
Email was hacked by Trojan or Spyware


  • This topic is locked
15 replies to this topic

#1 rgn2000

rgn2000

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:41 AM

Posted 16 May 2011 - 03:40 PM

On Friday, my AOL email was hacked and a bunch of spam emails were sent out of it. Then later one of my gmail accounts had the same issue, but only 1 email was sent. I changed the passwords from another computer and will not access them on this computer until I get this resolved. I am assuming it is some kind of spyware, but do not know for sure. Here are my reports:

DDS.txt log: (Attach.txt and ark.txt attached below)


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 13:47:29.37 on Mon 05/16/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.200 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mobile Stream\EasyTether\easytthr.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.53\GoogleCrashHandler.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\IBM\Client Access\Emulator\pcsws.exe
C:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
C:\PROGRA~1\IBM\CLIENT~1\cwblmsrv.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyTether] "c:\program files\mobile stream\easytether\easytthr.exe"
uRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10p_ActiveX.exe -update activex
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TotalRecorderScheduler] "c:\program files\highcriteria\totalrecorder\TotRecSched.exe"
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [Client Access Help Update] "c:\program files\ibm\client access\cwbinhlp.exe"
mRun: [Client Access Check Version] "c:\program files\ibm\client access\cwbckver.exe" LOGIN
mRun: [Client Access Express Welcome] "c:\program files\ibm\client access\cwbwlwiz.exe"
mRun: [\\new5\EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaba.exe /p30 "\\new5\EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KASHNTWSLS97633079044361] "c:\program files\kaseya\agent\KaUsrTsk.exe"
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\windows\system32\RSLSP.dll
DPF: {172826E5-EC1B-402E-9782-02E3D087E008} - hxxps://skyfex.com/download/sf_skyfex.com-download_instmodule.exe
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} - hxxp://24.187.204.218:2020/inc/kaxRemote.dll
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://betaimg.sling.com/sli/sling_player_ax/WebSlingPlayer.cab?1.1.0.50
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist express customer\209\g2ax_winlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\mo2ofwud.default\
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npo3dautoplugin.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
.
============= SERVICES / DRIVERS ===============
.
R2 KANTWSLS97633079044361;Kaseya Agent;c:\program files\kaseya\agent\AgentMon.exe [2010-2-4 745472]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2009-11-6 91392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 easytether;easytether;c:\windows\system32\drivers\easytthr.sys [2010-10-14 17232]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2010-2-4 16384]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2010-3-24 25856]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-7-1 69692]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\citrix\gotoassist express customer\209\g2ax_service.exe [2010-2-4 161144]
.
=============== File Associations ===============
.
txtfile=c:\docume~1\owner\mydocu~1\paints~1\PSP.EXE %1
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
============= FINISH: 13:48:04.29 ===============

I forgot to mention that I did run Malwarebytes after the issue and some items were removed, but whenever I run Malwarebytes it finds around 90 items each and every time. They never get removed.

Thanks for any help

EDIT: Posts merged ~Budapest

Attached Files


Edited by Budapest, 17 May 2011 - 04:34 PM.



#2 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:41 AM

Posted 27 May 2011 - 08:52 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 rgn2000

rgn2000
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:41 AM

Posted 31 May 2011 - 10:42 AM

I was on vacation and I just got back. I will get on this ASAP. My computer was not used since I posted. Can the above files and logs be used still?

Thanks

#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:41 AM

Posted 01 June 2011 - 08:47 AM

Hi rgn2000,

Welcome to BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, I will be helping you to deal with your Malware problems today.

Step 1

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\TDSSKiller folder). Please copy and paste the contents of that file here.


Step 2

  • Please download OTL and save it to your desktop.
  • Double click on the icon on your desktop.
  • Under the Standard Registry box change it to All
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste the following bolded text:


    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    volsnap.sys
    /md5stop
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    C:\program files\common files\data\* /s
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    C:\Documents and Settings\mhumphrey\Desktop\*.* /s

  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  • Copy and paste both logs back here in your next reply.


In your next reply, please post back:

1. TDSSKiller log
2. OTListIt.txt and Extra.txt

Thanks

#5 rgn2000

rgn2000
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:41 AM

Posted 01 June 2011 - 03:33 PM

TDSSKiller did not find anything and here is the log


2011/06/01 16:19:00.0863 4544 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
2011/06/01 16:19:01.0332 4544 ================================================================================
2011/06/01 16:19:01.0332 4544 SystemInfo:
2011/06/01 16:19:01.0332 4544
2011/06/01 16:19:01.0332 4544 OS Version: 5.1.2600 ServicePack: 2.0
2011/06/01 16:19:01.0332 4544 Product type: Workstation
2011/06/01 16:19:01.0332 4544 ComputerName: NEW8
2011/06/01 16:19:01.0332 4544 UserName: Owner
2011/06/01 16:19:01.0332 4544 Windows directory: C:\WINDOWS
2011/06/01 16:19:01.0332 4544 System windows directory: C:\WINDOWS
2011/06/01 16:19:01.0332 4544 Processor architecture: Intel x86
2011/06/01 16:19:01.0332 4544 Number of processors: 1
2011/06/01 16:19:01.0332 4544 Page size: 0x1000
2011/06/01 16:19:01.0332 4544 Boot type: Normal boot
2011/06/01 16:19:01.0332 4544 ================================================================================
2011/06/01 16:19:01.0832 4544 Initialize success
2011/06/01 16:19:14.0504 6000 ================================================================================
2011/06/01 16:19:14.0504 6000 Scan started
2011/06/01 16:19:14.0504 6000 Mode: Manual;
2011/06/01 16:19:14.0504 6000 ================================================================================
2011/06/01 16:19:20.0160 6000 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/06/01 16:19:20.0332 6000 nv (eb2858f920b8135b807b5ccaa3ed73dc) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/06/01 16:19:20.0519 6000 NVENETFD (0ae6258709d58fb53638e8d28f4480d4) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/06/01 16:19:20.0597 6000 nvgts (fa740e97a0fe36e368c2299d9f3c01c1) C:\WINDOWS\system32\DRIVERS\NVGTS.SYS
2011/06/01 16:19:20.0660 6000 nvnetbus (1296b33c223a58485d5eaa779752216a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/06/01 16:19:20.0722 6000 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/06/01 16:19:20.0738 6000 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/06/01 16:19:20.0754 6000 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/06/01 16:19:20.0816 6000 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/06/01 16:19:20.0832 6000 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/06/01 16:19:20.0847 6000 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/06/01 16:19:20.0863 6000 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/06/01 16:19:20.0894 6000 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/06/01 16:19:20.0926 6000 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/06/01 16:19:21.0004 6000 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/06/01 16:19:21.0019 6000 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/06/01 16:19:21.0097 6000 Point32 (e5582e43e167cf367757d81e9727da2a) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/06/01 16:19:21.0129 6000 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/06/01 16:19:21.0144 6000 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/06/01 16:19:21.0176 6000 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/06/01 16:19:21.0191 6000 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/06/01 16:19:21.0238 6000 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/06/01 16:19:21.0254 6000 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/06/01 16:19:21.0269 6000 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/06/01 16:19:21.0316 6000 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/06/01 16:19:21.0332 6000 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/06/01 16:19:21.0347 6000 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/06/01 16:19:21.0379 6000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/06/01 16:19:21.0426 6000 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/06/01 16:19:21.0472 6000 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/06/01 16:19:21.0488 6000 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/06/01 16:19:21.0504 6000 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/06/01 16:19:21.0566 6000 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/06/01 16:19:21.0597 6000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/06/01 16:19:21.0629 6000 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/06/01 16:19:21.0660 6000 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/06/01 16:19:21.0722 6000 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/06/01 16:19:21.0785 6000 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/06/01 16:19:21.0847 6000 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/06/01 16:19:21.0894 6000 Serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/06/01 16:19:21.0926 6000 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/06/01 16:19:21.0957 6000 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/06/01 16:19:22.0035 6000 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/06/01 16:19:22.0066 6000 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/06/01 16:19:22.0129 6000 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2011/06/01 16:19:22.0160 6000 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/01 16:19:22.0191 6000 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/06/01 16:19:22.0254 6000 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/06/01 16:19:22.0301 6000 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/06/01 16:19:22.0332 6000 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/06/01 16:19:22.0363 6000 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/06/01 16:19:22.0410 6000 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/06/01 16:19:22.0426 6000 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/06/01 16:19:22.0488 6000 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/06/01 16:19:22.0597 6000 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/01 16:19:22.0660 6000 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/06/01 16:19:22.0676 6000 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/06/01 16:19:22.0722 6000 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/06/01 16:19:22.0754 6000 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/06/01 16:19:22.0816 6000 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/01 16:19:22.0832 6000 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/06/01 16:19:22.0894 6000 Update (7b2170ee3d858ce8fbe503904cc9b663) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/01 16:19:22.0972 6000 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/06/01 16:19:23.0004 6000 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/01 16:19:23.0019 6000 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/01 16:19:23.0082 6000 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/06/01 16:19:23.0144 6000 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/06/01 16:19:23.0207 6000 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/06/01 16:19:23.0269 6000 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/06/01 16:19:23.0301 6000 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/01 16:19:23.0332 6000 usb_rndisx (ae4df3b7d1db9373b08db4ed224e26b6) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
2011/06/01 16:19:23.0363 6000 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/06/01 16:19:23.0394 6000 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/06/01 16:19:23.0410 6000 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/06/01 16:19:23.0426 6000 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/01 16:19:23.0472 6000 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/01 16:19:23.0535 6000 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/06/01 16:19:23.0629 6000 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/06/01 16:19:23.0707 6000 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/01 16:19:23.0785 6000 winachsf (cb2dc26de2c815fc2309566f92d22ed4) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/06/01 16:19:23.0894 6000 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/06/01 16:19:23.0972 6000 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/06/01 16:19:23.0988 6000 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/06/01 16:19:24.0051 6000 MBR (0x1B8) (b20939cd98b7710036274839082ae757) \Device\Harddisk0\DR0
2011/06/01 16:19:24.0066 6000 ================================================================================
2011/06/01 16:19:24.0066 6000 Scan finished
2011/06/01 16:19:24.0066 6000 ================================================================================
2011/06/01 16:19:24.0082 5112 Detected object count: 0
2011/06/01 16:19:24.0082 5112 Actual detected object count: 0
2011/06/01 16:19:33.0566 5456 Deinitialize success


The OTL log is as follows:


OTL logfile created on: 6/1/2011 4:20:54 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

895.48 Mb Total Physical Memory | 411.02 Mb Available Physical Memory | 45.90% Memory free
2.12 Gb Paging File | 1.46 Gb Available in Paging File | 68.81% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.95 Gb Total Space | 89.95 Gb Free Space | 62.49% Space Free | Partition Type: NTFS
Drive D: | 5.08 Gb Total Space | 2.65 Gb Free Space | 52.20% Space Free | Partition Type: FAT32

Computer Name: NEW8 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/01 16:17:20 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
PRC - [2011/05/20 01:54:14 | 001,010,232 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/04/25 10:15:18 | 000,140,952 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.53\GoogleCrashHandler.exe
PRC - [2011/04/08 08:50:02 | 000,542,264 | ---- | M] (Google) -- C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
PRC - [2011/03/21 14:56:16 | 001,230,704 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/09/16 17:29:54 | 000,745,472 | ---- | M] (Kaseya International Limited) -- C:\Program Files\Kaseya\Agent\AgentMon.exe
PRC - [2010/09/15 20:19:10 | 000,323,584 | ---- | M] (Kaseya International Limited) -- C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
PRC - [2010/08/29 20:32:06 | 000,047,432 | ---- | M] (Mobile Stream) -- C:\Program Files\Mobile Stream\EasyTether\easytthr.exe
PRC - [2010/07/08 09:28:56 | 000,815,704 | ---- | M] (GlavSoft LLC.) -- C:\Program Files\TightVNC\tvnserver.exe
PRC - [2010/02/02 17:31:56 | 000,279,296 | ---- | M] (Motorola) -- C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
PRC - [2010/01/27 11:37:22 | 000,091,392 | ---- | M] () -- C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
PRC - [2008/04/25 13:48:13 | 000,026,112 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe
PRC - [2007/11/09 23:51:19 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/05/12 01:32:48 | 000,086,016 | ---- | M] (High Criteria inc.) -- C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
PRC - [2004/08/04 15:00:00 | 000,419,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ntvdm.exe
PRC - [2004/04/21 12:16:02 | 001,434,848 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\acsd.exe
PRC - [2003/01/10 17:13:04 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
PRC - [2000/11/28 05:10:00 | 000,691,712 | ---- | M] () -- C:\Program Files\IBM\Client Access\Emulator\pcsws.exe
PRC - [2000/11/28 05:10:00 | 000,061,440 | ---- | M] (IBM Corporation) -- C:\Program Files\IBM\Client Access\cwblmsrv.exe
PRC - [2000/11/28 05:10:00 | 000,016,384 | ---- | M] () -- C:\Program Files\IBM\Client Access\Emulator\pcscm.exe


========== Modules (SafeList) ==========

MOD - [2011/06/01 16:17:20 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/09/16 17:29:54 | 000,745,472 | ---- | M] (Kaseya International Limited) [Auto | Running] -- C:\Program Files\Kaseya\Agent\AgentMon.exe -- (KANTWSLS97633079044361)
SRV - [2010/07/08 09:28:56 | 000,815,704 | ---- | M] (GlavSoft LLC.) [Auto | Running] -- C:\Program Files\TightVNC\tvnserver.exe -- (tvnserver)
SRV - [2010/02/04 18:01:10 | 000,161,144 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe -- (GoToAssist Express Customer)
SRV - [2010/01/27 11:37:22 | 000,091,392 | ---- | M] () [Auto | Running] -- C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe -- (MotoConnect Service)
SRV - [2009/10/20 14:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/11/09 23:51:19 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)
SRV - [2007/08/29 17:58:47 | 000,181,800 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2004/04/21 12:16:02 | 001,434,848 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\acsd.exe -- (AOL ACS)
SRV - [2003/01/10 17:13:04 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)
SRV - [2000/11/28 05:10:00 | 000,053,248 | ---- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\WINDOWS\cwbrxd.exe -- (Cwbrxd)


========== Driver Services (SafeList) ==========

DRV - [2010/08/29 18:18:06 | 000,017,232 | ---- | M] (Mobile Stream) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\easytthr.sys -- (easytether)
DRV - [2010/08/12 11:41:32 | 000,016,384 | ---- | M] (Kaseya) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\KaPFA.sys -- (KAPFA)
DRV - [2009/10/20 14:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/07/10 13:01:06 | 000,025,856 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motoandroid.sys -- (androidusb)
DRV - [2008/04/25 13:48:16 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2007/10/02 05:32:14 | 004,613,120 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/08/08 23:11:00 | 000,102,400 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\NVGTS.SYS -- (nvgts)
DRV - [2006/11/27 05:33:54 | 000,019,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/11/27 05:33:50 | 000,058,368 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/07/18 18:16:08 | 000,990,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/07/18 18:15:18 | 000,256,128 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2006/07/18 18:15:10 | 000,728,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/01/10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/07/17 08:53:02 | 000,016,877 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2002/02/27 15:08:04 | 000,128,380 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2001/08/17 22:10:58 | 000,069,692 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\el575ND5.sys -- (el575nd5)
DRV - [2001/08/17 17:51:32 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3644
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:3694

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=W3644
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:3694



IE - HKU\S-1-5-21-3472327337-80713695-766477851-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3472327337-80713695-766477851-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3472327337-80713695-766477851-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.1.94
FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.1.94

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/08/04 10:14:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/03/21 09:49:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/03/21 09:49:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/02/04 16:16:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/02/09 17:32:30 | 000,000,000 | ---D | M]

[2010/10/13 13:12:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2011/05/09 11:57:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mo2ofwud.default\extensions
[2011/02/04 16:18:36 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mo2ofwud.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/05/09 11:57:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/02/09 17:32:31 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/28 11:33:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/03/21 09:49:16 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\HTML5VIDEO
[2011/03/21 09:49:17 | 000,000,000 | ---D | M] (DivX HiQ) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\WPA
[2010/06/30 16:01:11 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/06/29 13:24:32 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-3472327337-80713695-766477851-1003\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [\\new5\EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Adobe ARM] File not found
O4 - HKLM..\Run: [Client Access Check Version] C:\Program Files\IBM\Client Access\cwbckver.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Express Welcome] C:\Program Files\IBM\Client Access\cwbwlwiz.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Help Update] C:\Program Files\IBM\Client Access\cwbinhlp.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Service] C:\Program Files\IBM\Client Access\cwbsvstr.exe (IBM Corporation)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [KASHNTWSLS97633079044361] C:\Program Files\Kaseya\Agent\KaUsrTsk.exe (Kaseya International Limited)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe (High Criteria inc.)
O4 - HKLM..\Run: [tvncontrol] C:\Program Files\TightVNC\tvnserver.exe (GlavSoft LLC.)
O4 - HKU\S-1-5-21-3472327337-80713695-766477851-1003..\Run: [Corel Photo Downloader] File not found
O4 - HKU\S-1-5-21-3472327337-80713695-766477851-1003..\Run: [EasyTether] C:\Program Files\Mobile Stream\EasyTether\easytthr.exe (Mobile Stream)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3472327337-80713695-766477851-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3472327337-80713695-766477851-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3472327337-80713695-766477851-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3472327337-80713695-766477851-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\RSLSP.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\RSLSP.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\System32\RSLSP.dll ()
O15 - HKU\S-1-5-21-3472327337-80713695-766477851-1003\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {172826E5-EC1B-402E-9782-02E3D087E008} https://skyfex.com/download/sf_skyfex.com-download_instmodule.exe (SkyFex Remote Desktop (Internet Explorer Add-on))
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab (DDRevision Class)
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} http://24.187.204.218:2020/inc/kaxRemote.dll (kasRmtHlp Class)
O16 - DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} http://betaimg.sling.com/sli/sling_player_ax/WebSlingPlayer.cab?1.1.0.50 (WebSlingPlayer)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.92.226.11 24.92.226.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist Express Customer: DllName - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/06 20:38:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/08/08 17:24:26 | 000,000,045 | -HS- | M] () - D:\autorun.inf.aug.8 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/19 14:18:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\TightVNC
[2011/05/17 15:20:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2011/05/17 15:20:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager
[2011/05/17 15:20:06 | 000,000,000 | ---D | C] -- C:\Program Files\Security Task Manager
[2011/05/17 13:04:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\TightVNC
[2011/05/17 13:01:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\TightVNC
[2011/05/17 13:01:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TightVNC
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/01 16:20:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3472327337-80713695-766477851-1003UA.job
[2011/06/01 10:20:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3472327337-80713695-766477851-1003Core.job
[2011/05/31 16:15:11 | 000,000,295 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Fancy Price Sheets.lnk
[2011/05/27 02:20:54 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk
[2011/05/27 02:20:54 | 000,002,262 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/05/19 14:21:01 | 000,001,757 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Converter.lnk
[2011/05/19 14:21:01 | 000,001,447 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\DivX Movies.lnk
[2011/05/19 14:19:43 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Excel 2007.lnk
[2011/05/19 14:18:52 | 000,081,496 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/05/19 14:18:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/18 11:10:56 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Word 2007.lnk
[2011/05/17 11:46:40 | 000,001,130 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\Default.rdp
[2011/05/16 13:46:40 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/05/16 08:10:24 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Outlook 2007.lnk
[2011/05/10 14:59:06 | 000,002,519 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Jasc Paint Shop Pro 8.lnk
[2011/05/10 14:07:33 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/10 09:34:48 | 000,000,676 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Alt.Binz.lnk
[2011/05/06 08:03:46 | 000,001,394 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Calendar.lnk
[2011/05/06 08:03:45 | 000,001,845 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/17 11:46:04 | 000,001,130 | -H-- | C] () -- C:\Documents and Settings\Owner\My Documents\Default.rdp
[2011/05/16 13:46:40 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/11/24 20:26:22 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\67698D0DC3.sys
[2010/11/24 20:26:21 | 000,005,642 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/11/24 14:14:06 | 001,085,352 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/09/02 13:10:21 | 000,000,120 | ---- | C] () -- C:\WINDOWS\System32\RSLSP.ini
[2010/09/02 09:27:03 | 000,372,736 | ---- | C] () -- C:\WINDOWS\System32\RSLSP.dll
[2010/08/04 10:13:59 | 000,023,085 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2010/07/06 15:56:13 | 000,010,376 | ---- | C] () -- C:\WINDOWS\hpwscr10.dat
[2010/07/06 15:56:13 | 000,001,042 | ---- | C] () -- C:\WINDOWS\hpwmdl10.dat
[2010/06/24 13:18:01 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/16 16:36:16 | 000,135,702 | ---- | C] () -- C:\WINDOWS\hpwins10.dat.temp
[2010/06/16 16:36:16 | 000,001,042 | ---- | C] () -- C:\WINDOWS\hpwmdl10.dat.temp
[2010/06/09 14:37:56 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\wjwab.dll
[2010/06/02 03:07:59 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\gklupx.dat
[2010/01/06 12:30:30 | 012,312,576 | ---- | C] () -- C:\WINDOWS\System32\ffmpeg.exe
[2010/01/06 12:30:30 | 000,038,705 | ---- | C] () -- C:\WINDOWS\System32\yamdi.exe
[2009/11/04 15:54:54 | 000,012,998 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Comma Separated Values (DOS).CAL
[2009/10/20 14:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2009/10/19 14:07:07 | 000,038,477 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Comma Separated Values (DOS).ADR
[2009/06/18 13:00:26 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2009/04/07 10:32:49 | 000,136,298 | ---- | C] () -- C:\WINDOWS\hpwins10.dat
[2009/04/02 13:11:26 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/11/07 17:17:14 | 000,139,686 | ---- | C] () -- C:\WINDOWS\hpoins15.dat
[2008/11/07 17:17:14 | 000,001,039 | ---- | C] () -- C:\WINDOWS\hpomdl15.dat
[2008/08/07 14:46:13 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2008/08/07 14:45:48 | 000,000,049 | ---- | C] () -- C:\WINDOWS\EPSONC88.ini
[2008/05/09 09:09:55 | 000,000,251 | ---- | C] () -- C:\WINDOWS\System32\drivers\hlldrvr.sys
[2008/05/09 09:09:22 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\qxdaedrs.dll
[2008/05/09 09:09:22 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\cwbwiz.dll
[2008/05/09 09:09:21 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\cwbrw.dll
[2008/04/30 09:27:13 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/25 16:07:43 | 000,002,328 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2008/04/25 13:49:24 | 000,000,715 | ---- | C] () -- C:\WINDOWS\aolback.exe.lnk
[2008/04/25 13:40:28 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/04/23 14:33:25 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\$_hpcst$.hpc
[2008/04/23 11:58:47 | 000,000,096 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/04/23 11:58:22 | 000,157,184 | ---- | C] () -- C:\WINDOWS\UNCEN32.EXE
[2008/04/23 11:58:22 | 000,000,234 | ---- | C] () -- C:\WINDOWS\supertcp.ini
[2008/04/23 11:58:09 | 000,000,438 | ---- | C] () -- C:\WINDOWS\marathon.ini
[2008/04/23 11:55:48 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/09 23:59:20 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2007/11/09 19:38:37 | 001,622,016 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2007/11/09 19:38:35 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/11/09 19:38:35 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/11/09 19:38:33 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/11/09 19:38:32 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/11/09 19:38:30 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/11/09 19:38:30 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/11/09 19:38:29 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2007/11/09 19:38:23 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2007/11/09 19:38:23 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2007/11/09 19:38:21 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2007/08/06 12:07:30 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2006/07/31 01:59:36 | 000,000,338 | ---- | C] () -- C:\WINDOWS\scrub2k.ini
[2006/07/31 01:59:34 | 000,065,536 | ---- | C] () -- C:\WINDOWS\scrub2k.exe
[2006/07/01 02:01:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/07/01 01:30:45 | 000,352,256 | ---- | C] () -- C:\WINDOWS\System32\HotlineClient.exe
[2006/05/06 20:40:51 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/05/06 20:36:21 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/05/06 20:24:27 | 000,001,364 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/05/06 20:24:27 | 000,000,456 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2006/05/06 20:24:14 | 000,441,646 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/05/06 20:24:14 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/05/06 20:24:14 | 000,065,984 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/05/06 20:24:14 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/05/06 20:24:14 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/05/06 20:24:13 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/05/06 20:24:13 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/05/06 20:24:13 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/05/06 20:24:13 | 000,005,151 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/05/06 20:24:13 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2006/05/06 20:24:08 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/05/06 20:24:07 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2006/05/06 13:31:05 | 000,004,395 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/05/06 13:30:06 | 000,282,928 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== LOP Check ==========

[2010/06/10 16:31:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/12/30 12:16:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo
[2011/04/03 15:01:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/08/12 11:37:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MediaMonkey
[2010/01/13 16:56:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NetZero
[2011/05/17 15:28:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2009/07/23 11:48:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sling Media
[2011/02/01 14:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2008/04/25 13:48:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/11/10 00:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2008/08/19 17:14:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2007/11/10 00:11:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\SampleView
[2007/11/20 18:50:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Spare Backup
[2011/05/19 14:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\TightVNC
[2011/05/17 13:01:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\TightVNC
[2009/12/30 12:17:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Ashampoo
[2010/07/23 14:42:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\BitZipper
[2010/01/25 16:48:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\com.motionbox.MotionboxExpressUploader.6D01B31508AA1E9EAB7D1A1FC910295582116A87.1
[2011/03/21 09:50:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DDMSettings
[2011/05/13 11:58:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FileZilla
[2010/06/10 17:08:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FreeFixer
[2010/08/11 16:23:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mp3tag
[2007/11/10 00:11:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2009/07/23 11:48:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sling Media
[2008/06/19 14:59:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Spare Backup
[2008/04/25 16:07:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2011/05/17 13:04:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\TightVNC
[2011/02/18 14:15:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\vbssol
[2010/03/12 14:46:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\VBS_Solutions_Inc

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
[2007/06/13 07:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\explorer.exe
[2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\system32\dllcache\explorer.exe
[2004/08/04 15:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe
[2004/08/04 15:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2004/08/04 15:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 15:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2004/08/04 15:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe

< MD5 for: VOLSNAP.SYS >
[2008/04/13 14:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\volsnap.sys
[2004/08/04 15:00:00 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\WINDOWS\system32\drivers\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2004/08/04 15:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2004/08/04 15:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\winlogon.exe
[2010/03/29 18:28:18 | 000,056,320 | ---- | M] (Malwarebytes Corporation) MD5=193F2FE0DBA293F70B0A182C103A43F1 -- C:\Program Files\Malwarebytes' Anti-Malware\mbam-installer\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe

< %ALLUSERSPROFILE%\Application Data\*. >
[2010/03/11 13:15:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2010/06/10 16:31:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2008/06/30 07:54:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2008/06/30 07:54:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL Downloads
[2009/02/01 12:14:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL OCP
[2010/11/24 14:37:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/12/30 12:16:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo
[2011/04/03 15:01:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/01/08 10:29:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2011/05/19 14:21:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DivX
[2008/04/23 11:50:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/04/07 10:36:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
[2010/07/06 16:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HP
[2008/11/07 17:22:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
[2010/05/27 12:45:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/08/12 11:37:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MediaMonkey
[2010/07/21 15:55:27 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2011/01/18 16:48:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2008/06/09 10:17:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
[2010/01/13 16:56:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NetZero
[2006/06/30 22:56:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Prism Deploy
[2008/04/25 13:48:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2011/05/17 15:28:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2009/07/23 11:48:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sling Media
[2010/06/30 16:01:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sun
[2008/05/15 10:32:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2011/02/01 14:28:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2008/04/25 13:48:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/11/10 00:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2007/11/09 23:53:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2008/08/19 17:14:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/06/10 12:34:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2006/04/06 11:49:44 | 000,025,088 | ---- | M] (America Online, Inc.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\TOD4071\eestart.exe
[2007/06/08 17:01:46 | 000,054,832 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\TOD4071\ocpgc.exe
[2007/07/23 15:58:40 | 002,223,544 | ---- | M] (AOL LLC) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\TOD4071\ocpinst.exe
[2006/04/06 11:49:46 | 000,033,896 | ---- | M] (America Online, Inc.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\TOD4071\postproc.exe
[2007/05/09 11:30:26 | 000,098,304 | ---- | M] (America Online, Inc.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\TOD4071\regwrite.exe
[2006/04/06 11:49:46 | 000,156,264 | ---- | M] (America Online, Inc.) -- C:\Documents and Settings\All Users\Application Data\AOL Downloads\TOD4071\setup.exe
[2008/04/25 13:54:32 | 000,010,752 | ---- | M] (America Online, Inc.) -- C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\OptScan.exe
[2010/10/13 15:38:59 | 000,056,969 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
[2011/03/21 09:48:30 | 000,057,591 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
[2011/03/21 09:48:33 | 000,054,128 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
[2011/03/21 09:48:37 | 000,054,153 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
[2010/10/13 15:39:25 | 000,056,458 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
[2011/05/19 14:21:01 | 000,064,957 | ---- | M] (DivX, LLC) -- C:\Documents and Settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
[2011/05/19 14:20:57 | 000,062,879 | ---- | M] (DivX, LLC) -- C:\Documents and Settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
[2010/10/13 15:39:26 | 000,057,532 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
[2010/10/13 15:39:28 | 000,054,166 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
[2011/05/19 14:20:58 | 000,057,037 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
[2010/10/13 15:39:29 | 000,054,101 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
[2010/10/13 15:39:12 | 000,052,963 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
[2011/05/19 14:20:57 | 000,063,228 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\OVSHelper\Uninstaller.exe
[2011/03/21 09:49:11 | 000,057,736 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\Player\Uninstaller.exe
[2010/10/13 15:39:05 | 000,054,073 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
[2010/10/13 15:42:43 | 000,144,696 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
[2011/05/19 14:19:37 | 000,915,808 | ---- | M] (DivX, LLC) -- C:\Documents and Settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
[2010/10/13 15:39:42 | 000,054,644 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
[2010/10/13 15:40:07 | 000,084,038 | ---- | M] (DivX, Inc.) -- C:\Documents and Settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
[2011/05/19 14:21:00 | 000,061,792 | ---- | M] (DivX, LLC) -- C:\Documents and Settings\All Users\Application Data\DivX\Update\Uninstaller.exe
[2011/03/21 09:49:21 | 000,066,536 | ---- | M] (DivX, LLC) -- C:\Documents and Settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
[2011/05/15 14:43:02 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
[2009/06/12 11:41:32 | 000,306,440 | ---- | M] (Sling Media Inc.) -- C:\Documents and Settings\All Users\Application Data\Sling Media\WebSlingPlayer\{C255ABB4-441B-4F53-9469-445B465CDA8B}\WBSPIESetup.exe
[2007/09/11 19:29:28 | 003,709,200 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\WildTangent\oem-eula.exe

< %APPDATA%\*. >
[2010/01/25 16:47:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Adobe
[2009/12/30 12:17:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Ashampoo
[2010/07/23 14:42:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\BitZipper
[2010/01/25 16:48:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\com.motionbox.MotionboxExpressUploader.6D01B31508AA1E9EAB7D1A1FC910295582116A87.1
[2011/02/01 14:45:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Corel
[2009/01/08 10:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\CyberLink
[2011/03/21 09:50:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DDMSettings
[2010/10/13 15:44:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DivX
[2011/05/13 11:58:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FileZilla
[2010/06/10 17:08:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FreeFixer
[2010/05/03 14:00:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Google
[2008/04/26 12:28:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Help
[2010/07/06 16:07:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\HP
[2010/08/04 10:22:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\HPAppData
[2010/08/10 19:24:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\HpUpdate
[2006/05/06 20:42:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Identities
[2009/05/26 14:54:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Jasc Software Inc
[2008/04/24 11:48:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Macromedia
[2010/05/27 13:49:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2009/12/31 13:13:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Owner\Application Data\Microsoft
[2010/08/04 10:17:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\mIRC
[2008/06/09 10:38:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Motive
[2009/06/18 13:22:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Move Networks
[2010/10/13 13:12:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2010/08/11 16:23:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mp3tag
[2007/11/10 00:11:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2009/07/23 11:48:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sling Media
[2008/06/19 14:59:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Spare Backup
[2007/11/10 00:06:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Sun
[2007/11/10 00:13:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Symantec
[2009/01/14 18:15:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Syntrillium
[2008/04/25 16:07:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2011/05/17 13:04:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\TightVNC
[2011/02/18 14:15:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\vbssol
[2010/03/12 14:46:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\VBS_Solutions_Inc
[2010/06/10 12:34:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Yahoo!

< %APPDATA%\*.exe /s >
[2009/10/12 08:25:46 | 000,303,104 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Google\O3D\reporter.exe
[2007/11/09 23:59:27 | 000,010,134 | R--- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
[2007/11/09 23:59:28 | 000,045,056 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
[2007/11/09 23:59:28 | 000,045,056 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
[2007/11/09 23:59:28 | 000,049,152 | R--- | M] (InstallShield Software Corp.) -- C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
[2010/06/16 15:57:32 | 000,010,134 | R--- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
[2009/10/19 16:37:51 | 000,149,358 | R--- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{DEE43217-9B84-4204-AE98-27BAA14EFF5C}\_6FEFF9B68218417F98F549.exe
[2009/10/19 16:37:52 | 000,149,358 | R--- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{DEE43217-9B84-4204-AE98-27BAA14EFF5C}\_7B0954E2BB75AD5AD82540.exe
[2007/11/10 00:27:20 | 000,010,134 | R--- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}\ARPPRODUCTICON.exe
[2009/03/09 13:29:40 | 000,097,144 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
[2009/06/17 16:33:46 | 000,034,062 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\Uninst.exe
[2010/07/26 11:29:49 | 000,053,248 | ---- | M] (JDesktop Integration Components (JDIC) Project) -- C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\38\4a158b26-120d83fb-n\IeEmbed.exe
[2010/07/26 11:29:49 | 000,188,416 | ---- | M] (JDesktop Integration Components (JDIC) Project) -- C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\38\4a158b26-120d83fb-n\MozEmbed.exe

< %SYSTEMDRIVE%\*.exe >
[2010/06/10 12:46:02 | 006,216,032 | ---- | M] (Microsoft Corporation) -- C:\windowsupdateagent30-x86.exe
[2010/06/10 12:48:28 | 001,266,056 | ---- | M] (Microsoft Corporation) -- C:\WindowsXP-KB927891.exe

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/11/21 00:06:36 | 001,194,848 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\FM20.DLL
[2004/08/04 15:00:00 | 000,068,768 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\mmsystem.dll
[2004/08/04 15:00:00 | 000,005,120 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\shell.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< C:\program files\common files\data\* /s >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/05/06 13:29:39 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/05/06 13:29:39 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/05/06 13:29:39 | 000,884,736 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

< C:\Documents and Settings\mhumphrey\Desktop\*.* /s >

< End of report >

#6 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 01 June 2011 - 04:28 PM

Hi rgn2000,



"but whenever I run Malwarebytes it finds around 90 items each and every time. They never get removed."

Please run MBAM again. Update the virus definitions before proceeding and post the log in your next reply.

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:3694

Did you set up the proxy server yourself? Advise me in your next reply.


Let me know what symptoms you're still experiencing now.

#7 rgn2000

  • Topic Starter
  • Members
  • 17 posts

Posted 03 June 2011 - 03:14 PM

I don't know anything about the proxy. I know I connect to a VPN, but I don't recognize the IP.

Malwarebytes found the usual 89 items. They always appear right at the end of the scan. They're supposed to be cleaned up, but they are always there.

Here is the log:


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6766

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

6/3/2011 4:12:23 PM
mbam-log-2011-06-03 (16-12-23).txt

Scan type: Quick scan
Objects scanned: 153520
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 89

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\antav\av.exe (Worm.Flooder) -> Delete on reboot.
c:\documents and settings\all users\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\local settings\temp\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\local settings\temp\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\temp\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\local settings\temp\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\local settings\temp\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\windows\temp\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\local settings\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\documents and settings\localservice\local settings\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\documents and settings\owner\local settings\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\windows\system32\config\systemprofile\local settings\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\windows\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\documents and settings\administrator\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\local settings\application data\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\local settings\application data\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\templates\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\templates\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\templates\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\templates\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\templates\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\templates\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\windows\system32\avi\av.exe (Backdoor.Bifrose) -> Delete on reboot.
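As an added triage aid (example code written for this page; it is not part of the original post and not Malwarebytes' own code): the 89 "Files Infected" entries above repeat just two file names, av.exe and ave.exe, dropped into the same sub-folders of every profile directory on the machine, and every one is marked "Delete on reboot" on every scan. The script below parses lines in that format, collapses them by file name, profile and detection name, and reports which of the listed paths actually exist on the host it runs on. The sample lines are a constructed subset of the log above; the injectable `exists` callback is an assumption added so the check can also be run offline against a log copied from another machine.

```python
"""Triage helper for a Malwarebytes 'Files Infected' listing.

Added example, not part of the original thread or of Malwarebytes. It parses
lines of the form '<path> (<detection>) -> <action>.' and collapses them so a
reader can see how many distinct file names and profiles a long hit list really
covers, then checks which reported paths are present on disk.
"""
import ntpath
import os
import re
from collections import Counter

# Constructed sample: a subset of the 89 lines from the log above.
SAMPLE_LOG = r"""
c:\windows\system32\antav\av.exe (Worm.Flooder) -> Delete on reboot.
c:\documents and settings\all users\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\local settings\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\documents and settings\administrator\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\windows\system32\avi\av.exe (Backdoor.Bifrose) -> Delete on reboot.
"""

# '<path> (<detection>) -> <action>.'  The path is matched lazily up to the
# first ' (' that is followed by a detection name and ' -> '.
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# XP profile layout: c:\documents and settings\<profile>\...
PROFILE_RE = re.compile(r"^c:\\documents and settings\\([^\\]+)\\")


def parse_mbam_lines(text):
    """Return one dict {path, detection, action} per line that matches MBAM's format."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def profile_of(path):
    """Name the user profile a path sits under; the SYSTEM profile and bare
    \\windows paths are labelled separately."""
    p = path.lower()
    m = PROFILE_RE.match(p)
    if m:
        return m.group(1)
    if "\\system32\\config\\systemprofile\\" in p:
        return "systemprofile"
    return "(system)"


def summarize(records):
    """Count hits by file name, by profile, by detection name and by action."""
    return {
        "by_name": Counter(ntpath.basename(r["path"]).lower() for r in records),
        "by_profile": Counter(profile_of(r["path"]) for r in records),
        "by_detection": Counter(r["detection"] for r in records),
        "actions": Counter(r["action"] for r in records),
    }


def check_on_disk(records, exists=os.path.exists):
    """Return {path: present}. Pass a custom `exists` (assumed helper for the
    demo) to evaluate a log that came from another machine."""
    return {r["path"]: bool(exists(r["path"])) for r in records}


if __name__ == "__main__":
    recs = parse_mbam_lines(SAMPLE_LOG)
    s = summarize(recs)
    print(f"{len(recs)} hits, {len(s['by_name'])} distinct file names: {dict(s['by_name'])}")
    print("profiles touched:", dict(s["by_profile"]))
    print("detections:", dict(s["by_detection"]))
    # On the machine that produced the log, the default `exists` does a real check.
    missing = [p for p, present in check_on_disk(recs).items() if not present]
    print(f"{len(missing)} of {len(recs)} reported paths are not present on this host")
```

Run it on the infected machine with the full log pasted into SAMPLE_LOG (or read from the mbam-log file) and the last line tells you whether the files that keep being reported are really on disk at scan time; a hit list that never shrinks is either being recreated before each scan or never deleted, and those two cases call for different next steps.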

#8 sundavis

  • Malware Response Team
  • 2,708 posts

Posted 03 June 2011 - 04:37 PM

Hi rgn2000,




Please download the fix.reg (attached file) to your desktop. Double-click it and an information box will pop up asking if you want to merge the information in the file into the registry; click Yes.



Step1

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
Folder::
C:\Windows\System32\antav
C:\Windows\System32\HideFyles
C:\Windows\System32\HidesFileLogs
C:\Windows\System32\SITE

Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note:If you can't run Combofix, please delete that copy from your desktop and redownload it again. Please rename it to bdean.exe before downloading it to your desktop. Thanks.




Step2

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    ave.exe
    av.exe
    :filefind
    *ave.exe*
    *av.exe*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



In your next reply, please post back:


1. ComboFix log
2. SystemLook log

Let me know if you have any remaining issues on your pc.

Attached Files

  • Attached File: fix.reg (319 bytes)

Edited by sundavis, 03 June 2011 - 05:01 PM.


#9 rgn2000

  • Topic Starter
  • Members
  • 17 posts

Posted 06 June 2011 - 03:49 PM

First off, I just figured out about that proxy server. It was something I used for a program called Stationripper for ripping MP3s off of Slacker/Pandora. No big deal.

Here are the logs:

ComboFix.txt


ComboFix 11-06-06.02 - Owner 06/06/2011 16:36:06.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.524 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\SecTaskMan\_entreelist.dll
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
G:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-05-06 to 2011-06-06 )))))))))))))))))))))))))))))))
.
.
2011-05-19 18:19 . 2011-06-03 23:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-19 18:18 . 2011-05-19 18:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\TightVNC
2011-05-17 19:20 . 2011-06-06 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2011-05-17 19:20 . 2011-05-17 19:20 -------- d-----w- c:\program files\Security Task Manager
2011-05-17 17:04 . 2011-05-17 17:04 -------- d-----w- c:\documents and settings\Owner\Application Data\TightVNC
2011-05-17 17:01 . 2011-05-17 17:01 -------- d-----w- c:\documents and settings\NetworkService\Application Data\TightVNC
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2010-05-27 16:45 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-05-27 16:45 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyTether"="c:\program files\Mobile Stream\EasyTether\easytthr.exe" [2010-08-30 47432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 16844800]
"SkyTel"="SkyTel.EXE" [2007-08-03 1826816]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 58928]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2008-04-25 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"TotalRecorderScheduler"="c:\program files\HighCriteria\TotalRecorder\TotRecSched.exe" [2006-05-12 86016]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2000-11-28 20480]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2000-11-28 24576]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2000-11-28 49152]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2000-11-28 20480]
"\\new5\EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
"KASHNTWSLS97633079044361"="c:\program files\Kaseya\Agent\KaUsrTsk.exe" [2010-09-16 323584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2010-07-08 815704]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2008-4-25 36953]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-02-04 22:01 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KANTWSLS97633079044361]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^siszpe32.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\siszpe32.exe
backup=c:\windows\pss\siszpe32.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\TightVNC\\tvnserver.exe"=
"c:\\Program Files\\TightVNC\\vncviewer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R2 KANTWSLS97633079044361;Kaseya Agent;c:\program files\Kaseya\Agent\AgentMon.exe [2/4/2010 5:42 PM 745472]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [11/6/2009 3:24 PM 91392]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
R2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe [7/8/2010 9:28 AM 815704]
R3 easytether;easytether;c:\windows\system32\drivers\easytthr.sys [10/14/2010 10:42 AM 17232]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2/4/2010 5:42 PM 16384]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [3/24/2010 1:57 PM 25856]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [7/1/2006 12:44 AM 69692]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe [2/4/2010 6:01 PM 161144]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/27/2010 12:45 PM 39984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3472327337-80713695-766477851-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-03 18:00]
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3472327337-80713695-766477851-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-03 18:00]
.
2009-10-15 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-06-01 17:51]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\RSLSP.dll
TCP: DhcpNameServer = 24.92.226.11 24.92.226.12
DPF: {172826E5-EC1B-402E-9782-02E3D087E008} - hxxps://skyfex.com/download/sf_skyfex.com-download_instmodule.exe
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\mo2ofwud.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Corel Photo Downloader - c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
HKLM-Run-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
AddRemove-Cool Edit Pro 2.1 - c:\program files\coolpro2\cep2unin.exe
AddRemove-HP Officejet All-In-One Series - c:\program files\HP\Digital Imaging\{2D0DF835-98AB-487e-8514-0E0941F728C4}\setup\hpzscr01.exe
AddRemove-Replay Media Catcher 3.02 - c:\windows\Replay Media Catcher\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-06 16:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\program files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll
.
- - - - - - - > 'lsass.exe'(880)
c:\windows\system32\RSLSP.dll
.
Completion time: 2011-06-06 16:42:55
ComboFix-quarantined-files.txt 2011-06-06 20:42
.
Pre-Run: 96,522,432,512 bytes free
Post-Run: 96,505,257,984 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - A6E6623ADF71C049DD0BC070C5DF6D50

Systemlook.txt

SystemLook 04.09.10 by jpshortstuff
Log created at 16:45 on 06/06/2011 by Owner
Administrator - Elevation successful

========== regfind ==========

Searching for "ave.exe"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\WINDOWS\system32\logon.scr"
[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\FTPSLAVE.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot]
"SCRNSAVE.EXE"="USR:Control Panel\Desktop"
[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"SCRNSAVE.EXE"="logon.scr"
[HKEY_USERS\S-1-5-19\Control Panel\Desktop]
"SCRNSAVE.EXE"="%SystemRoot%\System32\logon.scr"
[HKEY_USERS\S-1-5-20\Control Panel\Desktop]
"SCRNSAVE.EXE"="%SystemRoot%\System32\logon.scr"
[HKEY_USERS\S-1-5-21-3472327337-80713695-766477851-1003\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\WINDOWS\system32\logon.scr"
[HKEY_USERS\S-1-5-21-3472327337-80713695-766477851-1003\Software\ORL\VNCHooks\Application_Prefs\FTPSLAVE.EXE]
[HKEY_USERS\S-1-5-18\Control Panel\Desktop]
"SCRNSAVE.EXE"="logon.scr"

Searching for "av.exe"
[HKEY_CURRENT_USER\Software\Microsoft\IntelliPoint\AppSpecific\cwbunnav.exe]
[HKEY_CURRENT_USER\Software\Microsoft\IntelliPoint\AppSpecific\cwbunnav.exe]
"Path"="C:\Program Files\IBM\Client Access\cwbunnav.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cwbunnav.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cwbunnav.exe]
@="C:\Program Files\IBM\Client Access\cwbunnav.exe"
[HKEY_USERS\S-1-5-21-3472327337-80713695-766477851-1003\Software\Microsoft\IntelliPoint\AppSpecific\cwbunnav.exe]
[HKEY_USERS\S-1-5-21-3472327337-80713695-766477851-1003\Software\Microsoft\IntelliPoint\AppSpecific\cwbunnav.exe]
"Path"="C:\Program Files\IBM\Client Access\cwbunnav.exe"

========== filefind ==========

Searching for "*ave.exe*"
C:\CENTURY\FTPSLAVE.EXE --a---- 101888 bytes [15:58 23/04/2008] [08:36 19/04/1999] CE11DDA52AB7FDDB47F26C8E322D50D4

Searching for "*av.exe*"
C:\Program Files\IBM\Client Access\cwbunnav.exe --a---- 450560 bytes [13:09 09/05/2008] [09:10 28/11/2000] 05915235012CFFFB06312BAF12973730
C:\WINDOWS\Prefetch\CWBUNNAV.EXE-34E8798B.pf --a---- 72202 bytes [12:40 23/05/2011] [12:40 23/05/2011] 2FEAB99CE2168642782F7FE292D84472

-= EOF =-

#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:02:41 AM

Posted 06 June 2011 - 04:28 PM

Hi rgn2000,



[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)


Did you personally disable automatic updates? Advise me in your next reply. Please uninstall MBAM via Add/Remove Programs. After restarting your computer, please run mbam-clean.exe from Here.

Go into the Control Panel (Classic View) and double-click the Java icon (it looks like a coffee cup). On the Update tab, click the Update Now button. When done, press Apply and then OK.



Step1

  • Go into the Control Panel (Classic View) and double-click the Java icon (it looks like a coffee cup).
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave both Checked

    Applications and Applets
    Trace and Log Files
  • Click OK on Delete Temporary Files Window
  • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


Step2

Please download Malwarebytes' Anti-Malware from Here or Here

  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Step3

Please run the ESET Online Scanner

Note: You will need to use Internet explorer for this scan

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt.
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


In your next reply, please post back:


1. MBAM log
2. ESET Online Scanner report

Let me know if you have any remaining issues on your pc.

#11 rgn2000

rgn2000
  • Topic Starter

  • Members
  • 17 posts
  • Local time:03:41 AM

Posted 07 June 2011 - 08:28 PM

I probably did turn off Windows updates, but it was a while ago. The computer is working fine, but I have always had this problem of the 89 or so items that MBAM finds.

Malwarebytes log


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6802

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

6/7/2011 4:09:30 PM
mbam-log-2011-06-07 (16-09-29).txt

Scan type: Quick scan
Objects scanned: 155193
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 89

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\antav\av.exe (Worm.Flooder) -> Delete on reboot.
c:\documents and settings\all users\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\local settings\temp\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\local settings\temp\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\temp\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\local settings\temp\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\local settings\temp\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\windows\temp\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\local settings\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\documents and settings\localservice\local settings\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\documents and settings\owner\local settings\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\windows\system32\config\systemprofile\local settings\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\windows\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\documents and settings\administrator\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\appdata\local\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\local settings\application data\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\local settings\application data\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\local settings\application data\avg\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\local settings\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\local settings\application data\microsoft\windows defender\av.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\local settings\application data\microsoft\windows defender\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\templates\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\templates\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\templates\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\templates\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\templates\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\templates\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\templates\avg\av.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\administrator\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\all users\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\default user\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\localservice\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\networkservice\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\windows\system32\config\systemprofile\templates\avg\ave.exe (Trojan.MultipleAV) -> Delete on reboot.
c:\windows\system32\avi\av.exe (Backdoor.Bifrose) -> Delete on reboot.

ESET Log


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16705 (vista_gdr.080618-1506)
# OnlineScanner.ocx=1.0.0.6522
# api_version=3.0.2
# EOSSerial=31794510ffc456428cc1eaa49301032c
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-07 11:44:33
# local_time=2011-06-07 07:44:33 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 30291933 30291933 0 0
# compatibility_mode=1024 16777215 100 0 39362914 39362914 0 0
# compatibility_mode=8192 67108863 100 0 28723475 28723475 0 0
# scanned=161769
# found=18
# cleaned=0
# scan_time=11403
C:\Documents and Settings\Owner\My Documents\Downloaded Programs\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\My Documents\Downloaded Programs\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\My Documents\Downloads\backup-12.30.2010_14-42-11_thenaza1.tar.gz JS/TrojanDownloader.Agent.NRL trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\My Documents\Downloads\backup-8.31.2010_15-38-36_thenaza1.tar.gz JS/TrojanDownloader.Agent.NRL trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\My Documents\Downloads\backup-thenazarians.com-12-30-2010.tar.gz multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\My Documents\Downloads\backup-thenazarians.com-8-31-2010.tar.gz multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\My Documents\Downloads\z4root.1.3.0.apk Android/Exploit.RageCage.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\My Documents\Unrared\Paint Shop Pro X3\Keygen.exe a variant of Win32/Keygen.AF application (unable to clean) 00000000000000000000000000000000 I
G:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1138\A0081364.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
G:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1138\A0081366.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
G:\Rob\My Documents\Downloaded Programs\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
G:\Rob\My Documents\Downloaded Programs\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
G:\Rob\My Documents\Unrared\Paint Shop Pro X3\Keygen.exe a variant of Win32/Keygen.AF application (unable to clean) 00000000000000000000000000000000 I
G:\Rob\My Documents\Downloads\z4root.1.3.0.apk Android/Exploit.RageCage.A trojan (unable to clean) 00000000000000000000000000000000 I
G:\Rob\My Documents\Downloads\backup-thenazarians.com-12-30-2010.tar.gz multiple threats (unable to clean) 00000000000000000000000000000000 I
G:\Website Backup\backup-thenazarians.com-6-11-2010.tar.gz JS/TrojanDownloader.Pegel.BP trojan (unable to clean) 00000000000000000000000000000000 I
G:\Website Backup\backup-thenazarians.com-8-31-2010.tar.gz multiple threats (unable to clean) 00000000000000000000000000000000 I
G:\Website Backup\backup-8.31.2010_15-38-36_thenaza1.tar.gz JS/TrojanDownloader.Agent.NRL trojan (unable to clean) 00000000000000000000000000000000 I

#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:02:41 AM

Posted 07 June 2011 - 09:40 PM

Hi rgn2000,




The MBAM log is a false positive due to the Kaseya software. From the SystemLook and CF logs, your system didn't have any signs of ave.exe or av.exe. The culprit is Kaseya, which might report that the offending files still persist in memory.

If you uninstall Kaseya or disable the Kaseya Agent on your system and rerun MBAM, things should get back to normal. You may try that, and advise me how that goes. Other than that, let's remove some leftovers.


Step1

  • Start OTL from your desktop.
  • Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of the code box.
    :Files
    C:\Documents and Settings\Owner\My Documents\Downloaded Programs\SmitfraudFix
    C:\Documents and Settings\Owner\My Documents\Downloads\backup-12.30.2010_14-42-11_thenaza1.tar.gz 
    C:\Documents and Settings\Owner\My Documents\Downloads\backup-8.31.2010_15-38-36_thenaza1.tar.gz 
    C:\Documents and Settings\Owner\My Documents\Downloads\backup-thenazarians.com-12-30-2010.tar.gz 
    C:\Documents and Settings\Owner\My Documents\Downloads\backup-thenazarians.com-8-31-2010.tar.gz 
    C:\Documents and Settings\Owner\My Documents\Downloads\z4root.1.3.0.apk 
    C:\Documents and Settings\Owner\My Documents\Unrared\Paint Shop Pro X3\Keygen.exe 
    G:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1138\A0081364.exe 
    G:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1138\A0081366.exe 
    G:\Rob\My Documents\Downloaded Programs\SmitfraudFix
    G:\Rob\My Documents\Unrared\Paint Shop Pro X3\Keygen.exe
    G:\Rob\My Documents\Downloads\z4root.1.3.0.apk 
    G:\Rob\My Documents\Downloads\backup-thenazarians.com-12-30-2010.tar.gz 
    G:\Website Backup\backup-thenazarians.com-6-11-2010.tar.gz 
    G:\Website Backup\backup-thenazarians.com-8-31-2010.tar.gz 
    G:\Website Backup\backup-8.31.2010_15-38-36_thenaza1.tar.gz 
    
    :reg
    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
    "NoAutoUpdate"=-
    
    :Commands
    [CLEARALLRESTOREPOINTS]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    
  • Click Run Fix button on the top.
  • Click OK and let it run unhindered.
  • OTL will ask to reboot the machine. Please OK the prompt.
  • A report will open. Copy and Paste that report in your next reply.


In your next reply, please post back:

1. OTL delete log

Let me know if you have any remaining issues on your pc.
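The diagnosis above rests on one check: a detection whose path is not actually on disk is suspect. As an added example (not from this thread or from any of the tools it names), the Python below parses an MBAM 1.x "Files Infected" section and a SystemLook filefind listing, then separates detections that exist on disk from those that do not. The sample logs reuse lines from this thread plus one constructed entry (constructed-av.exe, Constructed.Sample) so both outcomes appear.

```python
"""Triage an MBAM 1.x 'Files Infected' list against a SystemLook filefind
listing.  A detection whose path does not exist on disk is the pattern this
thread resolved as a false positive, so it is separated from on-disk hits.
Sample logs are constructed from lines in the thread plus one constructed
entry (marked) so that both branches are exercised.
"""
import os
import re
from collections import Counter

# MBAM 1.x detection line: <path> (<Threat.Name>) -> <Action>.
MBAM_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+?)\.?$"
)
# SystemLook filefind hit: <path> <attrs> <size> bytes [mtime] [ctime] <MD5>
FILEFIND_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) [-\w]+ \d+ bytes \[.*?\] \[.*?\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_mbam_files(log_text):
    """Return [(path, threat, action)] from the 'Files Infected:' section."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Files Infected:":   # bare header, not the 'Files Infected: N' summary
            in_section = True
            continue
        if not in_section:
            continue
        if not line:                     # section ends at the first blank line
            break
        m = MBAM_LINE.match(line)
        if m:
            entries.append((m.group("path"), m.group("threat"), m.group("action")))
    return entries


def parse_filefind(systemlook_text):
    """Return {lowercase path: MD5} for every hit in SystemLook's filefind output."""
    found = {}
    for line in systemlook_text.splitlines():
        m = FILEFIND_LINE.match(line.strip())
        if m:
            found[m.group("path").lower()] = m.group("md5").upper()
    return found


def triage(entries, exists=os.path.exists):
    """Split detections by whether exists(path) is true.  Pass os.path.exists on
    the live system, or a lookup into a filefind listing when working from logs."""
    present, missing = [], []
    for path, threat, _action in entries:
        (present if exists(path) else missing).append((path, threat))
    return present, missing


def threat_counts(entries):
    """Detections per threat name (how a 'same N items every scan' log looks)."""
    return Counter(threat for _path, threat, _action in entries)


def run_triage(mbam_text, systemlook_text):
    """Cross-check an MBAM log against a SystemLook listing, offline."""
    on_disk = parse_filefind(systemlook_text)
    return triage(parse_mbam_files(mbam_text), lambda p: p.lower() in on_disk)


# Constructed sample: four lines taken from the thread's MBAM log plus one
# constructed entry (constructed-av.exe) that the filefind listing does contain.
SAMPLE_MBAM = r"""Malwarebytes' Anti-Malware 1.51.0.1200
Files Infected: 5

Files Infected:
c:\windows\system32\antav\av.exe (Worm.Flooder) -> Delete on reboot.
c:\documents and settings\owner\application data\avg\ave.exe (Rogue.MultipleAV) -> Delete on reboot.
c:\documents and settings\owner\local settings\temp\mtg\av.exe (Trojan.MultipleAV.Gen) -> Delete on reboot.
c:\windows\system32\avi\av.exe (Backdoor.Bifrose) -> Delete on reboot.
c:\documents and settings\owner\desktop\constructed-av.exe (Constructed.Sample) -> Quarantined and deleted successfully.
"""

# Constructed sample: the thread's two filefind hits plus the constructed file.
SAMPLE_SYSTEMLOOK = r"""========== filefind ==========

Searching for "*ave.exe*"
C:\CENTURY\FTPSLAVE.EXE --a---- 101888 bytes [15:58 23/04/2008] [08:36 19/04/1999] CE11DDA52AB7FDDB47F26C8E322D50D4

Searching for "*av.exe*"
C:\Program Files\IBM\Client Access\cwbunnav.exe --a---- 450560 bytes [13:09 09/05/2008] [09:10 28/11/2000] 05915235012CFFFB06312BAF12973730
C:\Documents and Settings\Owner\Desktop\constructed-av.exe --a---- 1024 bytes [12:00 07/06/2011] [12:00 07/06/2011] 00000000000000000000000000000000
"""

if __name__ == "__main__":
    present, missing = run_triage(SAMPLE_MBAM, SAMPLE_SYSTEMLOOK)
    print("per-threat counts:", dict(threat_counts(parse_mbam_files(SAMPLE_MBAM))))
    print(f"{len(present)} detection(s) exist on disk -> investigate:")
    for path, threat in present:
        print("   ", threat, path)
    print(f"{len(missing)} detection(s) have no file on disk -> likely false positive:")
    for path, threat in missing:
        print("   ", threat, path)
```

On a live machine, call `triage(parse_mbam_files(text))` with the default `os.path.exists` instead of a filefind listing.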

#13 rgn2000

rgn2000
  • Topic Starter

  • Members
  • 17 posts
  • Local time:03:41 AM

Posted 08 June 2011 - 03:02 PM

The computer is running fine and here is the OTL Log:


All processes killed
========== FILES ==========
C:\Documents and Settings\Owner\My Documents\Downloaded Programs\SmitfraudFix folder moved successfully.
C:\Documents and Settings\Owner\My Documents\Downloads\backup-12.30.2010_14-42-11_thenaza1.tar.gz moved successfully.
C:\Documents and Settings\Owner\My Documents\Downloads\backup-8.31.2010_15-38-36_thenaza1.tar.gz moved successfully.
C:\Documents and Settings\Owner\My Documents\Downloads\backup-thenazarians.com-12-30-2010.tar.gz moved successfully.
C:\Documents and Settings\Owner\My Documents\Downloads\backup-thenazarians.com-8-31-2010.tar.gz moved successfully.
C:\Documents and Settings\Owner\My Documents\Downloads\z4root.1.3.0.apk moved successfully.
C:\Documents and Settings\Owner\My Documents\Unrared\Paint Shop Pro X3\Keygen.exe moved successfully.
G:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1138\A0081364.exe moved successfully.
G:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP1138\A0081366.exe moved successfully.
G:\Rob\My Documents\Downloaded Programs\SmitfraudFix folder moved successfully.
G:\Rob\My Documents\Unrared\Paint Shop Pro X3\Keygen.exe moved successfully.
G:\Rob\My Documents\Downloads\z4root.1.3.0.apk moved successfully.
G:\Rob\My Documents\Downloads\backup-thenazarians.com-12-30-2010.tar.gz moved successfully.
G:\Website Backup\backup-thenazarians.com-6-11-2010.tar.gz moved successfully.
G:\Website Backup\backup-thenazarians.com-8-31-2010.tar.gz moved successfully.
G:\Website Backup\backup-8.31.2010_15-38-36_thenaza1.tar.gz moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au\\NoAutoUpdate deleted successfully.
========== COMMANDS ==========
Restore points cleared and new OTL Restore Point set!

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 41620 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 20394 bytes
->Flash cache emptied: 12459 bytes

User: Owner
->Temp folder emptied: 1507118 bytes
->Temporary Internet Files folder emptied: 9551872 bytes
->Java cache emptied: 443 bytes
->FireFox cache emptied: 77983929 bytes
->Google Chrome cache emptied: 383351422 bytes
->Flash cache emptied: 165536 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2361 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 451.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Owner
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.23.0 log created on 06082011_154808

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_9d4.dat not found!
C:\Documents and Settings\Owner\Local Settings\Temp\VBE\MSForms.exd moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\WCESLog.log moved successfully.
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF23C.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF2DF4.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF3C8.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF4F9.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF7AB.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF7B6.tmp not found!

Registry entries deleted on Reboot...

#14 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:02:41 AM

Posted 08 June 2011 - 03:08 PM

Hi rgn2000,



Since the false positive issue is resolved, your system appears to be clean now. :thumbsup: If you have no remaining concerns on your PC, let's do some tidying up and we can send you on your way.


Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the Run box and click OK.
Note the space between the X and the /Uninstall; it needs to be there.


This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step2

Start OTL from your desktop.
  • Double click OTL and let it run
  • Then Click the Cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:


  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here on how to prevent malware.


Glad to be of help. Safe surfing!!

#15 rgn2000

rgn2000
  • Topic Starter

  • Members
  • 17 posts
  • Local time:03:41 AM

Posted 09 June 2011 - 02:14 PM

OK, thank you for your help.



