17:04:32 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/04/22 17:04:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/04/22 14:09:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ICS
[2011/04/22 08:49:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/21 22:31:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Real
[2011/04/21 22:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011/04/21 21:50:41 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2011/04/21 21:33:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/21 21:33:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/04/21 21:26:59 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\User1\Desktop\dddseddr.com.exe
[2011/04/21 18:53:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/21 18:53:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/11 12:31:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ddd
[2011/04/11 12:31:47 | 000,000,000 | ---D | C] -- C:\Program Files\ddd
[2011/04/11 12:07:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Application Data\QuickScan
[2011/04/11 11:45:06 | 000,656,320 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctEFA.sys
[2011/04/11 11:45:06 | 000,338,880 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctDS.sys
[2011/04/11 11:45:05 | 000,249,616 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2011/04/11 11:45:02 | 000,239,168 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2011/04/11 11:45:02 | 000,160,448 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2011/04/11 11:45:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PC Tools Security
[2011/04/11 11:44:56 | 000,070,536 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2011/04/11 11:44:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2011/04/11 11:44:44 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2011/04/11 11:44:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Application Data\PC Tools
[2011/04/11 11:44:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011/04/11 11:44:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/04/11 05:01:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2011/04/10 14:24:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Application Data\Malwarebytes
[2011/04/10 14:23:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/10 14:23:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/10 14:23:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/10 14:23:44 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/10 14:23:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/10 13:38:27 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/04/10 13:04:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pJk31001cBiNm31001
[2011/04/08 13:29:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Application Data\PrimoPDF
[2011/04/08 13:22:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PrimoPDF
[2011/04/08 13:22:07 | 000,000,000 | ---D | C] -- C:\Program Files\Nitro PDF
[2011/04/06 23:23:51 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/03 12:17:05 | 000,000,264 | ---- | M] () -- C:\WINDOWS\tasks\RegistryBooster.job
[2011/05/03 12:16:37 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User1\Desktop\OTL.exe
[2011/05/03 12:16:09 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/03 12:15:04 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/03 12:03:24 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/05/03 12:03:09 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/03 12:02:58 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/03 12:02:58 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-1757981266-1417001333-1003.job
[2011/05/03 12:02:57 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-1757981266-1417001333-1003.job
[2011/05/03 12:02:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/24 12:34:05 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1757981266-1417001333-1003UA.job
[2011/04/23 16:16:02 | 000,293,019 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\gmer.zip
[2011/04/23 16:10:28 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\dds.scr
[2011/04/23 16:09:36 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\User1\defogger_reenable
[2011/04/23 16:07:45 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\Defogger.exe
[2011/04/23 15:28:04 | 004,325,230 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\ComboFix.exe
[2011/04/22 22:51:19 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2011/04/22 22:44:26 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\User1\Desktop\blahblah.com.exe
[2011/04/22 22:36:59 | 000,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Uniblue RegistryBooster.lnk
[2011/04/22 22:36:59 | 000,001,719 | ---- | M] () -- C:\Documents and Settings\User1\Application Data\Microsoft\Internet Explorer\Quick Launch\Uniblue RegistryBooster.lnk
[2011/04/22 22:29:36 | 006,449,984 | ---- | M] (SurfRight B.V.) -- C:\Documents and Settings\User1\Desktop\HitmanPro35.exe
[2011/04/22 22:13:03 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/04/22 22:13:03 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2011/04/22 21:59:43 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/04/22 17:52:54 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/04/22 17:06:43 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/04/22 17:06:20 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/04/22 11:47:06 | 000,005,992 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2011/04/22 09:07:26 | 000,000,328 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpfr2.cfg
[2011/04/21 21:27:26 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\User1\Desktop\dddseddr.com.exe
[2011/04/20 04:34:02 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1757981266-1417001333-1003Core.job
[2011/04/18 11:25:12 | 000,040,112 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/04/18 11:25:10 | 000,199,304 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/04/18 11:17:46 | 000,441,176 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/04/18 11:17:34 | 000,307,288 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/04/18 11:16:18 | 000,049,240 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/04/18 11:16:06 | 000,102,488 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/04/18 11:16:02 | 000,096,344 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/04/18 11:13:21 | 000,025,432 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/04/18 11:13:02 | 000,030,680 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/04/18 11:12:58 | 000,019,544 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/04/14 02:04:21 | 048,297,126 | ---- | M] () -- C:\Documents and Settings\User1\My Documents\Ahlebayt.pdf
[2011/04/11 12:01:47 | 000,011,658 | -HS- | M] () -- C:\Documents and Settings\User1\Local Settings\Application Data\52127crj46v8gbyx8xrk6j27r0jjxu46ym024ki11u
[2011/04/11 12:01:47 | 000,011,658 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\52127crj46v8gbyx8xrk6j27r0jjxu46ym024ki11u
[2011/04/11 11:45:01 | 000,001,664 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2011/04/11 11:18:50 | 000,011,770 | -HS- | M] () -- C:\Documents and Settings\User1\Local Settings\Application Data\dlc23xd14500s0f123
[2011/04/11 11:18:50 | 000,011,770 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\dlc23xd14500s0f123
[2011/04/10 14:23:56 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/10 12:30:42 | 000,005,388 | ---- | M] () -- C:\Documents and Settings\User1\.recently-used.xbel
[2011/04/09 11:06:02 | 000,262,232 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/08 13:30:18 | 000,073,682 | ---- | M] () -- C:\Documents and Settings\User1\My Documents\Ghurabaa-lyrics.pdf
[2011/04/08 13:22:27 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PrimoPDF - Drop Files Here to Convert!.lnk
[2011/04/08 13:22:11 | 000,000,314 | ---- | M] () -- C:\WINDOWS\primopdf.ini
[2011/04/05 11:37:59 | 000,060,416 | ---- | M] () -- C:\Documents and Settings\User1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/23 16:15:59 | 000,293,019 | ---- | C] () -- C:\Documents and Settings\User1\Desktop\gmer.zip
[2011/04/23 16:10:26 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\User1\Desktop\dds.scr
[2011/04/23 16:09:36 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User1\defogger_reenable
[2011/04/23 16:07:45 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\User1\Desktop\Defogger.exe
[2011/04/23 15:26:37 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/23 15:26:37 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/23 15:26:37 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/23 15:26:37 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/23 15:26:37 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/23 14:24:45 | 004,325,230 | ---- | C] () -- C:\Documents and Settings\User1\Desktop\ComboFix.exe
[2011/04/22 22:37:13 | 000,000,264 | ---- | C] () -- C:\WINDOWS\tasks\RegistryBooster.job
[2011/04/22 22:36:59 | 000,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Uniblue RegistryBooster.lnk
[2011/04/22 22:36:59 | 000,001,719 | ---- | C] () -- C:\Documents and Settings\User1\Application Data\Microsoft\Internet Explorer\Quick Launch\Uniblue RegistryBooster.lnk
[2011/04/22 22:30:39 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/04/22 22:30:35 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2011/04/22 17:06:43 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2011/04/22 08:47:09 | 000,000,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpfr2.cfg
[2011/04/22 08:41:09 | 000,005,992 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2011/04/14 02:04:22 | 048,297,126 | ---- | C] () -- C:\Documents and Settings\User1\My Documents\Ahlebayt.pdf
[2011/04/11 11:45:01 | 000,001,664 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2011/04/11 11:18:50 | 000,011,658 | -HS- | C] () -- C:\Documents and Settings\User1\Local Settings\Application Data\52127crj46v8gbyx8xrk6j27r0jjxu46ym024ki11u
[2011/04/11 11:18:50 | 000,011,658 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\52127crj46v8gbyx8xrk6j27r0jjxu46ym024ki11u
[2011/04/11 05:01:41 | 000,011,770 | -HS- | C] () -- C:\Documents and Settings\User1\Local Settings\Application Data\dlc23xd14500s0f123
[2011/04/11 05:01:41 | 000,011,770 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\dlc23xd14500s0f123
[2011/04/10 14:23:55 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/10 12:30:42 | 000,005,388 | ---- | C] () -- C:\Documents and Settings\User1\.recently-used.xbel
[2011/04/08 13:30:16 | 000,073,682 | ---- | C] () -- C:\Documents and Settings\User1\My Documents\Ghurabaa-lyrics.pdf
[2011/04/08 13:22:27 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PrimoPDF - Drop Files Here to Convert!.lnk
[2011/04/08 13:22:12 | 000,180,624 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2011/03/14 11:05:11 | 000,695,578 | ---- | C] () -- C:\WINDOWS\System32\unins000.exe
[2011/03/14 11:05:11 | 000,001,028 | ---- | C] () -- C:\WINDOWS\System32\unins000.dat
[2011/02/09 22:03:48 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2010/12/25 14:10:01 | 000,000,678 | ---- | C] () -- C:\WINDOWS\bundle.ini
[2010/12/23 14:21:31 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/22 15:12:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/12/07 00:02:52 | 000,060,416 | ---- | C] () -- C:\Documents and Settings\User1\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/06 19:47:46 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/12/04 21:54:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/11/11 01:02:33 | 000,000,022 | ---- | C] () -- C:\WINDOWS\Kruptos.INI
[2010/11/09 22:19:35 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2010/11/09 22:19:34 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2010/11/09 22:19:34 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2010/11/09 22:13:43 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2010/11/09 22:06:45 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
[2010/11/09 21:40:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/11/09 21:34:32 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/11/09 16:22:27 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/11/09 16:21:14 | 000,262,232 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/04/14 01:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 01:00:00 | 000,432,924 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 01:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 01:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 01:00:00 | 000,067,714 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 01:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 01:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 01:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 01:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 01:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/04/15 05:52:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/04/15 05:52:33 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008/04/14 01:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 01:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2008/04/14 01:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 01:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 01:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

========== Files - Unicode (All) ==========
[2011/03/02 01:16:39 | 000,023,040 | ---- | M] ()(C:\Documents and Settings\User1\My Documents\???????? ????????? ?????? ??????????? ????????.doc) -- C:\Documents and Settings\User1\My Documents\إِنَّمَا الصَّبْرُ عِنْدَ الصَّدْمَةِ الأُولَى.doc
[2011/03/02 01:16:38 | 000,023,040 | ---- | C] ()(C:\Documents and Settings\User1\My Documents\???????? ????????? ?????? ??????????? ????????.doc) -- C:\Documents and Settings\User1\My Documents\إِنَّمَا الصَّبْرُ عِنْدَ الصَّدْمَةِ الأُولَى.doc
[2011/01/14 18:56:56 | 004,327,552 | ---- | M] ()(C:\Documents and Settings\User1\My Documents\?? ??? ?? ???.mp3) -- C:\Documents and Settings\User1\My Documents\لا تقل هم قسى.mp3
[2011/01/14 18:55:12 | 004,327,552 | ---- | C] ()(C:\Documents and Settings\User1\My Documents\?? ??? ?? ???.mp3) -- C:\Documents and Settings\User1\My Documents\لا تقل هم قسى.mp3

========== Alternate Data Streams ==========

@Alternate Data Stream - 171 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >


And Extras.txt


OTL Extras logfile created on: 5/3/2011 12:17:23 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\User1\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 466.00 Mb Available Physical Memory | 46.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.00 Gb Total Space | 35.05 Gb Free Space | 70.11% Space Free | Partition Type: NTFS
Drive E: | 49.33 Gb Total Space | 49.21 Gb Free Space | 99.74% Space Free | Partition Type: NTFS
Drive F: | 49.71 Gb Total Space | 49.57 Gb Free Space | 99.73% Space Free | Partition Type: NTFS

Computer Name: DELL-E-1505 | User Name: User1 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.inf [@ = inffile] -- Reg Error: Key error. File not found
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1708537768-1757981266-1417001333-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
inffile [open] -- Reg Error: Key error.
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4"
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [hitmanpro] -- "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" "%1\"
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
"C:\Documents and Settings\User1\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\User1\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{005F78AF-110D-398A-8430-BE98950A1E22}" = Google Talk Plugin
"{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA}" = Uniblue RegistryBooster
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 22
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{7E44C354-10A8-4214-9C56-F3F00775E415}_is1" = Stykz for Windows 1.0.2
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F8750FA5-A7C8-4ED7-AD9C-B989BF7C21DB}" = Prentice Hall Realidades Interactive Textbook CD-ROM
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"4569969E1360D2854474C661EF9B4D54F143EB16" = Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Audacity_is1" = Audacity 1.2.6
"avast" = avast! Free Antivirus
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CamStudio Lossless Codec_is1" = CamStudio Lossless Codec v1.4
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"DivX Setup.divx.com" = DivX Setup
"Google Chrome" = Google Chrome
"HDMI" = Intel® Graphics Media Accelerator Driver
"HitmanPro35" = Hitman Pro 3.5
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"QuickTime" = QuickTime
"RealPlayer 12.0" = RealPlayer
"Shockwave" = Shockwave
"Spyware Doctor" = Spyware Doctor 8.0
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Uniblue RegistryBooster" = Uniblue RegistryBooster
"VLC media player" = VLC media player 1.0.1
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinLiveSuite_Wave3" = Windows Live Essentials
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1708537768-1757981266-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/22/2011 7:45:04 PM | Computer Name = DELL-E-1505 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 4/22/2011 7:45:06 PM | Computer Name = DELL-E-1505 | Source = MPSampleSubmission | ID = 5000
Description =

Error - 4/22/2011 9:16:17 PM | Computer Name = DELL-E-1505 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module shlwapi.dll, version 6.0.2900.5912, fault address 0x000066e0.

Error - 4/22/2011 9:23:21 PM | Computer Name = DELL-E-1505 | Source = Application Error | ID = 1001
Description = Fault bucket 1740885583.

Error - 4/23/2011 12:15:53 AM | Computer Name = DELL-E-1505 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module mshtml.dll, version 6.0.2900.6058, fault address 0x000696ae.

Error - 4/23/2011 12:46:52 AM | Computer Name = DELL-E-1505 | Source = Application Error | ID = 1000
Description = Faulting application blahblah.com.exe, version 2.4.21.0, faulting
module blahblah.com.exe, version 2.4.21.0, fault address 0x00056ec9.

Error - 4/23/2011 12:59:27 AM | Computer Name = DELL-E-1505 | Source = Application Error | ID = 1000
Description = Faulting application blahblah.com.exe, version 2.4.21.0, faulting
module blahblah.com.exe, version 2.4.21.0, fault address 0x00056ec9.

Error - 4/23/2011 1:24:31 AM | Computer Name = DELL-E-1505 | Source = Application Error | ID = 1000
Description = Faulting application skype.exe, version 5.1.0.112, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 4/23/2011 1:58:52 PM | Computer Name = DELL-E-1505 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00022235.

Error - 4/24/2011 2:04:26 PM | Computer Name = DELL-E-1505 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00022235.

[ System Events ]
Error - 4/24/2011 3:35:11 AM | Computer Name = DELL-E-1505 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 4/24/2011 1:47:12 PM | Computer Name = DELL-E-1505 | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 4/24/2011 1:47:12 PM | Computer Name = DELL-E-1505 | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 4/24/2011 1:47:12 PM | Computer Name = DELL-E-1505 | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 4/24/2011 5:33:16 PM | Computer Name = DELL-E-1505 | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 4/24/2011 6:17:28 PM | Computer Name = DELL-E-1505 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/3/2011 2:02:54 PM | Computer Name = DELL-E-1505 | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 5/3/2011 2:02:54 PM | Computer Name = DELL-E-1505 | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 5/3/2011 2:02:54 PM | Computer Name = DELL-E-1505 | Source = NetBT | ID = 4311
Description = Initialization failed because the driver device could not be created.

Error - 5/3/2011 2:03:53 PM | Computer Name = DELL-E-1505 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >

Edited by Sami.ha, 03 May 2011 - 02:06 PM.


#4 myrti (Malware Study Hall Admin)

Posted 03 May 2011 - 02:02 PM

Hi,
yes I can tell you've tried to remove it. :wink:

Please run a scan with aswmbr next:
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 Sami.ha (Topic Starter)

Posted 03 May 2011 - 02:08 PM

Sure thing :)

- Attached -


#6 myrti (Malware Study Hall Admin)

Posted 03 May 2011 - 02:14 PM

Hi,

ok, that looks promising. Please run the following fix:
Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIX button,
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.

regards myrti



#7 Sami.ha (Topic Starter)

Posted 08 May 2011 - 12:30 PM

Sorry! I thought you had not replied all these days, my subscription didn't work :(

OK so at first my computer did not want to load. Finally got it started. But after "fix" it says

Disk 0 fixing MBR ...
Disk 0 MBR restored successfully
Verifying disinfection


... And there my computer has frozen, it's not giving me that last line you said....

#8 Sami.ha (Topic Starter)

Posted 08 May 2011 - 11:08 PM

OK so... I restarted manually anyways and re-did the scan. I see no more red (yay!) but here is the attached log anyways...

Does it seem to be okay? Do I need to uninstall some of my programs now or something? Or do anything else? Or like is there other stuff you'd recommend now?

I seem to be getting excited but I really hope my computer is fixed... TDSSKiller finally ran and it didn't find anything!

(gah *gushes* you're the coolest btw)


#9 myrti (Malware Study Hall Admin)

Posted 11 May 2011 - 10:59 AM

Hi,

I'm happy to hear things worked! :)

Things should be sorted now, but I would like to check the PC for leftovers. Please rerun OTL.exe and post the OTL.txt in your next reply.

Please also run a scan with Eset:
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: [button image]

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [button image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [button image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [button image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!



#10 Sami.ha (Topic Starter)

Posted 11 May 2011 - 02:38 PM

Ok here they are... not sure if it's looking good though.

OTL.txt attached

ESETScan.txt - this was what they gave me the option to save on the final scan

log.txt - attached this was the ESET log file...


#11 myrti (Malware Study Hall Admin)

Posted 11 May 2011 - 03:19 PM

Hi,
the escan log is not so bad. They are all located in the temporary folder, so you can remove them by emptying temporary folders and the recycle bin:
Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

regards myrti



#12 Sami.ha (Topic Starter)

Posted 13 May 2011 - 09:47 AM

Well most of them were in Temp so I cleaned that out. Then I got rid of Registry Booster (is that a virus?) and it seemed to get most away. These two are left though - attached log.

Attached File: log.txt (6.62KB)


#13 myrti (Malware Study Hall Admin)

Posted 14 May 2011 - 03:37 PM

Hi,

Registry Booster is a registry cleaner. I don't advise using registry cleaners on principle. Registry Booster however takes it over the top even for a registry cleaner by showing excessive amounts of errors.

The files found by Eset are leftovers from Registry Booster, they're nothing to worry about.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 25 (JDK or JRE)"
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • Once the installation is finished, open Adobe Reader and accept the warranty if prompted.
  • Click on Help and select Check for Updates.
  • A window will open and Adobe will check for Updates. If any updates are found to be available click on Download.
  • Once the update is downloaded you will get a system notification telling you so. Click on the popup to restore the window.
  • In the window that opens click Install.
  • Once the update is done click Close.
Your Adobe Reader is now up to date!

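As an added example that is not part of this thread and not code from OTL or any of the tools used here, the following Python script does in code what a helper does when reading the OTL log posted at the top of this page: it pulls the display names out of the Uninstall List and flags Java and Adobe Reader versions below the ones named in this post, and it parses the "Last 10 Event Log Errors" section to count repeated faulting-application crashes (the svchost.exe crashes in that log). The sample log, regexes and function names are constructed for this example; the minimum versions (Java 6 Update 25, Adobe Reader X) are the ones stated in this post.

```python
# Added example, not code from the thread or from OTL: triage helpers for the two OTL
# log sections pasted above. SAMPLE_LOG and the regexes are constructed for this example.
import re
from collections import Counter

SAMPLE_LOG = r'''========== HKEY_LOCAL_MACHINE Uninstall List ==========
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 22
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"avast" = avast! Free Antivirus

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/22/2011 9:16:17 PM | Computer Name = DELL-E-1505 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module shlwapi.dll, version 6.0.2900.5912, fault address 0x000066e0.

Error - 4/23/2011 1:58:52 PM | Computer Name = DELL-E-1505 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00022235.

[ System Events ]
Error - 4/24/2011 3:35:11 AM | Computer Name = DELL-E-1505 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
'''

MIN_JAVA = (6, 25)   # "JDK 6 Update 25" named in the thread (May 2011)
MIN_READER = (10,)   # "Adobe Reader Version X" named in the thread

UNINSTALL_RE = re.compile(r'^"[^"]+" = (.+)$')
JAVA_RE = re.compile(r'^Java\W*(\d+) Update (\d+)$')
READER_RE = re.compile(r'^Adobe Reader (\d+(?:\.\d+)*)$')
EVENT_RE = re.compile(r'^Error - (?P<when>.+?) \| Computer Name = (?P<host>.+?)'
                      r' \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$')
FAULT_RE = re.compile(r'Faulting application (\S+), version \S+, '
                      r'faulting\s+module (\S+), version')

def installed_software(log_text):
    """Display names from Uninstall List entries of the form '"key" = Name'."""
    names = []
    for line in log_text.splitlines():
        m = UNINSTALL_RE.match(line.strip())
        if m:
            names.append(m.group(1).strip())
    return names

def outdated_software(names, min_java=MIN_JAVA, min_reader=MIN_READER):
    """(installed name, minimum wanted) for Java / Adobe Reader below the minimum."""
    findings = []
    for name in names:
        m = JAVA_RE.match(name)
        if m and (int(m.group(1)), int(m.group(2))) < min_java:
            findings.append((name, "Java %d Update %d" % min_java))
        m = READER_RE.match(name)
        if m and tuple(int(p) for p in m.group(1).split(".")) < min_reader:
            findings.append((name, "Adobe Reader " + ".".join(map(str, min_reader))))
    return findings

def event_errors(log_text):
    """Parse 'Error - ...' records; a description may wrap onto later lines."""
    records, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = EVENT_RE.match(line)
        if m:
            current = dict(m.groupdict(), description="")
            records.append(current)
        elif not line:
            current = None              # a blank line closes the record
        elif current is not None:
            current["description"] += line + " "
    return records

def crash_summary(records):
    """Count (application, module) pairs from Application Error events; repeated
    svchost.exe crashes were one of the symptoms reported in this thread."""
    counts = Counter()
    for rec in records:
        m = FAULT_RE.search(rec["description"])
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts
```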


#14 Sami.ha (Topic Starter)

Posted 21 May 2011 - 02:06 PM

Gotcha =) Ok myrti thank you so much for all your help, I will hopefully do all of the above steps ASAP...

Anything else I should do? Should I un-install most of the virus protectors/things I downloaded before? What would you recommend I keep on principle?

#15 myrti (Malware Study Hall Admin)

Posted 21 May 2011 - 05:19 PM

Heya,

yes, that would be my final advice. Remove the tools we used:

Please do the following to clean up your PC:
  • Delete the tools used during the disinfection:
  • Uninstall ComboFix.exe and all backups of the files it deleted
    • Click START then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTC from the following mirror and save it to your desktop:
    • Double click on the OTC icon
    • Push the large "Cleanup" button.
    • Allow your system to reboot.
  • If OTC failed to remove all programs from your Desktop, please delete the rest manually.
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:

Have a nice day
myrti





