Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected by Mariofev!mem MBR virus


  • This topic is locked This topic is locked
69 replies to this topic

#1 Murphyville

Murphyville

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 23 December 2011 - 08:25 AM

Hi all. My name is Jenn. I am hoping I can find some help here in removing a very stubborn virus.

My husband's computer was recently infected. All icons disappeared, start menu was disabled, desktop was disabled. It looked like the hard drive had been erased. After some digged and scan after scan, everything is there just hidden. I managed to restore most everything to as before. However, when I run stinger it gives me a root virus of mariofev!mem and roguekiller confirms a mbr infection. I run several scans will various programs but am not knowledgable enough to isolate the service or sys file that is causing the problem. I need some experienced help to read what I am seeing and correct it. This problem began on Dec 14th. DDS will not run in regular or safe mode. Gmer runs but only allows me to check services, registry, and files.

Thanks in advance,

Jenn

Attached Files

  • Attached File  ark.txt   908bytes   3 downloads

Edited by Murphyville, 23 December 2011 - 06:29 PM.


BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:57 AM

Posted 24 December 2011 - 03:11 PM

Good evening. :)

Download OTL by OldTimer from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Quick Scan button and allow it to do it's thing.
  • Once complete, it should open two Notepad Windows - OTL.Txt and Extras.Txt
  • It should also save copies in the same location as OTL.
  • I want you to copy and paste the contents of OTL.txt that should appear into one reply and Extras.Txt into another.
  • The length of the two logs sometimes results in the end being chopped off if you post both in one reply.

So long, and thanks for all the fish.

 

 


#3 Murphyville

Murphyville
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 28 December 2011 - 01:23 PM

OTL logfile created on: 12/28/2011 12:48:58 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.48 Mb Total Physical Memory | 523.12 Mb Available Physical Memory | 51.16% Memory free
2.41 Gb Paging File | 2.03 Gb Available in Paging File | 84.34% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 19.63 Gb Free Space | 52.67% Space Free | Partition Type: NTFS

Computer Name: DAVID | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/28 12:48:28 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
PRC - [2011/11/07 03:26:14 | 000,025,472 | ---- | M] (Uniblue Systems Limited) -- C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/12/07 17:12:26 | 000,068,648 | R--- | M] (iS3, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe -- (szserver)
SRV - [2011/06/26 01:45:56 | 000,256,000 | R--- | M] () [Disabled | Stopped] -- C:\aomboFix\pev.3XE -- (PEVSystemStart)
SRV - [2009/05/20 13:18:28 | 000,297,472 | ---- | M] (Amazon.com) [Disabled | Stopped] -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent)
SRV - [2009/03/07 08:51:50 | 000,024,576 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/11/18 14:45:28 | 000,061,440 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2007/05/17 16:45:33 | 000,271,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/09/26 11:21:00 | 000,061,328 | R--- | M] (iS3 Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\szkg.sys -- (szkg5)
DRV - [2011/09/26 11:21:00 | 000,061,328 | R--- | M] (iS3 Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\is3srv.sys -- (is3srv)
DRV - [2011/08/16 16:48:30 | 000,059,080 | R--- | M] (iS3, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\szkgfs.sys -- (szkgfs)
DRV - [2010/04/28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2010/01/25 05:11:32 | 000,019,968 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandgps.sys -- (AndGps)
DRV - [2010/01/25 05:11:30 | 000,020,864 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lganddiag.sys -- (AndDiag)
DRV - [2010/01/25 05:11:24 | 000,024,960 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandmodem.sys -- (ANDModem)
DRV - [2010/01/25 05:11:22 | 000,014,336 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandbus.sys -- (Andbus)
DRV - [2007/04/10 16:46:53 | 001,966,312 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000)
DRV - [2004/08/04 00:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/08/29 03:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2001/08/22 07:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 00 94 EC 85 88 C5 CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.aol.com/"
FF - prefs.js..extensions.enabledItems: firefox@facebook.com:1.4.3
FF - prefs.js..extensions.enabledItems: {9AA46F4F-4DC7-4c06-97AF-5035170634FE}:3.2.9
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {66bd2442-241b-44cd-8c7a-b51037053cdb}:3.2.1.3

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\Program Files\TVUPlayer\npTVUAx.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/16 20:26:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/07/26 15:37:08 | 000,000,000 | ---D | M]

[2009/09/29 22:46:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2011/12/17 21:18:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\84nv88ua.default\extensions
[2009/09/29 23:13:21 | 000,000,000 | ---D | M] (Forecastfox) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\84nv88ua.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2009/10/02 14:15:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\84nv88ua.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/02 20:33:53 | 000,000,000 | ---D | M] (TVersitybar Community Toolbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\84nv88ua.default\extensions\{66bd2442-241b-44cd-8c7a-b51037053cdb}
[2009/09/29 22:53:12 | 000,000,000 | ---D | M] (ImTranslator) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\84nv88ua.default\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
[2009/12/13 09:57:07 | 000,000,000 | ---D | M] (شريط أدوات فيس بوك) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\84nv88ua.default\extensions\firefox@facebook.com
[2011/10/16 18:10:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/13 12:55:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/30 11:11:49 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/29 09:20:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/02/10 10:12:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/02/15 13:06:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/07/18 10:49:32 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2010/01/08 09:31:42 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\16.0.912.63\pdf.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.2_0\
CHR - Extension: Google Search = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
CHR - Extension: Gmail = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.4_0\

O1 HOSTS File: ([2011/12/16 20:19:07 | 000,000,726 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKCU..\Run: [RegistryBooster] C:\Program Files\Uniblue\RegistryBooster\launcher.exe (Uniblue Systems Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: aol.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: aolcdn.com ([www] https in Trusted sites)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E6958843-632C-44F7-803A-07E242381CCF}: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/28 11:43:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = Jj4] -- "C:\Documents and Settings\Owner\Local Settings\Application Data\gsc.exe" -a "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/28 12:48:24 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
[2011/12/24 11:36:54 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/12/24 11:36:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/24 10:30:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Kuyb
[2011/12/24 10:30:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Haveev
[2011/12/23 09:51:08 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/12/18 08:54:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2011/12/18 08:54:43 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
[2011/12/18 08:54:42 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2011/12/18 08:54:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Uniblue
[2011/12/18 08:53:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\PackageAware
[2011/12/18 06:50:43 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/12/17 20:44:15 | 000,000,000 | --SD | C] -- C:\aomboFix
[2011/12/17 20:31:46 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2011/12/17 20:27:05 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2011/12/17 10:10:22 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/12/16 21:10:29 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/12/16 21:10:29 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/12/16 21:10:29 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/12/16 21:10:29 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/12/16 21:08:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/12/16 21:02:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/16 20:12:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/16 17:36:54 | 000,014,664 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\stinger.sys
[2011/12/16 17:18:09 | 000,096,200 | ---- | C] (CyberDefender Corp.) -- C:\WINDOWS\System32\drivers\CDAVFS.sys
[2011/12/16 14:09:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\STOPzilla
[2011/12/16 14:08:53 | 000,000,000 | ---D | C] -- C:\Program Files\STOPzilla!
[2011/12/16 14:08:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2011/12/16 14:08:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011/12/15 16:44:36 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/12/15 16:44:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/12/15 11:55:56 | 000,076,696 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2011/12/15 11:55:54 | 000,000,000 | ---D | C] -- C:\Program Files\Prevx
[2011/12/15 11:55:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2011/12/07 17:12:22 | 000,547,880 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\SZComp5.dll
[2011/12/07 17:12:22 | 000,482,344 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\SZBase5.dll
[2011/12/07 17:12:22 | 000,457,768 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3DBA5.dll
[2011/12/07 17:12:22 | 000,134,184 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3HTUI5.dll
[2011/12/07 17:12:22 | 000,068,648 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Hks5.dll
[2011/12/07 17:12:22 | 000,030,248 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3XDat5.dll
[2011/12/07 17:12:22 | 000,024,616 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\SZIO5.dll
[2011/12/07 17:12:20 | 000,740,392 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Base5.dll
[2011/12/07 17:12:20 | 000,392,232 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3UI5.dll
[2011/12/07 17:12:20 | 000,232,488 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Win325.dll
[2011/12/07 17:12:20 | 000,105,512 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Inet5.dll
[2011/12/07 17:12:20 | 000,101,416 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Svc5.dll
[2011/12/02 03:02:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/12/01 09:01:57 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2011/12/01 09:00:21 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Sync Framework
[2011/12/01 08:58:36 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/28 12:48:28 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
[2011/12/28 12:44:33 | 000,000,264 | ---- | M] () -- C:\WINDOWS\tasks\RegistryBooster.job
[2011/12/28 12:44:28 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/28 12:44:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/26 14:10:01 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-527237240-507921405-682003330-1003UA.job
[2011/12/26 03:10:01 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-527237240-507921405-682003330-1003Core.job
[2011/12/24 11:37:03 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/24 10:32:44 | 000,010,908 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\5ijxd54pl8kn7ovqu50cp321001m3h1161ic85rs73r13
[2011/12/24 10:32:44 | 000,010,908 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\5ijxd54pl8kn7ovqu50cp321001m3h1161ic85rs73r13
[2011/12/23 09:50:05 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/12/18 08:54:44 | 000,001,477 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Uniblue RegistryBooster.lnk
[2011/12/18 08:36:56 | 000,111,872 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2011/12/18 08:25:39 | 000,294,195 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2011/12/18 08:22:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/12/18 07:47:30 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\settings.dat
[2011/12/18 07:22:52 | 000,089,088 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\test.exe
[2011/12/18 07:22:52 | 000,089,088 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\salvation.exe
[2011/12/18 06:21:07 | 000,002,262 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/12/18 06:21:06 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk
[2011/12/17 20:58:40 | 000,000,420 | RHS- | M] () -- C:\boot.ini
[2011/12/17 20:41:09 | 000,160,344 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/16 17:43:16 | 000,015,872 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/12/16 17:38:20 | 000,014,664 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\stinger.sys
[2011/12/16 17:17:26 | 000,096,200 | ---- | M] (CyberDefender Corp.) -- C:\WINDOWS\System32\drivers\CDAVFS.sys
[2011/12/16 12:55:57 | 000,000,304 | ---- | M] () -- C:\Boot.bak
[2011/12/15 21:04:08 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Internet Explorer.lnk
[2011/12/15 20:02:37 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/12/15 11:55:56 | 000,076,696 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2011/12/15 11:55:44 | 000,000,051 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/12/07 17:12:22 | 000,547,880 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\SZComp5.dll
[2011/12/07 17:12:22 | 000,482,344 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\SZBase5.dll
[2011/12/07 17:12:22 | 000,457,768 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3DBA5.dll
[2011/12/07 17:12:22 | 000,134,184 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3HTUI5.dll
[2011/12/07 17:12:22 | 000,068,648 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Hks5.dll
[2011/12/07 17:12:22 | 000,030,248 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3XDat5.dll
[2011/12/07 17:12:22 | 000,024,616 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\SZIO5.dll
[2011/12/07 17:12:20 | 000,740,392 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Base5.dll
[2011/12/07 17:12:20 | 000,392,232 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3UI5.dll
[2011/12/07 17:12:20 | 000,232,488 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Win325.dll
[2011/12/07 17:12:20 | 000,105,512 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Inet5.dll
[2011/12/07 17:12:20 | 000,101,416 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Svc5.dll
[2011/12/06 21:28:53 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/12/04 07:46:59 | 000,433,472 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/04 07:46:59 | 000,068,318 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/01 22:16:59 | 000,921,624 | ---- | M] () -- C:\img2-001.raw
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/24 11:37:03 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/12/24 10:30:23 | 000,010,908 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\5ijxd54pl8kn7ovqu50cp321001m3h1161ic85rs73r13
[2011/12/24 10:30:23 | 000,010,908 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\5ijxd54pl8kn7ovqu50cp321001m3h1161ic85rs73r13
[2011/12/18 08:55:10 | 000,000,264 | ---- | C] () -- C:\WINDOWS\tasks\RegistryBooster.job
[2011/12/18 08:54:44 | 000,001,477 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Uniblue RegistryBooster.lnk
[2011/12/18 08:25:38 | 000,294,195 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2011/12/18 08:22:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/12/18 07:47:30 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\settings.dat
[2011/12/18 07:26:30 | 000,089,088 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\salvation.exe
[2011/12/18 07:22:52 | 000,089,088 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\test.exe
[2011/12/17 20:41:09 | 000,160,344 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/17 10:10:47 | 000,000,304 | ---- | C] () -- C:\Boot.bak
[2011/12/17 10:10:31 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/12/16 21:10:29 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/12/16 21:10:29 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/12/16 21:10:29 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/12/16 21:10:29 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/12/16 21:10:29 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/12/16 20:13:00 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/12/16 20:13:00 | 000,001,886 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft LifeCam.lnk
[2011/12/16 20:13:00 | 000,001,836 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickBooks Pro 2009.lnk
[2011/12/16 20:12:59 | 000,002,262 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/12/16 20:12:59 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/12/16 20:12:59 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/12/16 20:12:59 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/12/16 20:12:59 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/12/16 20:12:59 | 000,000,785 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2011/12/16 20:12:59 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/12/16 20:12:57 | 000,001,077 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Default Manager.lnk
[2011/12/16 20:12:56 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2011/12/16 20:12:56 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat.com.lnk
[2011/12/16 20:07:49 | 000,111,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2011/12/15 21:04:08 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Internet Explorer.lnk
[2011/08/22 12:02:30 | 000,000,051 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/26 15:00:01 | 000,000,031 | ---- | C] () -- C:\WINDOWS\ka.ini
[2010/01/06 17:44:47 | 000,027,588 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/13 10:47:33 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2009/10/24 15:00:47 | 000,000,120 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2009/10/24 14:59:52 | 000,002,552 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI
[2009/10/03 17:56:46 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/10/03 17:33:40 | 000,015,872 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/03 17:16:19 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
[2009/09/29 22:46:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/09/29 11:09:03 | 000,000,089 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/09/28 11:47:08 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/09/28 11:40:29 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/09/28 10:36:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/09/28 08:49:21 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2009/09/28 04:31:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/06/25 16:44:16 | 000,433,472 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/06/25 16:44:16 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/06/25 16:44:15 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/06/25 16:44:14 | 000,068,318 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/06/25 16:43:52 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/06/25 16:43:52 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/06/25 16:43:20 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/06/25 16:40:52 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/06/25 16:40:47 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/06/25 16:38:59 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2002/06/25 16:38:58 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2002/06/25 16:38:58 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2002/06/25 16:38:58 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2002/06/25 16:38:58 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2002/06/25 16:37:54 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/06/25 16:37:20 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

========== LOP Check ==========

[2009/09/29 09:49:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Amazon
[2011/12/15 20:08:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/08/22 13:09:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/01/30 19:48:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2011/08/22 13:06:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileOpen
[2011/08/22 13:03:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/12/15 11:56:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2009/09/29 11:26:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10
[2011/12/17 12:34:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011/08/22 13:04:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/11/11 12:01:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2011/12/18 08:54:43 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
[2011/01/30 19:53:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG10
[2011/05/24 09:53:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FileOpen
[2011/12/24 12:24:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Haveev
[2011/12/24 11:26:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Kuyb
[2009/12/30 14:21:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LEGO Company
[2011/12/18 08:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2011/06/20 09:25:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\W Photo Studio Viewer
[2011/12/28 12:44:33 | 000,000,264 | ---- | M] () -- C:\WINDOWS\Tasks\RegistryBooster.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\Imported Photos 00034.jpg:Roxio EMC Stream
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >

#4 Murphyville

Murphyville
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 28 December 2011 - 01:30 PM

No notepad doc for extras.txt was created at the end of scan. When I boot the machine now I also receive prompts for some programs to pick a program to open them with saying rundll32.exe has no program associated or cannot be found. I am unable to access security center at this time.

Thanks,

Jenn

#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:57 AM

Posted 28 December 2011 - 03:34 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Change parameters and check the two boxes under Additional Options.
  • Click Start scan and allow the tool to do just that.
  • One the scan has completed, if the tool has identified anything allow it to carry out it's default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which i'd like to see, will be located at the root of you hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.

 

 


#6 Murphyville

Murphyville
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 29 December 2011 - 02:08 PM

I was unable to execute any programs due to a rundll issue. Did system restore to Dec 15th. Ran Malwarebytes which removed a trogan.zbot infection. TDSSKiller.exe will not run. Program will not open when clicked on. I have downloaded OLT again and it is running properly now. I will post the olt.txt file and extras.txt file for you to review.

Thank you again for your help.

Jenn

#7 Murphyville

Murphyville
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 29 December 2011 - 02:11 PM

OTL logfile created on: 12/29/2011 1:34:33 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.48 Mb Total Physical Memory | 428.00 Mb Available Physical Memory | 41.86% Memory free
2.41 Gb Paging File | 1.91 Gb Available in Paging File | 79.17% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 18.62 Gb Free Space | 49.95% Space Free | Partition Type: NTFS

Computer Name: DAVID | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/29 13:34:23 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
PRC - [2009/03/07 08:51:50 | 000,024,576 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/17 16:45:33 | 000,271,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/13 02:48:32 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll
MOD - [2011/10/13 02:16:59 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll
MOD - [2011/10/13 02:16:11 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2009/05/20 13:18:28 | 000,297,472 | ---- | M] (Amazon.com) [On_Demand | Stopped] -- C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe -- (Amazon Download Agent)
SRV - [2009/03/07 08:51:50 | 000,024,576 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/11/18 14:45:28 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2007/05/17 16:45:33 | 000,271,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)


========== Driver Services (SafeList) ==========

DRV - [2010/04/28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2010/01/25 05:11:32 | 000,019,968 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandgps.sys -- (AndGps)
DRV - [2010/01/25 05:11:30 | 000,020,864 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lganddiag.sys -- (AndDiag)
DRV - [2010/01/25 05:11:24 | 000,024,960 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandmodem.sys -- (ANDModem)
DRV - [2010/01/25 05:11:22 | 000,014,336 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgandbus.sys -- (Andbus)
DRV - [2007/04/10 16:46:53 | 001,966,312 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VX1000.sys -- (VX1000)
DRV - [2004/08/04 00:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/08/29 03:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2001/08/22 07:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://aol.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 44 A9 40 7C B7 66 CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.aol.com/"
FF - prefs.js..extensions.enabledItems: firefox@facebook.com:1.4.3
FF - prefs.js..extensions.enabledItems: {9AA46F4F-4DC7-4c06-97AF-5035170634FE}:3.2.9
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {66bd2442-241b-44cd-8c7a-b51037053cdb}:3.2.1.3

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\Program Files\TVUPlayer\npTVUAx.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/16 20:26:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/07/26 15:37:08 | 000,000,000 | ---D | M]

[2009/09/29 22:46:58 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2011/12/28 19:50:05 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\84nv88ua.default\extensions
[2009/09/29 23:13:21 | 000,000,000 | -H-D | M] (Forecastfox) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\84nv88ua.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2009/10/02 14:15:23 | 000,000,000 | -H-D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\84nv88ua.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/02 20:33:53 | 000,000,000 | -H-D | M] (TVersitybar Community Toolbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\84nv88ua.default\extensions\{66bd2442-241b-44cd-8c7a-b51037053cdb}
[2009/09/29 22:53:12 | 000,000,000 | -H-D | M] (ImTranslator) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\84nv88ua.default\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
[2009/12/13 09:57:07 | 000,000,000 | -H-D | M] (شريط أدوات فيس بوك) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\84nv88ua.default\extensions\firefox@facebook.com
[2011/10/16 18:10:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/13 12:55:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/30 11:11:49 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/29 09:20:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/02/10 10:12:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/02/15 13:06:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/07/18 10:49:32 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2010/01/08 09:31:42 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\15.0.874.121\pdf.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2011/12/16 20:19:07 | 000,000,726 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SafeOnline BHO) - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\WINDOWS\system32\PxSecure.dll File not found
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; WinTSI 12.11.2009)" -"http://www.lego.com/eng/create/activities/junkbot2/default.asp?x=x" File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: aol.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: aolcdn.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: aolcdn.com ([www] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E6958843-632C-44F7-803A-07E242381CCF}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/28 11:43:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/29 13:34:19 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
[2011/12/29 12:32:26 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/12/28 19:55:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/12/28 19:55:10 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/12/28 19:51:59 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2011/12/28 19:50:26 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
[2011/12/28 19:48:37 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/12/28 19:46:35 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/12/28 19:46:03 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/12/28 19:43:35 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2011/12/28 19:43:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2011/12/28 17:31:11 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware(3)
[2011/12/24 11:36:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware(2)
[2011/12/18 08:54:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2011/12/18 08:54:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
[2011/12/18 08:54:42 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2011/12/18 07:26:30 | 001,578,288 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\My Documents\salvation.exe
[2011/12/18 06:50:43 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/12/17 20:44:15 | 000,000,000 | ---D | C] -- C:\aomboFix(2)
[2011/12/17 10:10:22 | 000,000,000 | ---D | C] -- C:\cmdcons
[2011/12/16 21:08:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/12/16 21:02:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/12/16 14:08:53 | 000,000,000 | ---D | C] -- C:\Program Files\STOPzilla!
[2011/12/16 14:08:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2011/12/16 14:08:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011/12/15 16:44:36 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/12/15 16:44:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/12/15 11:55:56 | 000,076,696 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2011/12/15 11:55:54 | 000,000,000 | ---D | C] -- C:\Program Files\Prevx
[2011/12/15 11:55:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2011/12/02 03:02:43 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/12/01 09:01:57 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2011/12/01 09:00:21 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Sync Framework
[2011/12/01 08:58:36 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/29 13:34:23 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
[2011/12/29 13:32:59 | 001,578,288 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Owner\My Documents\salvation.exe
[2011/12/29 13:21:11 | 000,000,264 | ---- | M] () -- C:\WINDOWS\tasks\RegistryBooster.job
[2011/12/29 13:21:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/29 12:32:32 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/28 18:41:36 | 000,012,524 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\k3244ti2634ey6l3p718871ejvvrx8wgk3ii17
[2011/12/28 18:41:36 | 000,012,524 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\k3244ti2634ey6l3p718871ejvvrx8wgk3ii17
[2011/12/28 18:12:52 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-527237240-507921405-682003330-1003UA.job
[2011/12/28 12:44:28 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/26 03:10:01 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-527237240-507921405-682003330-1003Core.job
[2011/12/24 10:32:44 | 000,010,908 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\5ijxd54pl8kn7ovqu50cp321001m3h1161ic85rs73r13
[2011/12/24 10:32:44 | 000,010,908 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\5ijxd54pl8kn7ovqu50cp321001m3h1161ic85rs73r13
[2011/12/18 08:25:39 | 000,294,195 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2011/12/18 08:22:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/12/18 07:47:30 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\settings.dat
[2011/12/18 07:22:52 | 000,089,088 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\test.exe
[2011/12/17 20:41:09 | 000,160,344 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/16 12:55:57 | 000,000,304 | ---- | M] () -- C:\Boot.bak
[2011/12/15 21:04:08 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Internet Explorer.lnk
[2011/12/15 20:02:37 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/12/15 12:01:16 | 000,000,304 | RHS- | M] () -- C:\boot.ini
[2011/12/15 11:55:56 | 000,076,696 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxrts.sys
[2011/12/15 11:55:44 | 000,000,051 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/12/04 07:46:59 | 000,433,472 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/12/04 07:46:59 | 000,068,318 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/12/01 22:16:59 | 000,921,624 | ---- | M] () -- C:\img2-001.raw
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/29 12:32:32 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/28 18:39:11 | 000,012,524 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\k3244ti2634ey6l3p718871ejvvrx8wgk3ii17
[2011/12/28 18:39:11 | 000,012,524 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\k3244ti2634ey6l3p718871ejvvrx8wgk3ii17
[2011/12/24 10:30:23 | 000,010,908 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\5ijxd54pl8kn7ovqu50cp321001m3h1161ic85rs73r13
[2011/12/24 10:30:23 | 000,010,908 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\5ijxd54pl8kn7ovqu50cp321001m3h1161ic85rs73r13
[2011/12/18 08:55:10 | 000,000,264 | ---- | C] () -- C:\WINDOWS\tasks\RegistryBooster.job
[2011/12/18 08:25:38 | 000,294,195 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2011/12/18 08:22:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/12/18 07:47:30 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\settings.dat
[2011/12/18 07:22:52 | 000,089,088 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\test.exe
[2011/12/17 20:41:09 | 000,160,344 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/17 10:10:47 | 000,000,304 | ---- | C] () -- C:\Boot.bak
[2011/12/17 10:10:31 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/12/16 20:12:59 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/12/15 21:04:08 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Internet Explorer.lnk
[2011/08/22 12:02:30 | 000,000,051 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/26 15:00:01 | 000,000,031 | ---- | C] () -- C:\WINDOWS\ka.ini
[2010/01/06 17:44:47 | 000,027,588 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/13 10:47:33 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2009/10/24 15:00:47 | 000,000,120 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2009/10/24 14:59:52 | 000,002,552 | ---- | C] () -- C:\WINDOWS\WAVEMIX.INI
[2009/10/03 17:56:46 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/10/03 17:33:40 | 000,014,848 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/03 17:16:19 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX1000.ini
[2009/09/29 22:46:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/09/29 11:09:03 | 000,000,089 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/09/28 11:47:08 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/09/28 11:40:29 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/09/28 10:36:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/09/28 08:49:21 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2009/09/28 04:31:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/06/25 16:44:16 | 000,433,472 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/06/25 16:44:16 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/06/25 16:44:15 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/06/25 16:44:14 | 000,068,318 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/06/25 16:43:52 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/06/25 16:43:52 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/06/25 16:43:20 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/06/25 16:40:52 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/06/25 16:40:47 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/06/25 16:38:59 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2002/06/25 16:38:58 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2002/06/25 16:38:58 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2002/06/25 16:38:58 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2002/06/25 16:38:58 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2002/06/25 16:37:54 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/06/25 16:37:20 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

========== LOP Check ==========

[2009/09/29 09:49:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Amazon
[2011/12/15 20:08:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/08/22 13:09:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/01/30 19:48:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2011/08/22 13:06:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileOpen
[2011/08/22 13:03:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/12/15 11:56:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2009/09/29 11:26:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10
[2011/12/28 19:55:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2011/08/22 13:04:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/11/11 12:01:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2011/12/28 19:42:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
[2011/01/30 19:53:03 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\AVG10
[2011/05/24 09:53:35 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\FileOpen
[2009/12/30 14:21:06 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\LEGO Company
[2011/12/18 08:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2011/06/20 09:25:32 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\W Photo Studio Viewer
[2011/12/29 13:21:11 | 000,000,264 | ---- | M] () -- C:\WINDOWS\Tasks\RegistryBooster.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Owner\My Documents\Imported Photos 00034.jpg:Roxio EMC Stream
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >

#8 Murphyville

Murphyville
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 29 December 2011 - 02:12 PM

OTL Extras logfile created on: 12/29/2011 1:34:33 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.48 Mb Total Physical Memory | 428.00 Mb Available Physical Memory | 41.86% Memory free
2.41 Gb Paging File | 1.91 Gb Available in Paging File | 79.17% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 18.62 Gb Free Space | 49.95% Space Free | Partition Type: NTFS

Computer Name: DAVID | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"FirstRunDisabled" = 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager -- (Intuit, Inc.)
"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- (www.sopcast.com)
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- (www.sopcast.com)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Disabled:AVG Installer
"C:\Program Files\TVUPlayer\TVUPlayer.exe" = C:\Program Files\TVUPlayer\TVUPlayer.exe:*:Disabled:TVUPlayer Component


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1BD07DF4-FB06-41BA-B896-B2DA59000C96}" = Windows Live Toolbar
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2656D0AB-9EA4-4C58-A117-635F3CED8B93}" = Microsoft UI Engine
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 26
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E4F8163-9889-4BAB-B2E7-DBAAE248C1EB}" = LG Android Driver
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager
"{63AFACBC-4795-4A1B-8037-5085DC03FC54}" = Microsoft LifeCam
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A2F0810-3622-4E86-9072-973FBE1679C5}" = QuickBooks Pro 2009
"{9A2F0810-369F-4E86-9072-973FBE1679C5}" = QuickBooks
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.5
"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
"{B28759B8-5FC6-4F56-9C6C-6EDAD36455A9}" = Roxio Media Manager
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype 4.1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{D92FF8EB-BD77-40AE-B68B-A6BFC6F8661D}" = Windows Live Family Safety
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{EE39FFBD-544E-49E4-A999-6819828EAE91}" = Windows Live Photo Gallery
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Amazon Games & Software Downloader_is1" = Amazon Games & Software Downloader
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.16)" = Mozilla Firefox (3.5.16)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SopCast" = SopCast 3.3.2
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/21/2011 7:54:39 PM | Computer Name = DAVID | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 8/21/2011 7:54:39 PM | Computer Name = DAVID | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 8/21/2011 7:54:39 PM | Computer Name = DAVID | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 8/22/2011 1:51:31 PM | Computer Name = DAVID | Source = Application Hang | ID = 1002
Description = Hanging application msiexec.exe, version 3.1.4001.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/22/2011 1:51:32 PM | Computer Name = DAVID | Source = Application Hang | ID = 1002
Description = Hanging application msiexec.exe, version 3.1.4001.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/22/2011 1:51:34 PM | Computer Name = DAVID | Source = Application Hang | ID = 1002
Description = Hanging application msiexec.exe, version 3.1.4001.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/22/2011 1:51:34 PM | Computer Name = DAVID | Source = Application Hang | ID = 1002
Description = Hanging application msiexec.exe, version 3.1.4001.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/24/2011 3:48:12 PM | Computer Name = DAVID | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19120, fault address 0x00067b98.

Error - 8/24/2011 3:48:18 PM | Computer Name = DAVID | Source = Application Error | ID = 1001
Description = Fault bucket -1739320241.

Error - 8/28/2011 7:29:14 AM | Computer Name = DAVID | Source = Application Hang | ID = 1002
Description = Hanging application SopCast.exe, version 3.3.2.1020, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ Application Events ]
Error - 8/21/2011 7:54:39 PM | Computer Name = DAVID | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 8/21/2011 7:54:39 PM | Computer Name = DAVID | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 8/21/2011 7:54:39 PM | Computer Name = DAVID | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 8/22/2011 1:51:31 PM | Computer Name = DAVID | Source = Application Hang | ID = 1002
Description = Hanging application msiexec.exe, version 3.1.4001.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/22/2011 1:51:32 PM | Computer Name = DAVID | Source = Application Hang | ID = 1002
Description = Hanging application msiexec.exe, version 3.1.4001.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/22/2011 1:51:34 PM | Computer Name = DAVID | Source = Application Hang | ID = 1002
Description = Hanging application msiexec.exe, version 3.1.4001.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/22/2011 1:51:34 PM | Computer Name = DAVID | Source = Application Hang | ID = 1002
Description = Hanging application msiexec.exe, version 3.1.4001.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/24/2011 3:48:12 PM | Computer Name = DAVID | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19120, fault address 0x00067b98.

Error - 8/24/2011 3:48:18 PM | Computer Name = DAVID | Source = Application Error | ID = 1001
Description = Fault bucket -1739320241.

Error - 8/28/2011 7:29:14 AM | Computer Name = DAVID | Source = Application Hang | ID = 1002
Description = Hanging application SopCast.exe, version 3.3.2.1020, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 12/28/2011 8:32:19 PM | Computer Name = DAVID | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 12/28/2011 8:32:19 PM | Computer Name = DAVID | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 12/28/2011 8:32:19 PM | Computer Name = DAVID | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support
Environment service which failed to start because of the following error: %%31

Error - 12/28/2011 8:32:19 PM | Computer Name = DAVID | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 12/28/2011 8:32:19 PM | Computer Name = DAVID | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips IPSec MRxSmb NetBIOS NetBT OMCI Processor RasAcd Rdbss Tcpip

Error - 12/28/2011 8:32:21 PM | Computer Name = DAVID | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/29/2011 1:20:12 PM | Computer Name = DAVID | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/29/2011 1:20:37 PM | Computer Name = DAVID | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips OMCI Processor

Error - 12/29/2011 1:28:15 PM | Computer Name = DAVID | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/29/2011 2:20:04 PM | Computer Name = DAVID | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >

#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:57 AM

Posted 31 December 2011 - 03:09 PM

Good evening. :)

Download Junction.zip by Mark Russinovich from here and save it to your Desktop - you'll need to unzip this one as well.

  • Copy and paste the file junction.exe into the Windows directory (C:\Windows).
  • Go to Start > Run..., copy the following into the textbox and click OK:

    • cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  • A Command Window will open and the tool will start scanning.
  • When it's done, a text file called log.txt will appear - i'd like a copy of that in your next reply.

So long, and thanks for all the fish.

 

 


#10 Murphyville

Murphyville
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 31 December 2011 - 05:39 PM

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790



\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

...

...

...

...

...

...

...

...

...

#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:57 AM

Posted 01 January 2012 - 03:29 PM

Good evening. :)

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop:

  • Linky #1
  • Linky #2

  • Double-click SystemLook.exe to run it.
  • Copy the contents of the following codebox into the main textfield:


    :filefind
    rundll32.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan - the log can also be found on your Desktop entitled SystemLook.txt
  • Please post the contents of this log in your next reply.

So long, and thanks for all the fish.

 

 


#12 Murphyville

Murphyville
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 01 January 2012 - 03:59 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 15:56 on 01/01/2012 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "rundll32.*"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\rundll32.exe --a---- 182856 bytes [17:32 29/12/2011] [22:50 24/12/2011] B382935AB01B27D0E14F267DBF288896
C:\WINDOWS\$NtServicePackUninstall$\rundll32.exe -----c- 33280 bytes [16:43 28/09/2009] [07:56 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1831A4F3.pf --a---- 33772 bytes [16:26 24/12/2011] [18:15 30/12/2011] 3978945CBEC40ACB810C59D9B6F4609A
C:\WINDOWS\Prefetch\RUNDLL32.EXE-196C30E6.pf --a---- 14626 bytes [18:04 30/12/2011] [18:04 30/12/2011] C0464EF626F17C463B1A200DA02BE50A
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2C7B5C4A.pf --a---- 19582 bytes [19:09 29/12/2011] [19:10 29/12/2011] 362AC82A65F2FCDD1B79691ACBC0917A
C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf --a---- 13094 bytes [23:56 28/12/2011] [23:56 28/12/2011] FEE675D825E314D6383D6665D807B5BF
C:\WINDOWS\Prefetch\RUNDLL32.EXE-47FAA399.pf --a---- 24796 bytes [18:04 30/12/2011] [18:04 30/12/2011] E379258D68888AC6746E1F914BB6FD08
C:\WINDOWS\Prefetch\RUNDLL32.EXE-4B8C3910.pf --a---- 41228 bytes [18:41 12/11/2011] [23:07 30/12/2011] A5F56715090EB4D266D5E577E4B4A31F
C:\WINDOWS\ServicePackFiles\i386\rundll32.exe ------- 33280 bytes [07:56 04/08/2004] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6
C:\WINDOWS\system32\rundll32.exe --a---- 33280 bytes [21:45 25/06/2002] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6

-= EOF =-

#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:57 AM

Posted 02 January 2012 - 04:28 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

 

 


#14 Murphyville

Murphyville
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 02 January 2012 - 08:21 PM

Thanks, will post the log once scan completes.

Edited by Murphyville, 02 January 2012 - 08:26 PM.


#15 Murphyville

Murphyville
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:57 AM

Posted 03 January 2012 - 12:13 PM

My apologies, Combofix will not run. I did rename the program when downloading. I get to the prompt stating combofix will now scan and it could take up to 10 mins. Everything locks at that point. I have tried to run in regular mode, safe mode with networking, and safe mode, same problem each time. Firewall was disabled in regular mode and ther is no AV installed currently. The program itself runs really slow in any of the modes. The computer redirects websites and the windows flash randomly.

Thanks,

Jenn

Edited by Murphyville, 03 January 2012 - 12:14 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users