
Infected with something nasty


This topic is locked
20 replies to this topic

#1 fways&greens
  • Members
  • 12 posts

Posted 14 August 2011 - 08:27 PM

One of our computers at home is infected with a virus/trojan/rootkit that is really difficult to figure out and remove. The machine is Windows XP SP 3. It does not show very many symptoms. Down in the Windows Security Center in the bottom right, it says that Windows Update (automatic) is turned off, but it isn't. If I check this in the control panel, it is actually on. The other visible symptom is that we get new tabs automatically opening in web browsers with random commerce pages coming up. The machine also has basically slowed to a crawl.

I have tried many removal methods to no success. I ran rkill.com and its variants but it only removes a svchost.exe. I then tried running malwarebytes mbam. I am able to download mbam and update it, but when I go to run it, it runs for about 20 seconds and then just shuts down. If I try to run it again, the machine says that a file is missing or I don't have privileges. I tried renaming the executable in various ways, but that has no good effect. The same thing has happened when I have tried to run MSE, Panda, Ad-Aware, etc. They start but then immediately terminate. The next time that I try to run them, it says that I don't have sufficient privileges. The exact same thing happens if I start my machine and do this all in safe mode.

Below I will paste the dds.txt logfile. I tried running GMER but the same thing happens with it: It runs for a few seconds but then just terminates. I am not able to rerun it after that. No log file is generated.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Christy at 14:19:32 on 2011-08-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.223 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\OLE232.exe
C:\WINDOWS\system32\atmlib32.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = <local>;*.local
BHO: {031766fc-be54-4694-a4b7-2bb1bceffa67} - c:\windows\system32\atmlib32.dll
BHO: {031766fd-be54-4694-a4b7-2bb1bceffa67} - c:\windows\system32\atmlib32.dll
BHO: {03D1DBF7-6908-4A8C-A5BF-398384AD060e} - No File
BHO: {062ecdfb-be54-4694-a4b7-2bb1bceffa67} - c:\windows\system32\atmlib32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Sonic RecordNow!]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [POINTER] point32.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Kvuhogan] rundll32.exe "c:\windows\azulemahedila.dll",Startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} - hxxps://www.plaxo.com/down/latest/PlaxoInstall.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203863699328
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38200.4937615741
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{F4814225-511F-47FA-B3B0-751907C2E15C} : DhcpNameServer = 68.87.68.166 68.87.74.166
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
mASetup: {2D943808-C9ED-46A5-B21A-154448781036} - c:\program files\netmeeting\NetMeet.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\christy\application data\mozilla\firefox\profiles\3o36bkcu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-11 366640]
R2 WmdmPmSN32;Portable Media Serial Number Service ;c:\windows\system32\OLE232.exe [2011-7-26 793600]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-11 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-14 135664]
S2 hdmsrv;Windows Hardware Manager;c:\windows\system32\svchost.exe -k krnlsrvc [2002-8-29 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-14 135664]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
scrfile="%1" %*
.
=============== Created Last 30 ================
.
2011-08-11 14:07:41 363008 ----a-w- c:\windows\system32\atmlib32.dll
2011-08-11 14:04:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-11 14:04:54 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-11 14:04:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-31 20:09:08 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b352f65e-957d-43ba-837a-d002369598ea}\mpengine.dll
2011-07-31 20:09:08 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-07-31 19:54:52 -------- d-----w- c:\program files\Microsoft Security Client
2011-07-31 17:19:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-30 21:22:29 -------- d-----w- C:\bd_logs
2011-07-30 00:12:41 -------- d-----w- c:\program files\MMMMalwarebytes' Anti-Malware
2011-07-28 00:34:34 -------- d-----w- c:\program files\MMMalwarebytes' Anti-Malware
2011-07-26 20:12:18 0 ---ha-w- c:\documents and settings\christy\hdznykygan.tmp
2011-07-26 14:54:40 793600 ----a-w- c:\windows\system32\atmlib32.exe
2011-07-26 14:54:31 793600 ----a-w- c:\windows\system32\OLE232.exe
.
==================== Find3M ====================
.
2011-07-17 17:32:42 28256 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2011-05-25 23:12:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 14:21:15.00 ===============

#2 Noviciate
  • Malware Response Team
  • 5,277 posts

Posted 15 August 2011 - 03:14 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.

#3 fways&greens
  • Topic Starter
  • Members
  • 12 posts

Posted 16 August 2011 - 10:58 AM

Hello, and thank you very much for your help and assistance.

I was able to get the ESET tool and run a scan last night. It found 250(!) infected files. Unfortunately, a problem happened at the end of this process when I clicked the button to save the results in a text file. My computer just hung after that and I got the spinning hourglass cursor over the ESET application. I wasn't able to do anything else at that point. (By the way, during the scan, I got a Windows error dialog stating that the svchost.exe process had crashed as it was trying to reference very low addressed memory.) I am going to try to run the scan again tonight and will see if I am able to save the log of what it found successfully this time.

#4 fways&greens
  • Topic Starter
  • Members
  • 12 posts

Posted 16 August 2011 - 08:33 PM

Update: Actually the machine didn't hang. It just took a really long time to respond. The machine is so slow and presumably compromised that it's very difficult to do anything. But I was able to get the ESET log. Here it is:

C:\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\Audrey\Local Settings\Application Data\{A80CC27B-7879-4171-8FF9-875EACE2374C}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\Christy\Application Data\Sun\Java\Deployment\cache\6.0\0\6685d300-638042d6 Java/Exploit.CVE-2010-4452.A trojan
C:\Documents and Settings\Christy\Application Data\Sun\Java\Deployment\cache\6.0\11\64593cb-3cb59766 multiple threats
C:\Documents and Settings\Christy\Application Data\Sun\Java\Deployment\cache\6.0\53\55956235-6adbec06 multiple threats
C:\Documents and Settings\Christy\Application Data\Sun\Java\Deployment\cache\6.0\55\9f3c877-228ec022 multiple threats
C:\Documents and Settings\Christy\Application Data\Sun\Java\Deployment\cache\6.0\6\283a9d46-414e5ddc multiple threats
C:\Documents and Settings\Christy\Application Data\Sun\Java\Deployment\cache\6.0\9\7be78a09-44de3a85 probably a variant of Java/TrojanDownloader.OpenStream.NCC trojan
C:\Documents and Settings\Christy\Desktop\DesktopStuff\Installer Backups\SmitfraudFix-warning-don't open\Process.exe Win32/PrcView application
C:\Documents and Settings\Christy\Local Settings\Application Data\{82D7E440-696D-42D1-A343-6FEBF29F89EA}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
C:\Documents and Settings\Christy\Local Settings\Temp\5D.tmp a variant of Win32/Kryptik.OAU trojan
C:\Documents and Settings\Christy\Local Settings\Temp\jar_cache22597.tmp multiple threats
C:\Documents and Settings\Christy\Local Settings\Temp\tmph5632719488727257151.tmp a variant of Win32/Kryptik.QUU trojan
C:\Documents and Settings\Christy\Local Settings\Temp\plugtmp-4\plugin-mrthc.pdf PDF/Exploit.Pidief.PBK.Gen trojan
C:\Documents and Settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\KQ1UEAW5\scanner.powerantivirus-2009[1].htm Win32/Adware.Antivirus2008 application
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\NQZLL56W\35[1].htm Win32/Adware.Antivirus2008 application
C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\Mitchell\Local Settings\Application Data\{2EC3897C-6632-484A-A17C-2D3999350A35}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
C:\Documents and Settings\Mitchell\Local Settings\Temp\plugtmp-5\plugin-bctdtf.pdf PDF/Exploit.Pidief.PBK.Gen trojan
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\4PQ7052J\pub[1].crt Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\8DARKL23\pub[1].crt Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\8DARKL23\status[1].txt Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\8DARKL23\status[2].txt Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\C9M7KX6B\pub[1].crt Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\C9M7KX6B\pub[2].crt Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\C9M7KX6B\status[1].txt Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\KPABW9QF\pub[1].crt Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\KPABW9QF\status[1].txt Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\KPABW9QF\status[2].txt Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\KPABW9QF\topbuttons[1] Win32/Adware.SpywareProtect2009 application
C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\Tommy\Application Data\Sun\Java\Deployment\cache\6.0\29\3ef2dc5d-79b6b810 multiple threats
C:\Documents and Settings\Tommy\Local Settings\Application Data\{312C6904-A298-4D0C-A6A9-324A662647E9}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1104\A0246480.exe a variant of Win32/Kryptik.OAU trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0264765.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0265765.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0266765.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0267765.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0268765.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0269765.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0269777.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0270777.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0271777.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0272777.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0273777.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0274777.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0274791.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0274792.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0274793.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0274794.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0275777.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0275806.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0275817.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0275818.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0275819.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0275820.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0276806.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0276820.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0276821.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0276822.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0276823.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0276826.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0276831.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0276840.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0276858.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0276870.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0277870.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0278870.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1124\A0279870.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1125\A0280870.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1125\A0280895.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1125\A0280902.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1125\A0280903.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1125\A0280905.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1125\A0280906.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\WINDOWS\SYSTEM32\atmlib32.dll a variant of Win32/Kryptik.QSR trojan
C:\WINDOWS\SYSTEM32\atmlib32.exe a variant of Win32/Kryptik.QUU trojan
C:\WINDOWS\SYSTEM32\OLE232.exe a variant of Win32/Kryptik.QUU trojan
C:\WINDOWS\SYSTEM32\DRIVERS\cdrom.sys a variant of Win32/Rootkit.Kryptik.DM trojan
C:\WINDOWS\Temp\AcrE3B9.tmp JS/Exploit.Pdfka.PCS.Gen trojan
Operating memory a variant of Win32/Kryptik.QUU trojan

#5 Noviciate


Posted 17 August 2011 - 02:49 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

#6 fways&greens

Posted 17 August 2011 - 10:18 PM

Hello,

Wow, I've had an interesting evening working through the ComboFix. I downloaded the program and started it running. Saving the registry originally didn't work (process just terminated) but it pushed onward to the Recovery Console. That seemed to work but with a few corrupted files and folders. I then got a warning dialog from ComboFix saying that the machine has Rootkit.ZeroAccess in the tcp/ip stack, a particularly nasty problem and a warning to reboot if things don't work. It then said that ComboFix detected a Rootkit and needs to auto reboot and it did so. Upon returning, it said PV.cfxxe failed but then it did successfully back up the registry and moved to the scan. In it, it found many corrupted files and folders, then it deleted many files and folders. It also said that the System file was infected and attempted to restore sys32\drivers\cdrom.sys and that it did so successfully. It then did another auto reboot and it created the log (shown below). I restarted the machine to see if it would be OK and it automatically ran CHKDSK and found many problems, but I think it fixed them. Upon logging in, it did seem like the machine was in good shape. I could not detect the infection symptoms and normal applications seemed to be working fine. This whole process took about 2 hours.

Should I do further steps at this point? Rerun the ESET scanner? Run mbam and other virus scans?

ComboFix 11-08-17.03 - Christy 08/17/2011 20:51:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.321 [GMT -4:00]
Running from: c:\documents and settings\Christy\Desktop\Terminator.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}
c:\documents and settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest
c:\documents and settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar
c:\documents and settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\defaults\preferences\xulcache.js
c:\documents and settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\install.rdf
c:\documents and settings\Audrey\Local Settings\Application Data\{A80CC27B-7879-4171-8FF9-875EACE2374C}
c:\documents and settings\Audrey\Local Settings\Application Data\{A80CC27B-7879-4171-8FF9-875EACE2374C}\chrome.manifest
c:\documents and settings\Audrey\Local Settings\Application Data\{A80CC27B-7879-4171-8FF9-875EACE2374C}\chrome\content\_cfg.js
c:\documents and settings\Audrey\Local Settings\Application Data\{A80CC27B-7879-4171-8FF9-875EACE2374C}\chrome\content\overlay.xul
c:\documents and settings\Audrey\Local Settings\Application Data\{A80CC27B-7879-4171-8FF9-875EACE2374C}\install.rdf
c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}
c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest
c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar
c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\defaults\preferences\xulcache.js
c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\install.rdf
c:\documents and settings\Christy\hdznykygan.tmp
c:\documents and settings\Christy\Recent\Thumbs.db
c:\documents and settings\Christy\WINDOWS
c:\documents and settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}
c:\documents and settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest
c:\documents and settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar
c:\documents and settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\defaults\preferences\xulcache.js
c:\documents and settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\install.rdf
c:\windows\$NtUninstallKB29882$
c:\windows\$NtUninstallKB29882$\2234566620
c:\windows\$NtUninstallKB29882$\2632128422\@.dll
c:\windows\$NtUninstallKB29882$\2632128422\bckfg.tmp
c:\windows\$NtUninstallKB29882$\2632128422\cfg.ini
c:\windows\$NtUninstallKB29882$\2632128422\Desktop.ini
c:\windows\$NtUninstallKB29882$\2632128422\keywords
c:\windows\$NtUninstallKB29882$\2632128422\L\rnmncxam
c:\windows\$NtUninstallKB29882$\2632128422\lsflt7.ver
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\5705.exe
c:\windows\system32\atmlib32.dll
C:\xcrashdump.dat
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys
.
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-18 to 2011-08-18 )))))))))))))))))))))))))))))))
.
.
2011-08-18 01:11 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2011-08-18 00:17 . 2011-08-18 00:17 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-08-16 01:04 . 2011-08-16 01:04 -------- d-----w- c:\program files\ESET
2011-07-31 20:09 . 2011-05-24 23:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-07-31 17:27 . 2011-07-31 17:28 -------- d-----w- c:\documents and settings\faker
2011-07-31 17:19 . 2011-07-31 17:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-30 21:22 . 2011-07-31 14:35 -------- d-----w- C:\bd_logs
2011-07-30 00:12 . 2011-07-31 17:23 -------- d-----w- c:\program files\MMMMalwarebytes' Anti-Malware
2011-07-28 00:34 . 2011-07-28 00:49 -------- d-----w- c:\program files\MMMalwarebytes' Anti-Malware
2011-07-27 14:29 . 2011-07-27 14:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-07-26 14:54 . 2011-07-26 14:53 793600 ----a-w- c:\windows\system32\atmlib32.exe
2011-07-26 14:54 . 2011-07-26 14:53 793600 ----a-w- c:\windows\system32\OLE232.exe
2011-07-26 14:00 . 2011-07-26 14:00 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-17 17:32 . 2011-05-21 21:00 28256 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2011-05-25 23:12 . 2011-05-25 23:12 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-16 04:17 . 2011-06-22 15:17 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-11 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-05-26 26112]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-06 118784]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 614960]
"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 243248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2004-5-26 36953]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-10-2 57344]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-7-25 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56572:TCP"= 56572:TCP:Pando Media Booster
"56572:UDP"= 56572:UDP:Pando Media Booster
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
.
R2 WmdmPmSN32;Portable Media Serial Number Service ;c:\windows\SYSTEM32\OLE232.exe [7/26/2011 10:54 AM 793600]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2010 11:20 AM 135664]
S2 hdmsrv;Windows Hardware Manager;c:\windows\System32\svchost.exe -k krnlsrvc [8/29/2002 6:00 AM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2010 11:20 AM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 15:20]
.
2011-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 15:20]
.
2004-05-29 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]
.
2011-08-18 c:\windows\Tasks\User_Feed_Synchronization-{951ED211-83B4-46F1-BEFC-11A4DE85A787}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
2011-08-18 c:\windows\Tasks\User_Feed_Synchronization-{AEB0A0A3-40CB-4388-B57B-99DBDFE9DE2E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
FF - ProfilePath - c:\documents and settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{031766FC-BE54-4694-A4B7-2BB1BCEFFA67} - c:\windows\system32\atmlib32.dll
BHO-{031766FD-BE54-4694-A4B7-2BB1BCEFFA67} - c:\windows\system32\atmlib32.dll
BHO-{03D1DBF7-6908-4A8C-A5BF-398384AD060e} - (no file)
BHO-{062ECDFB-BE54-4694-A4B7-2BB1BCEFFA67} - c:\windows\system32\atmlib32.dll
HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-POINTER - point32.exe
HKLM-Run-Kvuhogan - c:\windows\azulemahedila.dll
HKLM_ActiveSetup-{2D943808-C9ED-46A5-B21A-154448781036} - c:\program files\NetMeeting\NetMeet.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-17 21:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3000)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\wanmpsvc.exe
c:\windows\system32\atmlib32.exe
c:\program files\Microsoft Hardware\Mouse\point32.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\QuickCam10\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-08-17 21:50:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-18 01:50
.
Pre-Run: 37,763,620,864 bytes free
Post-Run: 38,928,023,552 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

#7 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 19 August 2011 - 03:08 PM

Good evening. :)

Download OTL by OldTimer from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Quick Scan button and allow it to do its thing.
  • Once complete, it should open two Notepad windows - OTL.Txt and Extras.Txt
  • It should also save copies in the same location as OTL.
  • I want you to copy and paste the contents of OTL.txt that should appear into one reply and Extras.Txt into another.
  • The length of the two logs sometimes results in the end being chopped off if you post both in one reply.

So long, and thanks for all the fish.

#8 fways&greens

  • Topic Starter
  • Members
  • 12 posts

Posted 21 August 2011 - 03:43 AM

OK, thanks. Here is OTL.txt:


OTL logfile created on: 8/21/2011 4:14:00 AM - Run 1
OTL by OldTimer - Version 3.2.26.5 Folder = C:\Documents and Settings\Christy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 144.40 Mb Available Physical Memory | 28.31% Memory free
1.22 Gb Paging File | 0.93 Gb Available in Paging File | 76.23% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 36.22 Gb Free Space | 48.65% Space Free | Partition Type: NTFS

Computer Name: SAMANTHA | User Name: Christy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/21 04:12:43 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Christy\Desktop\OTL.scr
PRC - [2011/07/26 10:53:37 | 000,793,600 | ---- | M] (Axes Array) -- C:\WINDOWS\SYSTEM32\OLE232.exe
PRC - [2011/07/26 10:53:37 | 000,793,600 | ---- | M] (Axes Array) -- C:\WINDOWS\SYSTEM32\atmlib32.exe
PRC - [2011/06/16 00:17:34 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/15 12:09:36 | 000,460,784 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe
PRC - [2006/06/26 10:34:58 | 000,166,448 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\QuickCam10\COCIManager.exe
PRC - [2006/06/26 10:34:40 | 000,614,960 | ---- | M] () -- C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
PRC - [2006/06/26 10:33:32 | 000,243,248 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
PRC - [2006/06/26 09:46:04 | 000,497,200 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
PRC - [2004/12/17 09:00:00 | 000,118,784 | ---- | M] (WinZip Computing, Inc.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2004/05/26 00:57:48 | 000,026,112 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe
PRC - [2003/10/06 11:05:40 | 000,118,784 | ---- | M] (MUSICMATCH, Inc.) -- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
PRC - [2003/08/13 11:27:40 | 000,028,672 | ---- | M] (Dell - Advanced Desktop Engineering) -- C:\WINDOWS\SYSTEM32\DSentry.exe
PRC - [2003/08/06 17:58:26 | 001,376,360 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\acsd.exe
PRC - [2003/02/13 02:01:00 | 000,155,648 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
PRC - [2003/01/10 18:13:04 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe


========== Modules (No Company Name) ==========

MOD - [2011/06/16 00:17:34 | 001,850,328 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2009/11/03 16:51:42 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2008/04/13 20:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\SYSTEM32\msdmo.dll
MOD - [2006/06/26 10:34:46 | 000,988,720 | ---- | M] () -- C:\Program Files\Logitech\QuickCam10\QuickCam10Res.dll
MOD - [2006/06/26 10:34:40 | 000,614,960 | ---- | M] () -- C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
MOD - [2003/10/06 11:05:42 | 000,368,640 | ---- | M] () -- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\CoreDll.dll
MOD - [2003/10/06 11:05:42 | 000,098,304 | ---- | M] () -- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\TrackUtils.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (hdmsrv)
SRV - [2011/07/26 10:53:37 | 000,793,600 | ---- | M] (Axes Array) [Auto | Running] -- C:\WINDOWS\SYSTEM32\OLE232.exe -- (WmdmPmSN32)
SRV - [2007/03/07 16:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/06/26 10:33:56 | 000,091,696 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2006/06/26 10:33:42 | 000,099,888 | ---- | M] () [Auto | Stopped] -- c:\Program Files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2003/08/06 17:58:26 | 001,376,360 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\acsd.exe -- (AOL ACS)
SRV - [2003/03/03 14:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2003/01/10 18:13:04 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)


========== Driver Services (SafeList) ==========

DRV - [2011/07/17 13:32:42 | 000,028,256 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2007/02/25 13:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 17:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Running] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/06/26 10:33:40 | 000,023,472 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2006/06/26 10:33:36 | 001,952,816 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\LVMVdrv.sys -- (LVMVDrv)
DRV - [2006/06/26 10:33:28 | 001,587,632 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\Lvckap.sys -- (LVcKap)
DRV - [2006/06/22 18:29:46 | 000,038,960 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\LVUSBSta.sys -- (LVUSBSta)
DRV - [2006/06/22 18:29:28 | 000,720,176 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\LV302AV.SYS -- (PID_08A0) Logitech QuickCam IM(PID_08A0)
DRV - [2006/06/22 18:29:27 | 000,012,080 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\lv302af.sys -- (pepifilter)
DRV - [2004/08/04 01:29:49 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/04 01:29:47 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/04 01:29:45 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/04 01:29:43 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/04 01:29:42 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/04 01:29:41 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/04 01:29:37 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/04 01:29:37 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/04 01:29:37 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/04 01:29:36 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/08/04 01:29:26 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2004/05/26 00:57:50 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2004/03/05 23:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52)
DRV - [2004/03/05 23:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)
DRV - [2004/03/05 23:13:52 | 000,060,949 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)
DRV - [2004/03/05 23:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt)
DRV - [2003/01/10 18:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2001/08/23 03:33:10 | 000,010,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ipfilter.sys -- (IPFilter)
DRV - [2001/08/17 13:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = FC 66 17 03 54 BE 94 46 A4 B7 2B B1 BC EF FA 67 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.msn.com"
FF - prefs.js..extensions.enabledItems: {82D7E440-696D-42D1-A343-6FEBF29F89EA}:1.9.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{82D7E440-696D-42D1-A343-6FEBF29F89EA}: C:\Documents and Settings\Christy\Local Settings\Application Data\{82D7E440-696D-42D1-A343-6FEBF29F89EA} [2010/01/26 16:52:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{42EA6E81-AE71-4013-8A18-176EDD54762D}: C:\Documents and Settings\New\Local Settings\Application Data\{42EA6E81-AE71-4013-8A18-176EDD54762D}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/22 11:17:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/08 10:46:44 | 000,000,000 | ---D | M]

[2009/06/29 18:15:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Christy\Application Data\Mozilla\Extensions
[2011/08/17 21:10:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions
[2011/08/17 22:13:10 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}
[2011/06/22 11:17:20 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/23 15:20:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/09/23 15:25:24 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
File not found (No name found) --
[2010/09/23 15:19:30 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/06/16 00:17:34 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/08/17 21:37:20 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {031766FC-BE54-4694-A4B7-2BB1BCEFFA67} - C:\WINDOWS\SYSTEM32\atmlib32.dll ()
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - File not found
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam10\QuickCam10.exe ()
O4 - HKLM..\Run: [LVCOMSX] C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe (Logitech Inc.)
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe (MUSICMATCH, Inc.)
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [StorageGuard] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [MoneyAgent] C:\Program Files\Microsoft Money\System\mnyexpr.exe (Microsoft Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} https://www.plaxo.com/down/latest/PlaxoInstall.cab (PlxInstall Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203863699328 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38200.4937615741 (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Christy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Christy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 14:36:02 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/21 04:12:52 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Christy\Desktop\OTL.scr
[2011/08/17 20:30:46 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/08/17 20:25:35 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/08/17 20:25:35 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/08/17 20:25:35 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/08/17 20:25:35 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/08/17 20:25:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/08/17 20:25:09 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/08/17 20:24:26 | 004,176,704 | R--- | C] (Swearware) -- C:\Documents and Settings\Christy\Desktop\Terminator.exe
[2011/08/17 20:17:14 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2011/08/15 21:04:29 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/08/15 21:03:46 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Christy\Desktop\esetsmartinstaller_enu.exe
[2011/08/14 13:59:38 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Christy\Start Menu\Programs\Administrative Tools
[2011/08/14 13:56:29 | 000,607,017 | R--- | C] (Swearware) -- C:\Documents and Settings\Christy\Desktop\dds.scr
[2011/08/11 10:01:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Christy\Desktop\DesktopStuff
[2011/07/31 15:35:02 | 001,047,656 | ---- | C] (Malwarebytes Corporation) -- C:\Documents and Settings\Christy\Desktop\fake-mb.com
[2011/07/31 13:19:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/07/31 13:19:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/07/31 13:12:47 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Christy\Desktop\spybotsd162.exe
[2011/07/30 17:22:29 | 000,000,000 | ---D | C] -- C:\bd_logs
[2011/07/29 20:12:41 | 000,000,000 | ---D | C] -- C:\Program Files\MMMMalwarebytes' Anti-Malware
[2011/07/29 17:26:08 | 001,404,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Christy\Desktop\TDSSKiller.exe
[2011/07/27 20:34:34 | 000,000,000 | ---D | C] -- C:\Program Files\MMMalwarebytes' Anti-Malware
[2011/07/27 20:21:31 | 009,466,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Christy\Desktop\firefox.exe
[2011/07/27 10:30:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/07/27 10:29:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/07/27 10:29:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/07/26 11:39:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2011/07/26 10:54:40 | 000,793,600 | ---- | C] (Axes Array) -- C:\WINDOWS\System32\atmlib32.exe
[2011/07/26 10:54:31 | 000,793,600 | ---- | C] (Axes Array) -- C:\WINDOWS\System32\OLE232.exe
[2011/07/25 16:35:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/07/25 15:55:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Christy\*.tmp files -> C:\Documents and Settings\Christy\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/21 04:18:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{AEB0A0A3-40CB-4388-B57B-99DBDFE9DE2E}.job
[2011/08/21 04:16:03 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{951ED211-83B4-46F1-BEFC-11A4DE85A787}.job
[2011/08/21 04:14:09 | 000,380,350 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2011/08/21 04:14:09 | 000,052,764 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2011/08/21 04:12:43 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Christy\Desktop\OTL.scr
[2011/08/17 21:58:59 | 000,363,008 | ---- | M] () -- C:\WINDOWS\System32\atmlib32.dll
[2011/08/17 21:37:20 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2011/08/17 20:30:55 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI
[2011/08/17 20:24:13 | 004,176,704 | R--- | M] (Swearware) -- C:\Documents and Settings\Christy\Desktop\Terminator.exe
[2011/08/17 20:17:35 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/08/16 07:02:03 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/15 21:03:44 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Christy\Desktop\esetsmartinstaller_enu.exe
[2011/08/14 13:59:05 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Christy\defogger_reenable
[2011/08/14 13:56:53 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Christy\Desktop\gmer.zip
[2011/08/14 13:56:24 | 000,607,017 | R--- | M] (Swearware) -- C:\Documents and Settings\Christy\Desktop\dds.scr
[2011/08/14 13:55:52 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Christy\Desktop\Defogger.exe
[2011/08/11 10:05:52 | 000,000,688 | ---- | M] () -- C:\Documents and Settings\Christy\Desktop\mybam.exe.lnk
[2011/07/31 15:42:48 | 000,002,855 | ---- | M] () -- C:\Documents and Settings\Christy\Desktop\Shortcut to fake-mb.com.pif
[2011/07/31 15:29:25 | 001,008,041 | ---- | M] () -- C:\Documents and Settings\Christy\Desktop\WiNlOgOn.exe
[2011/07/31 15:29:06 | 001,008,041 | ---- | M] () -- C:\Documents and Settings\Christy\Desktop\rkill.com
[2011/07/31 13:19:24 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Christy\Desktop\Spybot - Search & Destroy.lnk
[2011/07/31 13:14:21 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Christy\Desktop\spybotsd162.exe
[2011/07/31 12:49:19 | 001,388,094 | ---- | M] () -- C:\Documents and Settings\Christy\Desktop\tdsskiller.zip
[2011/07/30 11:16:26 | 000,013,385 | ---- | M] () -- C:\WINDOWS\Pgibevipejid.dat
[2011/07/29 17:26:08 | 001,404,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Christy\Desktop\TDSSKiller.exe
[2011/07/27 20:22:11 | 009,466,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Christy\Desktop\firefox.exe
[2011/07/27 20:16:03 | 001,008,041 | ---- | M] () -- C:\Documents and Settings\Christy\Desktop\uSeRiNiT.exe
[2011/07/26 10:54:40 | 000,000,066 | ---- | M] () -- C:\WINDOWS\System32\784957101
[2011/07/26 10:53:37 | 000,793,600 | ---- | M] (Axes Array) -- C:\WINDOWS\System32\OLE232.exe
[2011/07/26 10:53:37 | 000,793,600 | ---- | M] (Axes Array) -- C:\WINDOWS\System32\atmlib32.exe
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Christy\*.tmp files -> C:\Documents and Settings\Christy\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/17 21:58:58 | 000,363,008 | ---- | C] () -- C:\WINDOWS\System32\atmlib32.dll
[2011/08/17 20:30:55 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/08/17 20:30:50 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/08/17 20:25:35 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/08/17 20:25:35 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/08/17 20:25:35 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/08/17 20:25:35 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/08/17 20:25:35 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/08/14 14:25:16 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Christy\Desktop\gmer.exe
[2011/08/14 13:59:05 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Christy\defogger_reenable
[2011/08/14 13:57:06 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Christy\Desktop\gmer.zip
[2011/08/14 13:56:01 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Christy\Desktop\Defogger.exe
[2011/08/13 16:35:44 | 534,827,008 | -HS- | C] () -- C:\hiberfil.sys
[2011/08/11 10:05:52 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\Christy\Desktop\mybam.exe.lnk
[2011/07/31 15:55:36 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/07/31 15:42:48 | 000,002,855 | ---- | C] () -- C:\Documents and Settings\Christy\Desktop\Shortcut to fake-mb.com.pif
[2011/07/31 15:29:25 | 001,008,041 | ---- | C] () -- C:\Documents and Settings\Christy\Desktop\WiNlOgOn.exe
[2011/07/31 13:19:24 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Christy\Desktop\Spybot - Search & Destroy.lnk
[2011/07/31 12:49:47 | 001,388,094 | ---- | C] () -- C:\Documents and Settings\Christy\Desktop\tdsskiller.zip
[2011/07/27 20:16:07 | 001,008,041 | ---- | C] () -- C:\Documents and Settings\Christy\Desktop\uSeRiNiT.exe
[2011/07/26 10:54:31 | 000,000,066 | ---- | C] () -- C:\WINDOWS\System32\784957101
[2011/04/27 19:40:56 | 000,016,280 | -HS- | C] () -- C:\Documents and Settings\Christy\Local Settings\Application Data\6s7j3n5y784145qp541bq567xiv72586o528c6
[2011/04/27 19:40:56 | 000,016,280 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\6s7j3n5y784145qp541bq567xiv72586o528c6
[2011/03/15 15:28:53 | 000,017,140 | -HS- | C] () -- C:\Documents and Settings\Christy\Local Settings\Application Data\3697761758
[2011/03/15 15:28:53 | 000,017,140 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3697761758
[2011/03/11 20:44:48 | 000,018,152 | -HS- | C] () -- C:\Documents and Settings\Christy\Local Settings\Application Data\3452207138
[2011/03/11 20:44:48 | 000,018,152 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\3452207138
[2010/11/23 09:09:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\popcreg.dat
[2010/11/23 09:09:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2010/10/29 15:03:14 | 000,000,052 | ---- | C] () -- C:\WINDOWS\wldtlk19.ini
[2010/10/14 16:40:22 | 000,001,073 | ---- | C] () -- C:\WINDOWS\tlknw19.ini
[2010/09/10 08:53:40 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/08/21 13:44:46 | 000,182,272 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2010/01/26 16:52:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Kcepofokeyibewer.bin
[2010/01/26 16:52:53 | 000,013,385 | ---- | C] () -- C:\WINDOWS\Pgibevipejid.dat
[2009/06/27 08:05:33 | 000,001,080 | ---- | C] () -- C:\WINDOWS\checkip.dat
[2007/11/06 14:19:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2007/11/06 14:11:05 | 000,000,087 | ---- | C] () -- C:\WINDOWS\encore_launcher.ini
[2006/10/26 20:12:25 | 000,022,334 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2006/06/26 10:33:40 | 000,023,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2005/06/23 23:04:11 | 000,000,197 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2005/06/23 19:35:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/05/08 16:17:48 | 000,000,327 | ---- | C] () -- C:\WINDOWS\tsac.ini
[2005/05/08 16:14:55 | 000,095,232 | ---- | C] () -- C:\WINDOWS\UNTSAC.EXE
[2005/05/08 16:14:55 | 000,002,552 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI
[2005/05/08 16:14:52 | 000,000,190 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2005/03/20 21:09:44 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2005/03/20 21:09:44 | 000,040,129 | ---- | C] () -- C:\WINDOWS\iccsigs.dat
[2005/03/20 21:09:44 | 000,000,149 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2005/03/20 21:07:36 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/12/06 08:10:31 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Christy\Local Settings\Application Data\fusioncache.dat
[2004/11/24 11:43:48 | 000,000,085 | ---- | C] () -- C:\WINDOWS\epro.ini
[2004/08/13 16:31:55 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Christy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/07/12 14:31:13 | 000,005,632 | R--- | C] () -- C:\WINDOWS\System32\CNMVSya.DLL
[2004/07/12 14:30:50 | 000,000,356 | R--- | C] () -- C:\WINDOWS\System32\CNCASv50.ini
[2004/07/12 14:30:36 | 000,000,462 | R--- | C] () -- C:\WINDOWS\System32\CNCMP50.INI
[2004/06/28 15:05:17 | 000,000,030 | ---- | C] () -- C:\WINDOWS\INTURS.DAT
[2004/06/26 12:20:45 | 000,000,290 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2004/06/26 12:20:40 | 000,000,231 | ---- | C] () -- C:\WINDOWS\KA.INI
[2004/06/26 12:13:45 | 000,032,768 | ---- | C] () -- C:\WINDOWS\HulaTech.exe
[2004/06/26 12:13:45 | 000,000,085 | ---- | C] () -- C:\WINDOWS\Hulabee.ini
[2004/06/25 17:41:21 | 000,001,835 | ---- | C] () -- C:\WINDOWS\Disney.ini
[2004/06/25 16:31:18 | 000,001,055 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2004/06/10 16:37:48 | 000,000,064 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2004/06/10 16:37:47 | 000,001,426 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2004/06/10 16:37:12 | 000,002,509 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/06/06 16:32:08 | 000,000,752 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2004/05/26 01:09:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/05/26 01:04:47 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/05/26 01:01:18 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/05/26 00:56:53 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/05/26 00:55:36 | 000,000,272 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/05/26 00:45:58 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/05/26 00:44:00 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/05/26 00:43:44 | 000,380,350 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/05/26 00:43:44 | 000,052,764 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/05/26 00:37:42 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/01/23 10:05:02 | 000,237,552 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/01/23 10:03:50 | 000,000,791 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2003/11/20 14:39:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/09/03 14:35:18 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 14:31:48 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/09/03 09:31:46 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2002/09/03 09:31:44 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2002/08/29 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2002/08/29 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2002/08/29 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2002/08/29 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2002/08/29 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2002/08/29 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[1980/01/01 01:00:00 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\igfxtray.exe
[1980/01/01 01:00:00 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\hkcmd.exe
[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== LOP Check ==========

[2005/05/05 09:25:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2010/12/15 21:19:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2010/11/23 09:10:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2008/01/31 09:39:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/01/30 13:19:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2004/05/26 00:58:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2011/02/04 19:21:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/12/25 13:45:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2004/07/19 16:55:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Christy\Application Data\Canon
[2004/06/26 12:14:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Christy\Application Data\Hulabee
[2005/01/24 10:22:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Christy\Application Data\Leadertech
[2010/12/16 18:48:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Christy\Application Data\LolClient
[2004/10/11 11:42:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Christy\Application Data\Nova Development
[2010/01/30 19:55:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Christy\Application Data\SSH
[2007/04/11 16:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Christy\Application Data\Viewpoint
[2004/05/28 20:06:19 | 000,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 1.job
[2011/08/21 04:16:03 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{951ED211-83B4-46F1-BEFC-11A4DE85A787}.job
[2011/08/21 04:18:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{AEB0A0A3-40CB-4388-B57B-99DBDFE9DE2E}.job

========== Purity Check ==========



< End of report >

#9 fways&greens

  • Topic Starter
  • Members
  • 12 posts

Posted 21 August 2011 - 03:47 AM

And here is Extras.txt:

OTL Extras logfile created on: 8/21/2011 4:14:00 AM - Run 1
OTL by OldTimer - Version 3.2.26.5 Folder = C:\Documents and Settings\Christy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 144.40 Mb Available Physical Memory | 28.31% Memory free
1.22 Gb Paging File | 0.93 Gb Available in Paging File | 76.23% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 36.22 Gb Free Space | 48.65% Space Free | Partition Type: NTFS

Computer Name: SAMANTHA | User Name: Christy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"56572:TCP" = 56572:TCP:*:Enabled:Pando Media Booster
"56572:UDP" = 56572:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"56572:TCP" = 56572:TCP:*:Enabled:Pando Media Booster
"56572:UDP" = 56572:UDP:*:Enabled:Pando Media Booster
"8381:TCP" = 8381:TCP:*:Enabled:League of Legends Launcher
"8381:UDP" = 8381:UDP:*:Enabled:League of Legends Launcher

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\SYSTEM32\dpvsetup.exe" = C:\WINDOWS\SYSTEM32\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Red Storm Entertainment\Ghost Recon\GhostRecon.exe" = C:\Program Files\Red Storm Entertainment\Ghost Recon\GhostRecon.exe:*:Enabled:GhostRecon -- ()
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{01BDFB08-EE88-4E5E-94A6-AE9EDCFA40C5}" = Microsoft IntelliPoint 4.0
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{211C4AB9-E3FD-44CE-A495-75B8F545886A}" = Backyard Football 2004
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 21
"{2FEA102C-F535-4513-009B-57B165013C18}" = Tiger Woods PGA TOUR 08
"{3195D3EF-0472-452B-8F79-6B07A040D301}" = League of Legends
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{45EBDA59-D33B-433A-956E-B2F236468B56}" = MUSICMATCH® Jukebox
"{4669544E-20E4-4E56-8B44-2E6E1200051F}" = Canon MP Toolbox 4.1
"{492E1D84-D7BF-4FA2-A26A-30AFC89EF547}" = Tiger Woods PGA TOUR 2003
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{58F8C6D9-5B55-486A-A322-4E8D87670031}" = Canon MP Drivers
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{6DA67AE6-8127-4A01-9A65-2587657B0678}" = Animated Software Co.'s Statistics Explained
"{703DE3AE-513C-11D6-B2F9-0002A5E32BEF}" = Pinball Panic
"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}" = SSH Secure Shell
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7C5B4583-7CBF-4289-B195-03B553959DEA}" = VoiceOver Kit
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8AC049F7-1383-45C3-9E7D-F93CA667F9E1}" = UMVPLStandalone
"{8BBA35B6-E1A9-4FE0-892B-8F7980584D52}" = NetZero Internet and Voice Offer
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90150409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Access 2003
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{98DF85D9-96C0-4F57-A92E-C3539477EF5E}" = DVDSentry
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AEDDF5A3-29CE-11D5-A8C2-000102246AAE}" = ubi.com
"{B196519A-A2AC-443E-84D1-F336B4E8F304}" = BIONICLE
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BCB8D603-985E-4765-B4AB-B4B991A535B7}" = Finding Nemo UWF
"{BEF726DD-4037-4214-8C6A-E625C02D2870}" = Logitech Audio Echo Cancellation Component
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C62D7344-8709-4443-9C95-F90659CBC27F}" = Art Explosion Publisher Pro
"{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update
"{C897FCB3-2F8B-4185-8035-79E2AF3A92A4}" = iTunes
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D89EF3B3-6F17-4665-B7A9-A4235A6DC787}" = Ghost Recon
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{EA516024-D84D-41F1-814F-83175A6188F2}" = Logitech Video Enumerator
"{EC42ED6A-751D-45C0-A4F9-8CD00E4690FC}" = Logitech QuickCam
"{FC4ED75D-916C-4A8C-BB67-3C6F6E06D62B}" = Banctec Service Agreement
"6th" = Geometry 7.0
"82A44D22-9452-49FB-00FB-CEC7DCAF7E23" = EA SPORTS online 2008
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 5.0 Limited Edition" = Adobe Photoshop 5.0 Limited Edition
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"alg1" = Algebra 1 7.0
"alg2" = Algebra 2 7.0
"algbstr" = Algebra Booster 2.5
"America Online us" = America Online (Choose which version to remove)
"AolCoach" = AOL Coach Version 1.0(Build:20030807.3)
"Blue's Reading Time Activities" = Blue's Reading Time Activities
"bm1" = Basic Math 1 7.0
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"ESET Online Scanner" = ESET Online Scanner v3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{211C4AB9-E3FD-44CE-A495-75B8F545886A}" = Backyard Football 2004
"InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"InstallShield_{BCB8D603-985E-4765-B4AB-B4B991A535B7}" = Finding Nemo: Nemo's Underwater World of Fun
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"JSLG_PH" = JumpStart Learning Games Phonics
"Matchbox Emergency Patrol" = Matchbox® Emergency Patrol™
"Mickey Mouse Kindergarten" = Disney's Mickey Mouse Kindergarten
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mike's Monstrous Adventure Preview" = Mike's Monstrous Adventure Preview
"Mind Power™ Math - Calculus" = Mind Power™ Math - Calculus
"Mini Golf" = Mini Golf
"ML GA HS Math 1" = ML GA HS Math 1
"Mozilla Firefox 5.0 (x86 en-US)" = Mozilla Firefox 5.0 (x86 en-US)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Plants vs. Zombies" = Plants vs. Zombies
"prealg" = Pre-Algebra 7.0
"PROSet" = Intel® PRO Network Adapters and Drivers
"QcDrv" = Logitech® Camera Driver
"RealPlayer 6.0" = RealPlayer Basic
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TRIG" = Trigonometry 7.0
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"XBTB00977.XBTB00977Toolbar" = Leopard Search Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/11/2011 9:54:47 AM | Computer Name = SAMANTHA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 5.0.0.4183, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/11/2011 3:37:02 PM | Computer Name = SAMANTHA | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module urlmon.dll, version 8.0.6001.19019, fault address 0x0002df6e.

Error - 8/12/2011 4:20:30 PM | Computer Name = SAMANTHA | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module mshtml.dll, version 8.0.6001.19019, fault address 0x00109434.

Error - 8/12/2011 7:57:02 PM | Computer Name = SAMANTHA | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crt>
with error: The connection with the server was terminated abnormally

Error - 8/12/2011 7:57:02 PM | Computer Name = SAMANTHA | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crt>
with error: This network connection does not exist.

Error - 8/12/2011 7:57:02 PM | Computer Name = SAMANTHA | Source = crypt32 | ID = 131077
Description = Failed auto update retrieval of third-party root certificate from:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212.crt>
with error: This network connection does not exist.

Error - 8/13/2011 6:41:30 AM | Computer Name = SAMANTHA | Source = MsiInstaller | ID = 11704
Description = Product: WebFldrs XP -- Error 1704. An installation for Microsoft
Office 2000 Premium is currently suspended. You must undo the changes made by that
installation to continue. Do you want to undo those changes?

Error - 8/13/2011 6:57:14 AM | Computer Name = SAMANTHA | Source = MsiInstaller | ID = 1008
Description = The installation of C:\Documents and Settings\faker\Desktop\Ad-Aware90Install.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

Error - 8/16/2011 7:14:14 AM | Computer Name = SAMANTHA | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module Flash9d.ocx, version 9.0.47.0, fault address 0x00123790.

Error - 8/17/2011 8:17:09 PM | Computer Name = SAMANTHA | Source = MsiInstaller | ID = 11704
Description = Product: Microsoft Security Client -- Error 1704. An installation
for Microsoft Office 2000 Premium is currently suspended. You must undo the changes
made by that installation to continue. Do you want to undo those changes?

[ System Events ]
Error - 8/17/2011 8:20:05 PM | Computer Name = SAMANTHA | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 8/17/2011 8:20:05 PM | Computer Name = SAMANTHA | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 8/17/2011 8:20:08 PM | Computer Name = SAMANTHA | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 8/17/2011 8:32:24 PM | Computer Name = SAMANTHA | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 8/17/2011 8:40:02 PM | Computer Name = SAMANTHA | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 8/17/2011 8:44:30 PM | Computer Name = SAMANTHA | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 8/17/2011 8:48:21 PM | Computer Name = SAMANTHA | Source = Service Control Manager | ID = 7000
Description = The Logitech Process Monitor service failed to start due to the following
error: %%5

Error - 8/17/2011 8:48:21 PM | Computer Name = SAMANTHA | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Windows Hardware Manager
service to connect.

Error - 8/17/2011 9:37:14 PM | Computer Name = SAMANTHA | Source = Service Control Manager | ID = 7000
Description = The Logitech Process Monitor service failed to start due to the following
error: %%5

Error - 8/17/2011 9:37:14 PM | Computer Name = SAMANTHA | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Windows Hardware Manager
service to connect.


< End of report >
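As an added example (not OTL's code and not anything posted in this thread), a small triage pass over OTL file lines in the format used by the logs above: it parses each `[date time | size | attrs | C/M] (Company) -- path` line and flags entries by three rules chosen for this example (a recent non-Microsoft binary in System32, a hidden+system extensionless file under Application Data, a well-known Windows binary name outside System32). The 30-day window mirrors the "File Age = 30 Days" setting in the log header, the rule names are the example's own, and the sample lines are copied from the logs above.

```python
"""Triage helper for OTL file-list lines (added example, not OTL's own code).

An OTL file line looks like:
  [2011/08/17 21:58:58 | 000,363,008 | ---- | C] () -- C:\\WINDOWS\\System32\\atmlib32.dll
   date       time       size          attrs  kind  company    path
kind is C (created) or M (modified); attrs are R/H/S/D flags or '-'.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Windows binary names worth a second look when found outside System32.
# A hit is a prompt to review, not a verdict: in this thread's log the desktop
# WiNlOgOn.exe and uSeRiNiT.exe have exactly rkill.com's size (1,008,041 bytes),
# i.e. they are the poster's renamed copies of rkill.
SYSTEM_NAMES = {"winlogon.exe", "userinit.exe", "svchost.exe", "lsass.exe", "csrss.exe"}

SYSTEM32 = r"c:\windows\system32"


def parse_line(line):
    """Return a dict for one OTL file line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    return {
        "when": datetime.strptime(m.group("stamp"), "%Y/%m/%d %H:%M:%S"),
        "size": int(m.group("size").replace(",", "")),
        "attrs": m.group("attrs"),
        "kind": m.group("kind"),
        "company": m.group("company").strip(),
        "path": path,
        "name": path.rsplit("\\", 1)[-1].lower(),
        "dir": path.rsplit("\\", 1)[0].lower(),
    }


def triage(entry, report_time, max_age_days=30):
    """Return the list of rule names the entry trips (empty = nothing notable)."""
    hits = []
    name, d, attrs = entry["name"], entry["dir"], entry["attrs"]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    recent = report_time - entry["when"] <= timedelta(days=max_age_days)

    # Rule 1: a fresh executable in System32 that is not attributed to Microsoft
    # (no company name, or a company nobody recognises).
    if (d == SYSTEM32 and ext in {"exe", "dll", "sys"} and recent
            and "microsoft" not in entry["company"].lower()):
        hits.append("recent-system32-binary")

    # Rule 2: hidden + system, extensionless file under an Application Data folder.
    if "H" in attrs and "S" in attrs and "\\application data" in d and ext == "":
        hits.append("hidden-system-appdata")

    # Rule 3: a well-known Windows binary name living outside System32.
    if name in SYSTEM_NAMES and d != SYSTEM32:
        hits.append("system-name-outside-system32")
    return hits


def triage_log(text, report_time, max_age_days=30):
    """Map path -> rule hits for every parseable file line that trips a rule."""
    findings = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = triage(entry, report_time, max_age_days)
        if hits:
            findings[entry["path"]] = hits
    return findings


# Sample input: lines copied from the OTL logs above, plus one section header.
SAMPLE = r"""
[2011/08/17 21:58:58 | 000,363,008 | ---- | C] () -- C:\WINDOWS\System32\atmlib32.dll
[2011/07/26 10:53:37 | 000,793,600 | ---- | M] (Axes Array) -- C:\WINDOWS\System32\OLE232.exe
[2011/07/31 15:29:25 | 001,008,041 | ---- | C] () -- C:\Documents and Settings\Christy\Desktop\WiNlOgOn.exe
[2011/04/27 19:40:56 | 000,016,280 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\6s7j3n5y784145qp541bq567xiv72586o528c6
[2004/05/26 00:44:00 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[1980/01/01 01:00:00 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\igfxtray.exe
========== LOP Check ==========
"""
REPORT_TIME = datetime(2011, 8, 21, 4, 14)  # "logfile created on" from the Extras header

if __name__ == "__main__":
    for path, hits in triage_log(SAMPLE, REPORT_TIME).items():
        print(", ".join(hits), "->", path)
```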

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 21 August 2011 - 02:19 PM

Good evening. :)

The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.

  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

3) Double-click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

Let me know how you get on and how the PC is behaving afterwards.

So long, and thanks for all the fish.

#11 fways&greens

fways&greens
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 22 August 2011 - 08:20 PM

Hi,
I've taken these steps and things seem to be working just fine. Thank you very much for all your help. I really appreciate it.

#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:33 AM

Posted 23 August 2011 - 03:03 PM

Good evening. :)

You've got what look like a few malicious files on your system, so I'd like you to run an online scan to see what ESET thinks.

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.

#13 fways&greens

fways&greens
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 24 August 2011 - 10:11 PM

Here's what the new ESET scanner run found:

C:\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\Christy\Desktop\DesktopStuff\Installer Backups\SmitfraudFix-warning-don't open\Process.exe Win32/PrcView application
C:\Documents and Settings\Christy\Local Settings\Application Data\{82D7E440-696D-42D1-A343-6FEBF29F89EA}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
C:\Documents and Settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\Mitchell\Local Settings\Application Data\{2EC3897C-6632-484A-A17C-2D3999350A35}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\Tommy\Local Settings\Application Data\{312C6904-A298-4D0C-A6A9-324A662647E9}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Audrey\Local Settings\Application Data\{A80CC27B-7879-4171-8FF9-875EACE2374C}\chrome\content\overlay.xul.vir probably a variant of Win32/Agent.NVQFFQI trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\Documents and Settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\atmlib32.dll.vir a variant of Win32/Kryptik.QSR trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\cdrom.sys.vir a variant of Win32/Rootkit.Kryptik.DM trojan
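
Reading the ESET list above, the bulk of it is a single malicious Firefox extension (two GUIDs) that was dropped into the extensions folder of every user profile on the machine, plus a set of .vir copies under C:\Qoobox\Quarantine, which is the quarantine folder ComboFix uses (general knowledge, not stated in the thread), so those entries are inert copies rather than live files. The following Python script is an added example and is not part of the original thread or of any ESET tool: it parses lines in the format ESET exported here, separates live detections from quarantined ones, and groups the extension GUIDs by the profiles they were planted in. The sample input is a subset of the lines from this post; the line regex assumes a single-word verdict class at the end of each line (trojan, application), which is all this log contains.

```python
import re
from collections import defaultdict

# Subset of the ESET Online Scanner lines posted above (copied from the post,
# not invented). Each line is "<path> <verdict> <class>"; paths contain spaces.
ESET_LOG = r"""
C:\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar JS/Agent.NDJ trojan
C:\Documents and Settings\Christy\Desktop\DesktopStuff\Installer Backups\SmitfraudFix-warning-don't open\Process.exe Win32/PrcView application
C:\Documents and Settings\Christy\Local Settings\Application Data\{82D7E440-696D-42D1-A343-6FEBF29F89EA}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan
C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\atmlib32.dll.vir a variant of Win32/Kryptik.QSR trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\cdrom.sys.vir a variant of Win32/Rootkit.Kryptik.DM trojan
"""

# The path is everything up to the verdict token, which is the only token on
# the line containing a "/" (e.g. Win32/Kryptik.QSR), optionally prefixed by
# "probably " and/or "a variant of ". Assumes a single-word class at the end.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<verdict>(?:probably )?(?:a variant of )?\S+/\S+)\s+"
    r"(?P<kind>\w+)$"
)
USER_RE = re.compile(r"\\Documents and Settings\\([^\\]+)\\")
EXT_RE = re.compile(r"\\extensions\\(\{[0-9a-fA-F-]+\})\\")
# ComboFix quarantine folder (general knowledge, not stated in the thread).
QUARANTINE_PREFIX = "C:\\Qoobox\\Quarantine\\"


def parse_eset_log(text):
    """Turn ESET export lines into records with user, extension GUID and live/quarantined state."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET line: {line}")
        path = m["path"]
        user_m = USER_RE.search(path)
        ext_m = EXT_RE.search(path)
        records.append({
            "path": path,
            "verdict": m["verdict"],
            "kind": m["kind"],
            "user": user_m.group(1) if user_m else None,
            "extension_id": ext_m.group(1).lower() if ext_m else None,
            # .vir copies inside the quarantine tree are no longer live files.
            "quarantined": path.startswith(QUARANTINE_PREFIX) or path.endswith(".vir"),
        })
    return records


def summarize(records):
    """Count live vs quarantined hits and map each Firefox extension GUID to the profiles it lives in."""
    live = [r for r in records if not r["quarantined"]]
    ext_users = defaultdict(set)
    for r in live:
        if r["extension_id"]:
            ext_users[r["extension_id"]].add(r["user"])
    by_verdict = defaultdict(int)
    for r in live:
        by_verdict[r["verdict"]] += 1
    return {
        "total": len(records),
        "live": len(live),
        "quarantined": len(records) - len(live),
        "live_users": sorted({r["user"] for r in live if r["user"]}),
        "extension_users": {k: sorted(v) for k, v in ext_users.items()},
        "live_by_verdict": dict(by_verdict),
    }


if __name__ == "__main__":
    summary = summarize(parse_eset_log(ESET_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The useful output is the extension_users map: when one GUID shows up under several profiles, cleaning a single user's Firefox profile will not end the redirects, which is why the OTL fix that follows lists every profile's copy explicitly.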

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:05:33 AM

Posted 25 August 2011 - 03:13 PM

Good evening. :)

Run OTL.exe.

  • Copy and paste the following into the Custom Scans/Fixes box at the bottom:

    :OTL
    SRV - [2011/07/26 10:53:37 | 000,793,600 | ---- | M] (Axes Array) [Auto | Running] -- C:\WINDOWS\SYSTEM32\OLE232.exe -- (WmdmPmSN32)
    O2 - BHO: (no name) - {031766FC-BE54-4694-A4B7-2BB1BCEFFA67} - C:\WINDOWS\SYSTEM32\atmlib32.dll ()
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - File not found
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)


    :Files
    C:\WINDOWS\SYSTEM32\atmlib32.exe
    C:\WINDOWS\SYSTEM32\OLE232.exe
    C:\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest
    C:\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar
    C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest
    C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar
    C:\Documents and Settings\Christy\Local Settings\Application Data\{82D7E440-696D-42D1-A343-6FEBF29F89EA}\chrome\content\overlay.xul
    C:\Documents and Settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest
    C:\Documents and Settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar
    C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest
    C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar
    C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest
    C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar
    C:\Documents and Settings\Mitchell\Local Settings\Application Data\{2EC3897C-6632-484A-A17C-2D3999350A35}\chrome\content\overlay.xul
    C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest
    C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar
    C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest
    C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar
    C:\Documents and Settings\Tommy\Local Settings\Application Data\{312C6904-A298-4D0C-A6A9-324A662647E9}\chrome\content\overlay.xul

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Click the Run Fix button at the top.
  • Let the program run until it has completed and then reboot the PC when it is done.
Please let me have a copy of the log that appears once OTL has completed its run.

Will you also run OTL as before and let me have the log produced, once you've completed the above - there will only be one log this time.

So long, and thanks for all the fish.

#15 fways&greens

fways&greens
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 26 August 2011 - 03:49 AM

OK, here is the first execution log with "Run Fix":

All processes killed
========== OTL ==========
Error: No service named WmdmPmSN32 was found to stop!
Service\Driver key WmdmPmSN32 not found.
File C:\WINDOWS\SYSTEM32\OLE232.exe not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{031766FC-BE54-4694-A4B7-2BB1BCEFFA67}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{031766FC-BE54-4694-A4B7-2BB1BCEFFA67}\ not found.
File C:\WINDOWS\SYSTEM32\atmlib32.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
========== FILES ==========
File\Folder C:\WINDOWS\SYSTEM32\atmlib32.exe not found.
File\Folder C:\WINDOWS\SYSTEM32\OLE232.exe not found.
C:\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest moved successfully.
C:\Documents and Settings\Audrey\Application Data\Mozilla\Firefox\Profiles\y1pertpv.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar moved successfully.
C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest moved successfully.
C:\Documents and Settings\Christy\Application Data\Mozilla\Firefox\Profiles\3o36bkcu.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar moved successfully.
C:\Documents and Settings\Christy\Local Settings\Application Data\{82D7E440-696D-42D1-A343-6FEBF29F89EA}\chrome\content\overlay.xul moved successfully.
C:\Documents and Settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest moved successfully.
C:\Documents and Settings\faker\Application Data\Mozilla\Firefox\Profiles\zyabxz7t.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar moved successfully.
C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest moved successfully.
C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar moved successfully.
C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest moved successfully.
C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\4s1s2wbh.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar moved successfully.
C:\Documents and Settings\Mitchell\Local Settings\Application Data\{2EC3897C-6632-484A-A17C-2D3999350A35}\chrome\content\overlay.xul moved successfully.
C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome.manifest moved successfully.
C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{01784b1b-d164-4c71-a3d5-7cdf4cf62f48}\chrome\xulcache.jar moved successfully.
C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome.manifest moved successfully.
C:\Documents and Settings\Tommy\Application Data\Mozilla\Firefox\Profiles\kcik7cg0.default\extensions\{ef575ccb-03d6-433c-ae0b-03f7aa3ce9b1}\chrome\xulcache.jar moved successfully.
C:\Documents and Settings\Tommy\Local Settings\Application Data\{312C6904-A298-4D0C-A6A9-324A662647E9}\chrome\content\overlay.xul moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Audrey
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Christy
->Temp folder emptied: 6840 bytes
->Temporary Internet Files folder emptied: 84612 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 39997568 bytes
->Flash cache emptied: 456 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: faker
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: John
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Mitchell
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Tommy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 38.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Audrey
->Flash cache emptied: 0 bytes

User: Christy
->Flash cache emptied: 0 bytes

User: Default User

User: faker
->Flash cache emptied: 0 bytes

User: John
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: Mitchell
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Tommy
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.26.5 log created on 08262011_044420

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



