
Have something. Don't know what


This topic is locked
28 replies to this topic

#1 scalelar

  • Members
  • 16 posts

Posted 12 November 2011 - 11:00 PM

I originally posted this in another forum and was referred here. Here is the link to the original post: http://www.bleepingcomputer.com/forums/topic427171.html The symptoms are slow response for Mozilla, and a lot of the searches time out and get redirected to some other search engine. I downloaded Malwarebytes, but it found nothing in the scan; however, it is now blocking outgoing access to malicious websites.
I ran the DDS program, but the results weren't as described and the log file was mostly garbage; I can post it or re-try if necessary. I did run GMER successfully and am attaching the file.
Any and all help appreciated.

Attached Files


Edited by Orange Blossom, 13 November 2011 - 01:10 AM.
Revealed link. ~ OB



#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,622 posts

Posted 17 November 2011 - 11:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427644 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 19 November 2011 - 08:26 AM

Welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\*
    %USERPROFILE%\..|smtmp;true;true;true /FP
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators

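The OTL log requested in the post above is read by hand by the responder, but the first pass over it is mechanical. The following Python script is an added example, not part of this thread and not OTL's own code: it parses lines in OTL's format and flags what an analyst looks at first, namely load points whose file no longer exists ("File not found"), URLSearchHook and toolbar GUIDs with no CLSID registration, modules with no company name loaded from a system directory, and IE/Firefox proxy settings that are switched on (one common lever behind search redirects). Winsock catalog (O10) entries that point at a missing LSP DLL are counted separately, because a Winsock chain that references a DLL which is really gone can break networking on the machine. The SAMPLE_LOG lines are constructed to mirror the format of the log posted later in the thread (the "ProxyEnable" = 1 line under a placeholder SID is a made-up positive case); the Finding kinds, the SYSTEM_DIRS list and the function names are my own choices, not OTL terminology.

```python
"""Triage of an OTL log.  Added example for this thread; not OTL's own code
and not from the thread.  SAMPLE_LOG is constructed to mirror the format of
the log posted in the thread (the "ProxyEnable" = 1 line is a made-up positive)."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "tag kind detail")

# Each OTL entry is "<TAG> - <body>": PRC/MOD/SRV/DRV for processes, modules,
# services and drivers, IE/FF for browser settings, HijackThis-style O1..O16
# for autostart and hook sections.  Section banners and blank lines don't match.
LINE_RE = re.compile(r"^(?P<tag>PRC|MOD|SRV|DRV|IE|FF|O\d+) - (?P<body>.+)$")

# "[date | size | attrs | M] (Company) [Start | State] -- path -- (Name)";
# an empty "()" means the binary has no CompanyName in its version resource.
COMPANY_RE = re.compile(
    r"\] \((?P<company>[^)]*)\)(?: \[[^\]]*\])? -- (?P<path>.+?)(?: -- \(.*\))?$"
)
PROXY_RE = re.compile(r'(?:"ProxyEnable" = |network\.proxy\.type: )(\d+)')
SYSTEM_DIRS = ("\\windows\\", "\\system32\\", "\\globalroot\\")  # my own choice

SAMPLE_LOG = r"""
========== Win32 Services (SafeList) ==========
SRV - File not found [Auto | Stopped] -- -- (NVSvc)
SRV - File not found [Auto | Running] -- -- (!SASCORE)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
========== Modules (No Company Name) ==========
MOD - [2011/10/04 17:15:58 | 001,833,944 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
========== Standard Registry (SafeList) ==========
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - prefs.js..network.proxy.type: 0
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
"""


def triage(log_text):
    """Return one Finding per OTL entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section banner, blank line or free text
        tag, body = m.group("tag"), m.group("body")
        if "File not found" in body:
            # A load point that still references a deleted file: leftover of an
            # uninstall, of a removal tool, or of malware that was only partly cleaned.
            findings.append(Finding(tag, "missing_file", body))
        elif "No CLSID value found" in body:
            # Hook/toolbar GUID with no matching HKCR\CLSID registration.
            findings.append(Finding(tag, "missing_clsid", body))
        elif tag in ("PRC", "MOD", "SRV", "DRV"):
            cm = COMPANY_RE.search(body)
            if cm and not cm.group("company"):
                path = cm.group("path").lower()
                if any(d in path for d in SYSTEM_DIRS):
                    findings.append(Finding(tag, "no_company_in_system_dir", body))
        elif tag in ("IE", "FF"):
            pm = PROXY_RE.search(body)
            if pm and pm.group(1) != "0":
                findings.append(Finding(tag, "proxy_enabled", body))
    return findings


def summarize(findings):
    """Counts per kind, plus how many Winsock catalog (O10) entries point at a missing LSP DLL."""
    counts = Counter(f.kind for f in findings)
    lsp_broken = sum(1 for f in findings if f.tag == "O10" and f.kind == "missing_file")
    return {"by_kind": dict(counts), "broken_lsp_entries": lsp_broken}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:26} {f.tag:4} {f.detail}")
    print(summarize(found))
```

Run it against a real OTL.txt by passing the file contents to triage(); everything it flags still needs a human decision, since a "File not found" run entry left behind by an uninstaller is noise while the same string on an O10 protocol entry is a networking problem.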

#4 scalelar
  • Topic Starter

  • Members
  • 16 posts

Posted 19 November 2011 - 08:42 AM

My browser will launch by itself sometimes, and when I have it up it will open a new tab and go to something like somedavinciserver.com/?search=starland+pembroke&subid=0&key=b1f42ef31be7951af15e. I use SUPERAntiSpyware, and when it scans it always finds the same adware even if I don't connect to the web. It says it removes them, but they always come back. I noticed by chance that about 14 GB gets written into C:\Documents and Settings into some hidden folder.

The DDS did not run as advertised. I'll try again if needed.

I do not have the original disks.

Attached Files



#5 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 19 November 2011 - 08:43 AM

Please try OTL as instructed instead of DDS.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#6 scalelar
  • Topic Starter

  • Members
  • 16 posts

Posted 19 November 2011 - 04:36 PM

OK, here are the OTL logs. Should I run GMER again? I didn't catch turning off CD emulation before. I ran Defogger and it did not ask me to reboot.



OTL logfile created on: 11/19/2011 4:09:19 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Dell\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.19 Gb Available Physical Memory | 59.40% Memory free
3.85 Gb Paging File | 3.13 Gb Available in Paging File | 81.31% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 53.20 Gb Free Space | 57.11% Space Free | Partition Type: NTFS

Computer Name: DELL-C8572738BF | User Name: Dell | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found --
PRC - [2011/11/19 16:06:24 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dell\My Documents\Downloads\OTL.exe
PRC - [2011/11/11 12:18:57 | 004,617,600 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2011/10/04 17:15:59 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/03/15 13:44:30 | 000,428,384 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
PRC - [2011/03/15 13:44:28 | 000,650,080 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
PRC - [2010/08/20 14:31:50 | 000,224,104 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\RsvcHost.exe
PRC - [2010/08/11 18:04:36 | 001,869,312 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Rockwell Software\FactoryTalk Activation\flexsvr.exe
PRC - [2010/05/17 21:07:14 | 001,122,568 | R--- | M] (Acresso Software Inc.) -- C:\Program Files\Rockwell Software\FactoryTalk Activation\lmgrd.exe
PRC - [2009/11/27 17:33:54 | 000,053,248 | ---- | M] (Schneider Automation) -- C:\WINDOWS\system32\UsbConsole.exe
PRC - [2009/09/10 15:54:40 | 000,049,152 | ---- | M] (Schneider Automation SAS) -- C:\WINDOWS\system32\NA_Service.exe
PRC - [2009/08/13 13:19:02 | 000,202,016 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
PRC - [2009/07/03 02:46:56 | 000,083,232 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
PRC - [2009/06/11 10:17:30 | 000,902,432 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
PRC - [2009/06/11 10:17:26 | 001,013,024 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
PRC - [2009/06/11 10:16:46 | 000,222,496 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\RdcyHost.exe
PRC - [2009/06/11 10:16:38 | 000,222,496 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\NmspHost.exe
PRC - [2009/06/11 10:15:22 | 000,222,496 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\EventServer.exe
PRC - [2009/06/11 10:15:18 | 000,292,128 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
PRC - [2009/01/09 15:21:40 | 000,651,264 | ---- | M] () -- C:\Program Files\PST\Binaries\RACurrTray.exe
PRC - [2008/12/11 11:23:42 | 000,077,824 | ---- | M] (Schneider Automation) -- C:\WINDOWS\system32\UsbConnect.exe
PRC - [2008/05/27 18:17:44 | 000,434,176 | ---- | M] (Rockwell Automation, Inc.) -- C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/13 16:03:34 | 000,229,376 | ---- | M] (Schneider Automation) -- C:\WINDOWS\system32\ModbusDrv.exe
PRC - [2007/03/30 15:48:32 | 000,106,496 | ---- | M] (Schneider Electric) -- C:\WINDOWS\system32\NA_XWAY.exe
PRC - [2006/10/29 10:17:14 | 000,397,312 | R--- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2002/12/17 11:28:00 | 000,684,032 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/19 16:03:31 | 000,063,488 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
MOD - [2011/11/19 16:03:31 | 000,052,736 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10007.dll
MOD - [2011/10/04 17:15:58 | 001,833,944 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/08/22 04:58:21 | 000,117,760 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
MOD - [2011/08/22 04:58:21 | 000,052,224 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
MOD - [2010/08/20 14:22:18 | 000,059,752 | ---- | M] () -- C:\Program Files\Common Files\Rockwell\FTDiagnosticsODBCEnu.dll
MOD - [2010/06/03 12:46:00 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009/08/13 13:18:46 | 000,028,448 | ---- | M] () -- C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxOPCMsgs.dll
MOD - [2009/08/13 13:18:34 | 000,014,624 | ---- | M] () -- C:\Program Files\Rockwell Software\RSLinx Enterprise\PKTXMsgs.dll
MOD - [2009/01/09 15:21:40 | 000,651,264 | ---- | M] () -- C:\Program Files\PST\Binaries\RACurrTray.exe
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/05/27 18:16:34 | 000,053,248 | ---- | M] () -- C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\rausbciplib.dll
MOD - [2008/04/14 06:42:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 06:41:52 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (NVSvc)
SRV - File not found [Auto | Running] -- -- (!SASCORE)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/03/15 13:44:30 | 000,428,384 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe -- (PMBDeviceInfoProvider)
SRV - [2010/08/20 14:31:50 | 000,224,104 | ---- | M] (Rockwell Automation, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Rockwell\RsvcHost.exe -- (RsvcHost)
SRV - [2010/08/20 14:31:44 | 000,245,096 | ---- | M] (Rockwell Automation, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe -- (RNADiagReceiver)
SRV - [2010/08/20 14:31:44 | 000,030,056 | ---- | M] (Rockwell Automation Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe -- (RNADiagnosticsService)
SRV - [2010/08/11 18:07:08 | 000,116,072 | ---- | M] (Rockwell Automation, Inc.) [Auto | Stopped] -- C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe -- (FTActivationBoost)
SRV - [2010/08/02 15:15:30 | 000,077,944 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2010/05/17 21:07:14 | 001,122,568 | R--- | M] (Acresso Software Inc.) [Auto | Running] -- C:\Program Files\Rockwell Software\FactoryTalk Activation\lmgrd.exe -- (FactoryTalk Activation Service)
SRV - [2009/09/10 15:54:40 | 000,049,152 | ---- | M] (Schneider Automation SAS) [Auto | Running] -- C:\WINDOWS\system32\NA_Service.exe -- (NA_Service)
SRV - [2009/08/13 13:19:02 | 000,202,016 | ---- | M] (Rockwell Automation, Inc.) [Auto | Running] -- C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe -- (RSLinxNG)
SRV - [2009/08/13 13:18:58 | 000,091,424 | ---- | M] (Rockwell Automation, Inc.) [On_Demand | Stopped] -- C:\Program Files\Rockwell Software\RSLinx Enterprise\LogReceiver.exe -- (LogReceiver)
SRV - [2009/07/22 14:56:04 | 001,971,760 | ---- | M] (Rockwell Automation, Inc.) [On_Demand | Stopped] -- C:\Program Files\Rockwell Software\RSLINX\RSLINX.EXE -- (RSLinx)
SRV - [2009/07/03 02:47:52 | 000,152,864 | ---- | M] (Rockwell Automation, Inc.) [On_Demand | Stopped] -- C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe -- (Rockwell Tag Server)
SRV - [2009/07/03 02:46:56 | 000,083,232 | ---- | M] (Rockwell Automation, Inc.) [Auto | Running] -- C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe -- (Rockwell HMI Diagnostics)
SRV - [2009/06/11 10:17:30 | 000,902,432 | ---- | M] (Rockwell Automation, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Rockwell\RnaDirServer.exe -- (RNADirectory)
SRV - [2009/06/11 10:17:26 | 001,013,024 | ---- | M] (Rockwell Automation, Inc.) [On_Demand | Running] -- C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe -- (RNADirMultiplexor)
SRV - [2009/06/11 10:16:46 | 000,222,496 | ---- | M] (Rockwell Automation, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Rockwell\RdcyHost.exe -- (RdcyHost)
SRV - [2009/06/11 10:16:38 | 000,222,496 | ---- | M] (Rockwell Automation, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Rockwell\NmspHost.exe -- (NmspHost)
SRV - [2009/06/11 10:15:22 | 000,222,496 | ---- | M] (Rockwell Automation, Inc.) [On_Demand | Running] -- C:\Program Files\Common Files\Rockwell\EventServer.exe -- (EventServer)
SRV - [2009/06/11 10:15:18 | 000,292,128 | ---- | M] (Rockwell Automation, Inc.) [On_Demand | Running] -- C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe -- (EventClientMultiplexer)
SRV - [2009/02/16 18:03:22 | 000,202,016 | ---- | M] (Rockwell Automation, Inc.) [On_Demand | Stopped] -- C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE -- (Harmony)
SRV - [2008/12/11 11:23:42 | 000,077,824 | ---- | M] (Schneider Automation) [Auto | Running] -- C:\WINDOWS\system32\UsbConnect.exe -- (UsbConnect)
SRV - [2008/06/04 15:04:32 | 000,099,728 | ---- | M] (Rockwell Automation, Inc.) [On_Demand | Stopped] -- C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe -- (dnWhoDisp)
SRV - [2005/11/25 11:11:02 | 000,098,304 | ---- | M] (OPC Foundation) [On_Demand | Stopped] -- C:\WINDOWS\system32\OpcEnum.exe -- (OpcEnum)


========== Driver Services (SafeList) ==========

DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/08/21 19:29:25 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/08/21 19:29:24 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/10/21 11:03:35 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2010/10/21 11:03:35 | 000,143,834 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2010/10/21 11:03:35 | 000,030,630 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2010/10/21 11:03:35 | 000,025,898 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2009/07/22 15:32:00 | 000,119,008 | ---- | M] (Rockwell Software, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\abpicw2k.sys -- (abpicw2k)
DRV - [2009/06/26 18:03:38 | 000,155,440 | ---- | M] (Rockwell Software Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\RSSERIAL.SYS -- (RSSERIAL)
DRV - [2009/06/26 18:03:38 | 000,039,067 | ---- | M] (Rockwell Software Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\RSIKT.SYS -- (RsiKtControl)
DRV - [2006/10/29 10:16:46 | 001,047,816 | R--- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/10/29 10:16:10 | 000,028,672 | R--- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbccid.sys -- (USBCCID)
DRV - [2006/10/29 10:12:18 | 001,428,480 | R--- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2006/04/01 00:33:16 | 000,134,272 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/02/24 17:42:54 | 000,053,568 | ---- | M] (Schneider Automation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DuntlwNT.sys -- (Duntlw)
DRV - [2002/12/17 11:32:58 | 000,061,424 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2002/12/17 11:32:46 | 000,023,436 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2002/12/17 11:27:32 | 000,241,152 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/11/13 16:38:40 | 000,016,447 | ---- | M] (Rockwell Automation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\RSI-PKTX-A.SYS -- (RSI-PKTX-A)
DRV - [2002/04/23 21:02:26 | 000,038,999 | ---- | M] (Rockwell Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\RSIKTNG.SYS -- (RSLINXNGKtControl)
DRV - [2001/06/21 20:39:02 | 000,073,728 | ---- | M] (Rainbow Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)
DRV - [2001/06/21 20:39:02 | 000,020,032 | R--- | M] (Rainbow Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS -- (Sntnlusb)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-682003330-746137067-1614895754-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-682003330-746137067-1614895754-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/04 17:15:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/17 07:37:04 | 000,000,000 | ---D | M]

[2010/11/08 12:45:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dell\Application Data\Mozilla\Extensions
[2010/11/08 12:45:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dell\Application Data\Mozilla\Firefox\Profiles\lkpo7jwf.default\extensions
[2011/05/10 19:49:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/08 14:56:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/11/08 14:56:30 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/22 08:21:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/10/04 17:15:59 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/11/08 14:56:30 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/05/10 19:53:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-682003330-746137067-1614895754-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-682003330-746137067-1614895754-1003\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet File not found
O4 - HKLM..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe (Sony Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [UsbCipHelper] C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe (Rockwell Automation, Inc.)
O4 - HKU\S-1-5-21-682003330-746137067-1614895754-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe (Autodesk, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RACurrTray.lnk = C:\Program Files\PST\Binaries\RACurrTray.exe ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-682003330-746137067-1614895754-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D59124D5-442C-44C5-BD9A-E81BB0582D55} http://raiseinstall.rockwellautomation.com/pstoolbox-lite-1-2010/setup.ocx (InstallShield Setup Player V16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9779D940-3CC2-4D32-B9B8-0C0D6BE28EA4}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/07/02 17:03:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\##Ccs_server#documents\Shell - "" = AutoRun
O33 - MountPoints2\##Ccs_server#documents\Shell\AutoplaY\cOmmAnD - "" = tyngv.exe
O33 - MountPoints2\##Ccs_server#documents\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##Ccs_server#documents\Shell\AutoRun\command - "" = tyngv.exe
O33 - MountPoints2\##Ccs_server#documents\Shell\EXPLoRE\CommaNd - "" = tyngv.exe
O33 - MountPoints2\##Ccs_server#documents\Shell\Open\coMMaND - "" = tyngv.exe
O33 - MountPoints2\{7cc56cbc-7fec-11e0-9b8b-001641b82c98}\Shell - "" = AutoRun
O33 - MountPoints2\{7cc56cbc-7fec-11e0-9b8b-001641b82c98}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7cc56cbc-7fec-11e0-9b8b-001641b82c98}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2011/11/18 18:47:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ReinstallBackups
[2011/11/10 23:01:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/11/10 06:58:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dell\Application Data\Malwarebytes
[2011/11/10 06:58:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/10 06:58:15 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/11/10 06:58:12 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/11/10 06:58:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/11/09 21:27:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/11/09 20:58:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/11/09 20:55:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2011/11/09 18:32:48 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Dell\Local Settings\Application Data\e6b4a0b1
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

File not found -- C:\WINDOWS\System32\
[2011/11/19 16:07:38 | 000,000,626 | ---- | M] () -- C:\Documents and Settings\Dell\Desktop\Shortcut to OTL.lnk
[2011/11/19 16:03:17 | 000,084,438 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/11/19 16:03:17 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\NvwsApps.xml
[2011/11/19 16:02:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/19 08:37:20 | 000,607,260 | ---- | M] () -- C:\Documents and Settings\Dell\My Documents\dds.scr
[2011/11/19 08:34:52 | 000,000,626 | ---- | M] () -- C:\Documents and Settings\Dell\Desktop\Shortcut (2) to dds.lnk
[2011/11/18 21:12:57 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/14 20:00:04 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/11 20:08:25 | 000,000,871 | ---- | M] () -- C:\Documents and Settings\Dell\Desktop\Shortcut to dds.lnk
[2011/11/11 12:20:46 | 000,466,990 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/11 12:20:46 | 000,080,352 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/10 06:58:16 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/09 07:19:17 | 000,084,438 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2011/11/08 10:15:46 | 001,331,434 | ---- | M] () -- C:\Documents and Settings\Dell\My Documents\PLC_P200_1908.ACD
[2011/11/07 17:47:30 | 001,329,701 | ---- | M] () -- C:\Documents and Settings\Dell\My Documents\PLC_P200_1908_BAK001.acd
[2011/11/03 07:45:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/10/31 13:43:30 | 000,000,371 | ---- | M] () -- C:\Documents and Settings\Dell\My Documents\okcaser25.bpc
[2011/10/27 13:34:38 | 000,000,371 | ---- | M] () -- C:\Documents and Settings\Dell\My Documents\cpu167Bootp.bpc
[2011/10/27 08:57:58 | 000,000,379 | ---- | M] () -- C:\WINDOWS\Modicon.ini
[2011/10/26 11:49:10 | 000,000,744 | ---- | M] () -- C:\WINDOWS\concept.ini
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/11/19 16:07:38 | 000,000,626 | ---- | C] () -- C:\Documents and Settings\Dell\Desktop\Shortcut to OTL.lnk
[2011/11/19 08:37:20 | 000,607,260 | ---- | C] () -- C:\Documents and Settings\Dell\My Documents\dds.scr
[2011/11/19 08:34:52 | 000,000,626 | ---- | C] () -- C:\Documents and Settings\Dell\Desktop\Shortcut (2) to dds.lnk
[2011/11/11 20:08:25 | 000,000,871 | ---- | C] () -- C:\Documents and Settings\Dell\Desktop\Shortcut to dds.lnk
[2011/11/10 06:58:16 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/08 10:15:44 | 001,329,701 | ---- | C] () -- C:\Documents and Settings\Dell\My Documents\PLC_P200_1908_BAK001.acd
[2011/11/07 17:47:29 | 001,327,288 | ---- | C] () -- C:\Documents and Settings\Dell\My Documents\PLC_P200_1908_BAK000.acd
[2011/11/07 12:36:59 | 001,331,434 | ---- | C] () -- C:\Documents and Settings\Dell\My Documents\PLC_P200_1908.ACD
[2011/10/31 13:43:30 | 000,000,371 | ---- | C] () -- C:\Documents and Settings\Dell\My Documents\okcaser25.bpc
[2011/10/27 13:34:38 | 000,000,371 | ---- | C] () -- C:\Documents and Settings\Dell\My Documents\cpu167Bootp.bpc
[2011/05/14 21:45:54 | 000,013,302 | -HS- | C] () -- C:\Documents and Settings\Dell\Local Settings\Application Data\qw0j6rj2eh126b41tbg4561cs4qy0b8ai286q3u8rph5
[2011/05/14 21:45:54 | 000,013,302 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\qw0j6rj2eh126b41tbg4561cs4qy0b8ai286q3u8rph5
[2011/05/03 06:38:01 | 000,000,032 | ---- | C] () -- C:\WINDOWS\iVuSeries.INI
[2011/03/22 12:31:51 | 000,000,126 | ---- | C] () -- C:\WINDOWS\jascreg.ini
[2011/03/22 12:29:13 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wh2Robo.dll
[2011/03/05 09:04:06 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\bw320007.dll
[2011/03/05 09:04:05 | 000,307,200 | ---- | C] () -- C:\WINDOWS\System32\CG32.DLL
[2011/03/05 09:04:05 | 000,187,904 | ---- | C] () -- C:\WINDOWS\System32\bocof.dll
[2011/03/05 09:04:05 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\bw32000c.dll
[2011/01/28 09:15:39 | 000,000,379 | ---- | C] () -- C:\WINDOWS\Modicon.ini
[2011/01/23 08:44:51 | 000,000,744 | ---- | C] () -- C:\WINDOWS\concept.ini
[2010/12/25 13:02:16 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/21 08:51:21 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\usbcnx2.dll
[2010/12/13 08:42:12 | 000,275,280 | ---- | C] () -- C:\WINDOWS\Proreg16.exe
[2010/12/13 08:42:12 | 000,079,552 | ---- | C] () -- C:\WINDOWS\System32\WINTAY16.DLL
[2010/12/13 08:42:12 | 000,016,104 | ---- | C] () -- C:\WINDOWS\System32\Wowgluem.dll
[2010/12/13 08:42:12 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\Wowglue.dll
[2010/12/13 08:42:12 | 000,010,272 | ---- | C] () -- C:\WINDOWS\System32\Superpro.dll
[2010/12/13 08:42:12 | 000,000,433 | ---- | C] () -- C:\WINDOWS\WINTAY.INI
[2010/12/13 08:41:59 | 000,130,041 | ---- | C] () -- C:\WINDOWS\System32\Nslbcw.dll
[2010/12/13 08:41:59 | 000,126,464 | ---- | C] () -- C:\WINDOWS\System32\Ha102w16.dll
[2010/12/13 08:41:59 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\Sentinel.sys
[2010/12/13 08:41:59 | 000,038,544 | ---- | C] () -- C:\WINDOWS\System32\Nwipxspx.dll
[2010/12/13 08:41:59 | 000,007,008 | ---- | C] () -- C:\WINDOWS\System32\Setupkit.dll
[2010/12/13 08:41:59 | 000,003,750 | ---- | C] () -- C:\WINDOWS\9taywin.ini
[2010/11/30 20:37:33 | 000,032,256 | ---- | C] () -- C:\WINDOWS\System32\_UNODBC.dll
[2010/11/08 12:45:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/10/25 16:15:03 | 000,000,222 | ---- | C] () -- C:\WINDOWS\fw.ini
[2010/10/25 16:15:03 | 000,000,025 | ---- | C] () -- C:\WINDOWS\propbldr.ini
[2010/10/25 15:51:52 | 000,001,313 | ---- | C] () -- C:\WINDOWS\IAB.ini
[2010/10/25 15:32:54 | 000,245,760 | ---- | C] () -- C:\WINDOWS\System32\ABECADDll.dll
[2010/10/20 06:44:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MERuntime.INI
[2010/10/18 07:27:26 | 000,013,888 | ---- | C] () -- C:\WINDOWS\WDTGR.DLL
[2010/10/18 07:27:26 | 000,008,096 | ---- | C] () -- C:\WINDOWS\WCDTGR.DLL
[2010/10/18 07:27:26 | 000,006,656 | ---- | C] () -- C:\WINDOWS\WNETWAY.DLL
[2010/10/18 07:27:26 | 000,004,064 | ---- | C] () -- C:\WINDOWS\WNETWT16.DLL
[2010/10/18 07:27:26 | 000,000,128 | ---- | C] () -- C:\WINDOWS\System32\FTDIUN2K.INI
[2010/08/21 16:41:03 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\Dell\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/19 09:02:39 | 000,002,593 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/08/09 20:15:35 | 000,037,472 | ---- | C] () -- C:\Documents and Settings\Dell\Application Data\Comma Separated Values (DOS).ADR
[2010/07/30 20:50:08 | 000,000,032 | ---- | C] () -- C:\WINDOWS\EvMoveW.INI
[2010/07/30 20:32:29 | 000,003,770 | ---- | C] () -- C:\WINDOWS\EDS.ini
[2010/07/30 20:27:43 | 000,000,247 | ---- | C] () -- C:\WINDOWS\RLEIcons.ini
[2010/07/30 20:20:28 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Dell\Local Settings\Application Data\fusioncache.dat
[2010/07/30 20:19:26 | 000,000,128 | ---- | C] () -- C:\WINDOWS\rocksoft.ini
[2010/07/15 19:28:31 | 000,084,438 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2010/07/02 17:07:58 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/07/02 16:58:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/07/02 09:52:18 | 000,004,313 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/07/02 09:50:42 | 000,371,280 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/07/22 15:30:12 | 000,036,400 | ---- | C] () -- C:\WINDOWS\System32\LINXVDD.DLL
[2009/06/26 18:03:38 | 000,015,664 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCMK485.BIN
[2009/06/26 18:03:38 | 000,009,282 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCMKPCL.BIN
[2009/06/26 18:03:38 | 000,009,139 | ---- | C] () -- C:\WINDOWS\System32\drivers\KTXPCL.BIN
[2009/06/26 18:03:38 | 000,007,449 | ---- | C] () -- C:\WINDOWS\System32\drivers\SDDHP.BIN
[2009/06/26 18:03:38 | 000,006,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\slcnewkt.bin
[2009/06/26 18:03:38 | 000,005,433 | ---- | C] () -- C:\WINDOWS\System32\drivers\SDDH.BIN
[2009/06/26 18:03:38 | 000,001,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCMKST3.BIN
[2009/06/26 18:03:38 | 000,001,800 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCMKST1.BIN
[2009/06/26 18:03:38 | 000,001,800 | ---- | C] () -- C:\WINDOWS\System32\drivers\KTXST1.BIN
[2009/06/26 18:03:38 | 000,000,301 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCMKST0.BIN
[2009/06/26 18:03:38 | 000,000,301 | ---- | C] () -- C:\WINDOWS\System32\drivers\KTXST0.BIN
[2009/06/26 18:03:38 | 000,000,011 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCMKST2.BIN
[2009/06/26 18:03:36 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\drivers\KTC.BIN
[2009/06/26 18:03:36 | 000,015,557 | ---- | C] () -- C:\WINDOWS\System32\drivers\KTX485.BIN
[2009/06/26 18:03:36 | 000,007,575 | ---- | C] () -- C:\WINDOWS\System32\drivers\KLPCL.BIN
[2009/06/26 18:03:36 | 000,001,825 | ---- | C] () -- C:\WINDOWS\System32\drivers\KT2ST2.BIN
[2009/06/26 18:03:36 | 000,001,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\KLST2.BIN
[2009/06/26 18:03:36 | 000,001,801 | ---- | C] () -- C:\WINDOWS\System32\drivers\KT2ST1.BIN
[2009/06/26 18:03:36 | 000,001,800 | ---- | C] () -- C:\WINDOWS\System32\drivers\KLST1.BIN
[2009/06/26 18:03:36 | 000,000,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\KLST0.BIN
[2009/06/26 18:03:36 | 000,000,177 | ---- | C] () -- C:\WINDOWS\System32\drivers\KT2ST0.BIN
[2008/11/13 10:33:54 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\FDT100.dll
[2008/05/26 20:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 20:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/14 06:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/12/31 08:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/10/29 10:16:46 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/12/21 17:44:12 | 000,015,840 | ---- | C] () -- C:\WINDOWS\System32\Machnm1.exe
[2004/08/04 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 06:00:00 | 000,466,990 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 06:00:00 | 000,080,352 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 06:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1999/10/24 04:05:54 | 000,526,872 | ---- | C] () -- C:\WINDOWS\System32\rtdsk40.exe
[1997/02/27 08:04:24 | 000,198,680 | ---- | C] () -- C:\WINDOWS\System32\WL40ENT.DLL
[1997/02/27 08:04:10 | 000,023,064 | ---- | C] () -- C:\WINDOWS\System32\WTR40T.DLL

========== LOP Check ==========

[2010/08/02 15:16:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2010/09/10 16:17:12 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2011/05/17 07:38:16 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\FNP
[2010/08/10 07:25:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Rockwell
[2010/08/10 19:13:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rockwell Automation
[2010/12/21 08:42:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Schneider Electric
[2010/08/10 07:17:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WFCU
[2010/08/17 09:16:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/08/13 09:07:01 | 000,000,260 | RHS- | M] () -- C:\386SWAP.PAR
[2003/03/18 19:05:50 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\atl71.dll
[2010/07/02 17:03:46 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/07/02 16:55:47 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/07/02 17:03:46 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2011/11/09 08:53:41 | 000,000,757 | ---- | M] () -- C:\drives.txt
[2010/08/13 09:07:01 | 000,001,208 | RHS- | M] () -- C:\EVRSI.SYS
[2011/04/29 20:01:31 | 000,073,904 | ---- | M] () -- C:\FLOUR7-04-09.l5k
[2011/04/29 20:01:31 | 000,010,970 | ---- | M] () -- C:\FLOUR7-04-09.log
[2010/07/02 17:03:46 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/07/02 17:03:46 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2003/02/21 04:42:22 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\msvcr71.dll
[2008/04/13 23:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 01:01:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/11/19 16:02:26 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2010/11/05 14:43:10 | 000,000,246 | ---- | M] () -- C:\pb_Label.csv
[2010/12/21 08:51:58 | 000,000,296 | ---- | M] () -- C:\trace.log
[2011/11/19 16:04:02 | 000,019,370 | ---- | M] () -- C:\WINDOWSPODIUM.LOG
[2010/12/13 08:51:35 | 000,000,073 | -H-- | M] () -- C:\WINTAY.DAT
[2011/08/04 15:43:31 | 001,818,818 | ---- | M] () -- C:\xerror.log

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2006/09/13 00:00:00 | 000,027,136 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\CNMPD7R.DLL
[2006/09/13 00:00:00 | 000,069,632 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\CNMPP7R.DLL
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/10/26 21:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\Spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.sys /90 >
[2011/09/06 08:20:51 | 001,858,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\system32\*.exe /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\System32\config\*.sav >
[2010/07/02 09:49:31 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2010/07/02 09:49:30 | 001,089,536 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2010/07/02 09:49:30 | 000,921,600 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\* >

< %USERPROFILE%\..|smtmp;true;true;true /FP >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/10/04 17:15:54 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/10/04 17:15:54 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/10/04 17:15:54 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/10/04 17:15:59 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/10/04 17:15:59 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/10/04 17:15:59 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/08/22 06:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/08/22 06:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/08/22 06:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 16:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 16:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/10/04 17:15:54 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/10/04 17:15:54 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/10/04 17:15:54 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/10/04 17:15:59 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/10/04 17:15:59 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/10/04 17:15:59 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/08/22 06:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/08/22 06:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/08/22 06:56:56 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 16:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 16:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB47610$] -> -> Unknown point type

< End of report >

Edited by etavares, 20 November 2011 - 07:36 AM: paste OTL log


#7 etavares (Malware Response Team)

Posted 20 November 2011 - 07:41 AM

Hello, scalelar.


Step 1



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: ComboFix message (screenshot not extracted)]

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#8 scalelar (Topic Starter)

Posted 21 November 2011 - 09:16 PM

Thanks etavares
Haven't noticed any more of the original symptoms. The hard drive has activity even when nothing is running. I had to zip the log because it is too big.

Thanks Again




#9 etavares (Malware Response Team)

Posted 22 November 2011 - 06:10 AM

Hello, scalelar.
Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


File::
C:\Documents and Settings\Dell\Local Settings\Application Data\qw0j6rj2eh126b41tbg4561cs4qy0b8ai286q3u8rph5
C:\Documents and Settings\All Users\Application Data\qw0j6rj2eh126b41tbg4561cs4qy0b8ai286q3u8rph5
Folder::
c:\windows\$NtUninstallKB47610$

Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: dragging CFScript.txt onto ComboFix.exe (screenshot not extracted)]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.



Step 2

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).
* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens and starts scanning the system. Wait until a log file opens. Copy and paste the log in your next reply.



Step 3


Please attach this file to your reply:

C:\Qoobox\ComboFix-quarantined-files.txt

etavares

Edited by etavares, 22 November 2011 - 06:10 AM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#10 scalelar
  • Topic Starter
  • Members
  • 16 posts

Posted 22 November 2011 - 08:31 PM

I'd like to try and clean it. I know you said you can't guarantee it can be cleaned but is it possible to tell if it is?

Here are the logs

Attached Files



#11 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 23 November 2011 - 06:24 AM

Did you run Combofix in Step 1 above? That log is missing.




#12 scalelar
  • Topic Starter
  • Members
  • 16 posts

Posted 23 November 2011 - 06:51 AM

Sorry, got in a hurry.

Attached Files



#13 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 23 November 2011 - 02:34 PM

Hello, scalelar.

Thanks! It went as expected.



Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 29 32-bit version. Note that if you have 64-bit Windows, the default is to use a 32-bit browser. If you modified your IE to use the 64-bit version, make sure to also download the 64-bit version.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version shown below:
    Java 6 Update 22
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u29-windows-i586-s.exe to install the newest version. If you downloaded the 64-bit version, make sure to install that as well.




Step 2

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL script.
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom.
    :OTL
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-21-682003330-746137067-1614895754-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKU\S-1-5-21-682003330-746137067-1614895754-1003\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet File not found
    O33 - MountPoints2\##Ccs_server#documents\Shell - "" = AutoRun
    O33 - MountPoints2\##Ccs_server#documents\Shell\AutoplaY\cOmmAnD - "" = tyngv.exe
    O33 - MountPoints2\##Ccs_server#documents\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\##Ccs_server#documents\Shell\AutoRun\command - "" = tyngv.exe
    O33 - MountPoints2\##Ccs_server#documents\Shell\EXPLoRE\CommaNd - "" = tyngv.exe
    :Commands
    [EmptyTemp]
    
  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done; please post that in your reply.
  • Please then create a new OTL report.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • A report will open; copy and paste it in a reply here.



Step 3

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on the download link to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the installer icon on your desktop.
  • Check "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check "Scan archives"
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to Text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish

etavares


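The O33 lines removed by the OTL fix above are per-volume autorun handlers stored under the MountPoints2 registry key, each pointing at a bare executable name (tyngv.exe) that is expected to sit on the share itself. As an added illustration, not part of etavares's instructions or of OTL, the PowerShell function below (name and flagging heuristic are mine) enumerates those handlers so they can be reviewed on any machine, and flags commands that are a relative executable name.

```powershell
# Added example, not from the thread or from OTL: enumerate the per-volume
# autorun handlers under MountPoints2 (the O33 lines in the OTL fix) and
# flag commands that are a bare executable name such as "tyngv.exe".
function Get-MountPoints2Handlers {
    $suffix = 'Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    $roots  = @("Registry::HKEY_CURRENT_USER\$suffix")
    # When run elevated, also walk every loaded user hive under HKEY_USERS.
    foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        if ($hive.PSChildName -match '^S-1-5-21-' -and $hive.PSChildName -notmatch '_Classes$') {
            $roots += "Registry::$($hive.Name)\$suffix"
        }
    }

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Each child key is a volume or share (e.g. ##Ccs_server#documents);
        # Shell\<verb>\command holds what Explorer runs for that verb.
        foreach ($mp in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $verbs = Get-ChildItem -LiteralPath "$($mp.PSPath)\Shell" -ErrorAction SilentlyContinue
            foreach ($verb in $verbs) {
                $cmd = (Get-ItemProperty -LiteralPath "$($verb.PSPath)\command" -Name '(default)' `
                        -ErrorAction SilentlyContinue).'(default)'
                if (-not $cmd) { continue }
                [pscustomobject]@{
                    Hive       = ($root -replace '^Registry::', '' -replace '\\Software\\.*$', '')
                    MountPoint = $mp.PSChildName
                    Verb       = $verb.PSChildName
                    Command    = $cmd
                    # Heuristic (mine): a relative .exe/.com/.bat/... name with no drive
                    # or path means the payload is expected to live on the volume itself.
                    Suspicious = [bool]($cmd -match '^\s*"?[^\\:"]+\.(exe|com|bat|cmd|scr|pif)\b')
                }
            }
        }
    }
}

Get-MountPoints2Handlers | Format-Table -AutoSize
```

Entries whose Command is a full path to a legitimate tool are normal for some removable media; the Suspicious flag only narrows what to look at, it does not remove anything.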


#14 scalelar
  • Topic Starter
  • Members
  • 16 posts

Posted 23 November 2011 - 09:04 PM

Ok, got that. Here are the logs.

Attached Files



#15 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 24 November 2011 - 09:12 PM

Hello, scalelar.

There are still some patched files. Let's see if there are replacements.

Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

If you have a 64-bit system, please download the 64 bit version from here:
SystemLook (64-bit)

  • Double-click SystemLook.exe to run it.
  • A blank window will open with the title "SystemLook v1.0 - by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    ModbusDrv.exe
    NA_XWAY.exe
    UsbConsole.exe
    
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.


Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


etavares

