iLivid and SearchQu Malware Infection


  • This topic is locked
21 replies to this topic

#1 CC Girl

CC Girl

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 26 January 2012 - 11:38 PM

Hello Bleeping Computer,

I believe that some of the other users of this computer have downloaded the iLivid/SearchQu malware onto the system last night. I turned the computer on today and noticed that iLivid was downloaded, and when I opened my Chrome Internet browser to search for information on the programme, I noticed that my homepage had been changed to SearchQu.com. After doing a cursory read of a few posts about the malware on some tech support forums, I decided to log in to Bleeping Computer to ask for the community's assistance in getting it removed.
My understanding is that it is not affecting my computer much in any other way; for example, no huge amounts of data going through the internet as one would expect with a trojan, no error codes, etcetera. Although, I have been keeping the computer usage to a minimum until I get a response from you. The only thing I have done in trying to remove the malware is to change my homepage back from the SearchQu link in Chrome. I have not even tried to remove the programme from the Add/Remove Programmes option in Control Panel. I also have not opened the Internet Explorer browser that was most probably used to download the malware, but I heard from another of the computer users that it was consistently closing itself down last night (I am not sure if it is related, but it probably is, so I will stick to using Chrome for now).

I read the Preparation Guide on the forum and have pasted the dds.txt file into this post and have attached the attach.txt and ark.txt files as requested.

Please assist me in the various steps needed to get rid of these and any other unnecessary programmes.

Thank you in advance,

CC Girl




.
DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 8.0.6001.18702
Run by Computer at 9:15:31 on 2012-01-27
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247.26 [GMT 5.5:30]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
G:\Sistem Tools\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
G:\Sistem Tools\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\WINDOW~4\Datamngr\DATAMN~1.EXE
C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Sistem Tools\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
G:\Sistem Tools\Avira\AntiVir Desktop\avshadow.exe
C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
G:\Sistem Tools\Avira\TB\BitTorrent.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.searchqu.com/406
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\window~4\datamngr\toolbar\searchqudtx.dll
BHO: DataMngr: {9d717f81-9148-4f12-8568-69135f087db0} - c:\progra~1\window~4\datamngr\BROWSE~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - g:\sistem tools\ccleaner\MegaIEMn.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\window~4\datamngr\toolbar\searchqudtx.dll
TB: {6AA40521-14E7-4B1D-B1B4-98528C1388C9} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Update] "c:\documents and settings\computer\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [avgnt] "g:\sistem tools\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DATAMNGR] c:\progra~1\window~4\datamngr\DATAMN~1.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
TCP: Interfaces\{0A2DC3BF-A864-4636-AC61-6A3013C07BA4} : NameServer = 192.168.1.1,192.168.1.10
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\window~4\datamngr\datamngr.dll c:\progra~1\window~4\datamngr\IEBHO.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;g:\sistem tools\avira\antivir desktop\avgio.sys [2010-4-21 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;g:\sistem tools\avira\antivir desktop\sched.exe [2010-4-21 136360]
R2 AntiVirService;Avira AntiVir Guard;g:\sistem tools\avira\antivir desktop\avguard.exe [2010-4-21 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-21 66616]
S2 aqtxxic;Time Image;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-8 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-8 136176]
.
=============== Created Last 30 ================
.
2012-01-26 07:47:07 -------- d-----w- c:\documents and settings\computer\AppData
2012-01-26 07:47:02 -------- d-----w- c:\documents and settings\computer\local settings\application data\Ilivid Player
2012-01-26 07:47:01 -------- d-----w- c:\documents and settings\computer\application data\searchquband
2012-01-26 07:41:13 -------- d--h--w- c:\documents and settings\all users\application data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
2012-01-26 07:40:22 -------- d-----w- c:\program files\iLivid
2012-01-26 07:38:45 -------- d-----w- c:\documents and settings\computer\application data\searchqutoolbar
2012-01-26 07:37:52 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess
2012-01-26 07:37:47 -------- d-----w- c:\program files\Windows iLivid Toolbar
2012-01-26 07:37:04 -------- d-----w- c:\documents and settings\computer\local settings\application data\PackageAware
.
==================== Find3M ====================
.
.
============= FINISH: 9:16:13.20 ===============
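
The DDS log above shows one product hooked in from several persistence points at once: two BHOs and a toolbar under the same CLSIDs, an HKLM Run entry (mRun), and two DLLs in AppInit_DLLs, all resolving into the same directory, plus the IE start page pointing at searchqu.com (the OTL log posted later in the thread adds a Chrome default_search_provider pointing at search-results.com). The following Python script is an added triage example, not part of the original post and not code from the DDS or OTL tools: it parses lines of that shape, groups every referenced file path by a heuristic "product directory" (drive plus the next two path components; that grouping is an assumption, not something DDS does), and reports directories hooked by several mechanisms at once, or by AppInit_DLLs at all. The sample report is constructed from lines copied from the logs in this thread.

```python
"""Correlate persistence entries in a DDS / OTL-style 'Pseudo HJT' report.

Added example for this thread; not part of DDS, OTL or the original post.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log above and from the OTL
# log posted later in this thread.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.searchqu.com/406
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\window~4\datamngr\toolbar\searchqudtx.dll
BHO: DataMngr: {9d717f81-9148-4f12-8568-69135f087db0} - c:\progra~1\window~4\datamngr\BROWSE~1.DLL
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\window~4\datamngr\toolbar\searchqudtx.dll
mRun: [avgnt] "g:\sistem tools\avira\antivir desktop\avgnt.exe" /min
mRun: [DATAMNGR] c:\progra~1\window~4\datamngr\DATAMN~1.EXE
AppInit_DLLs: c:\progra~1\window~4\datamngr\datamngr.dll c:\progra~1\window~4\datamngr\IEBHO.dll
CHR - default_search_provider: search_url = http://dts.search-results.com/sr?src=crb&appid=282&systemid=406&sr=0&q={searchTerms}
"""

# Entry kind is the token before the first ':', '=' or ' - ' (BHO, TB, mRun, ...).
KIND_RE = re.compile(r'^([A-Za-z_]+(?: [A-Za-z_]+)*)\s*(?::|=| - )')
DRIVE_RE = re.compile(r'[A-Za-z]:\\')
# DDS defangs URLs as hxxp://; accept both spellings.
HOST_RE = re.compile(r'h(?:xx|tt)ps?://([^/\s]+)', re.IGNORECASE)


def extract_paths(line):
    """Return the Windows paths in a log line, quoted or unquoted, spaces included."""
    starts = [m.start() for m in DRIVE_RE.finditer(line)]
    paths = []
    for i, start in enumerate(starts):
        if start > 0 and line[start - 1] == '"':
            end = line.find('"', start)            # quoted: up to the closing quote
            if end == -1:
                end = len(line)
        else:                                       # unquoted: up to next drive or EOL
            end = starts[i + 1] if i + 1 < len(starts) else len(line)
        path = line[start:end].strip().strip('"')
        path = re.sub(r'(\s+/\S+)+$', '', path)     # drop trailing switches like /min
        paths.append(path)
    return paths


def vendor_dir(path):
    """Heuristic product directory (assumption): drive plus the next two components."""
    parts = path.lower().split('\\')
    return '\\'.join(parts[:3])


def parse_report(text):
    """Return (kind, paths, hosts) for every non-empty, non-separator line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == '.':                 # DDS uses '.' as a separator
            continue
        m = KIND_RE.match(line)
        kind = m.group(1) if m else 'unknown'
        entries.append((kind, extract_paths(line), HOST_RE.findall(line)))
    return entries


def correlate(entries):
    """Map each product directory to the set of persistence kinds referencing it."""
    hooks = defaultdict(set)
    for kind, paths, _ in entries:
        for p in paths:
            hooks[vendor_dir(p)].add(kind)
    return dict(hooks)


def suspicious_dirs(entries, min_kinds=3):
    """Directories hooked by >= min_kinds mechanisms, or by AppInit_DLLs at all.

    AppInit_DLLs is singled out because DLLs listed there are loaded into every
    process that loads user32.dll, not only the browser the toolbar targets.
    """
    out = {}
    for d, kinds in correlate(entries).items():
        if len(kinds) >= min_kinds or 'AppInit_DLLs' in kinds:
            out[d] = sorted(kinds)
    return out


def redirect_hosts(entries):
    """Hosts configured as start page or default search provider."""
    return sorted({h.lower() for _, _, hosts in entries for h in hosts})


if __name__ == '__main__':
    ents = parse_report(SAMPLE_REPORT)
    for d, kinds in suspicious_dirs(ents).items():
        print(f'{d}  <- {", ".join(kinds)}')
    print('browser redirect hosts:', redirect_hosts(ents))
```

On the sample the only directory reported is c:\progra~1\window~4 (the 8.3 short name of C:\Program Files\Windows iLivid Toolbar seen in the OTL log), hooked from BHO, TB, mRun and AppInit_DLLs; the Avira and Adobe entries each appear from a single mechanism and stay below the threshold. The script does not expand short names, so a product referenced by both its long and short path would be counted as two directories; resolving that needs the live file system.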


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:01:33 AM

Posted 27 January 2012 - 09:31 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • If I instruct you to download a specific tool that you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________


Running aswMBR.exe

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click aswMBR.exe to run it, then click the "Scan" button to start the scan.


On completion of the scan, click "Save log", save it to your desktop, and post it in your next reply.




NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


NEXT:


Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. aswMBR log file.
3. OTL & Extras.txt logs.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 CC Girl

CC Girl
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:33 AM

Posted 28 January 2012 - 12:04 AM

Agent ST,

Thank you for the prompt response! I look forward to your support and assistance.

1. I noticed that your reply mentions that the aswMBR.exe is around 1.8MB but the one I downloaded from your link was around 4.5MB. I still downloaded and ran the .exe but I thought I should mention it in the event that I downloaded the wrong file.
I have made a request for some comments later in the post (section 4.)

2. Pasted below is the aswMBR.txt log file

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-28 09:49:16
-----------------------------
09:49:16.421 OS Version: Windows 5.1.2600 Service Pack 2
09:49:16.421 Number of processors: 1 586 0x303
09:49:16.437 ComputerName: DR-00X6GOZGYDZD UserName: Computer
09:49:18.390 Initialize success
09:49:46.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0
09:49:46.562 Disk 0 Vendor: Maxtor_6 YAR4 Size: 39082MB BusType: 3
09:49:46.593 Disk 0 MBR read successfully
09:49:46.593 Disk 0 MBR scan
09:49:46.593 Disk 0 Windows XP default MBR code
09:49:46.609 Disk 0 Partition 1 80 (A) 0B FAT32 MSDOS5.0 6016 MB offset 63
09:49:46.609 Disk 0 Partition - 00 0F Extended LBA 33063 MB offset 12321855
09:49:46.625 Disk 0 Partition 2 00 0B FAT32 MSWIN4.1 4996 MB offset 12321918
09:49:46.625 Disk 0 Partition - 00 05 Extended 8322 MB offset 22555260
09:49:46.640 Disk 0 Partition 3 00 0B FAT32 MSWIN4.1 8322 MB offset 22555323
09:49:46.640 Disk 0 Partition - 00 05 Extended 10236 MB offset 49833630
09:49:46.656 Disk 0 Partition 4 00 0B FAT32 MSDOS5.0 10236 MB offset 39600288
09:49:46.656 Disk 0 Partition - 00 05 Extended 9507 MB offset 87843420
09:49:46.671 Disk 0 Partition 5 00 07 HPFS/NTFS NTFS 9507 MB offset 60565113
09:49:47.140 Disk 0 scanning sectors +80035830
09:49:47.171 Disk 0 scanning C:\WINDOWS\system32\drivers
09:50:00.062 Service scanning
09:50:01.875 Modules scanning
09:50:23.343 Disk 0 trace - called modules:
09:50:23.359 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll IdeChnDr.sys
09:50:23.359 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8131e3d8]
09:50:23.359 3 CLASSPNP.SYS[f956905b] -> nt!IofCallDriver -> \Device\0000005c[0x8131ef18]
09:50:23.359 5 ACPI.sys[f94df620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0[0x8131d030]
09:50:23.359 Scan finished successfully
09:50:51.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Computer\Desktop\Removal\MBR.dat"
09:50:51.156 The log file has been saved successfully to "C:\Documents and Settings\Computer\Desktop\Removal\aswMBR.txt"

3. Pasted below is the OTL.txt log file followed by the Extras.txt log file

OTL logfile created on: 1/28/2012 9:51:17 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Computer\Desktop\Removal
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

247.48 Mb Total Physical Memory | 60.11 Mb Available Physical Memory | 24.29% Memory free
631.79 Mb Paging File | 241.28 Mb Available in Paging File | 38.19% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 5.86 Gb Total Space | 1.45 Gb Free Space | 24.77% Space Free | Partition Type: FAT32
Drive D: | 4.87 Gb Total Space | 2.39 Gb Free Space | 49.13% Space Free | Partition Type: FAT32
Drive E: | 8.12 Gb Total Space | 1.79 Gb Free Space | 22.01% Space Free | Partition Type: FAT32
Drive F: | 9.99 Gb Total Space | 2.29 Gb Free Space | 22.97% Space Free | Partition Type: FAT32
Drive G: | 9.28 Gb Total Space | 2.29 Gb Free Space | 24.63% Space Free | Partition Type: NTFS

Computer Name: DR-00X6GOZGYDZD | User Name: Computer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/28 08:59:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Computer\Desktop\Removal\OTL.exe
PRC - [2012/01/20 11:05:38 | 001,047,024 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/12/06 15:47:58 | 001,694,608 | ---- | M] (Bandoo Media, inc) -- C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe
PRC - [2011/06/28 18:09:58 | 000,269,480 | ---- | M] (Avira GmbH) -- G:\Sistem Tools\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/04/27 18:04:10 | 000,136,360 | ---- | M] (Avira GmbH) -- G:\Sistem Tools\Avira\AntiVir Desktop\sched.exe
PRC - [2010/11/04 17:32:26 | 000,281,768 | ---- | M] (Avira GmbH) -- G:\Sistem Tools\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/06/03 05:29:46 | 000,587,568 | ---- | M] () -- G:\Sistem Tools\Avira\TB\BitTorrent.exe
PRC - [2010/01/14 22:11:02 | 000,076,968 | ---- | M] (Avira GmbH) -- G:\Sistem Tools\Avira\AntiVir Desktop\avshadow.exe
PRC - [2004/08/04 00:56:58 | 000,073,796 | ---- | M] (Smart Link) -- C:\WINDOWS\system32\slserv.exe
PRC - [2004/08/04 00:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/04/01 09:52:06 | 001,368,064 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/20 11:05:36 | 003,767,792 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\pdf.dll
MOD - [2012/01/20 11:05:36 | 000,411,120 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\ppgooglenaclpluginchrome.dll
MOD - [2012/01/20 11:04:12 | 000,122,880 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\avutil-51.dll
MOD - [2012/01/20 11:04:10 | 000,222,208 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\avformat-53.dll
MOD - [2012/01/20 11:04:08 | 001,746,432 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\avcodec-53.dll
MOD - [2012/01/20 07:44:42 | 008,593,056 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\gcswf32.dll
MOD - [2010/06/03 05:29:46 | 000,587,568 | ---- | M] () -- G:\Sistem Tools\Avira\TB\BitTorrent.exe
MOD - [2010/01/28 13:58:00 | 000,355,688 | ---- | M] () -- G:\Sistem Tools\Avira\AntiVir Desktop\sqlite3.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/06/28 18:09:58 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- G:\Sistem Tools\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/27 18:04:10 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- G:\Sistem Tools\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2004/08/04 00:56:58 | 000,073,796 | ---- | M] (Smart Link) [Auto | Running] -- C:\WINDOWS\System32\slserv.exe -- (SLService)
SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2011/06/28 18:09:58 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/06/28 18:09:58 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 12:49:20 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- G:\Sistem Tools\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:50 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2004/08/03 23:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/08/03 22:41:46 | 000,095,424 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slnthal.sys -- (SlNtHal)
DRV - [2004/08/03 22:41:46 | 000,013,240 | ---- | M] (Smart Link) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\slwdmsup.sys -- (SlWdmSup)
DRV - [2004/08/03 22:41:44 | 000,404,990 | ---- | M] (Smart Link) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\slntamr.sys -- (Slntamr)
DRV - [2004/08/03 22:41:40 | 000,180,360 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ntmtlfax.sys -- (NtMtlFax)
DRV - [2004/08/03 22:41:40 | 000,126,686 | ---- | M] (Smart Link) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mtlmnt5.sys -- (Mtlmnt5)
DRV - [2004/08/03 22:41:40 | 000,013,776 | ---- | M] (Smart Link) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\RecAgent.sys -- (RecAgent)
DRV - [2004/08/03 22:41:38 | 001,309,184 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlstrm.sys -- (Mtlstrm)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/03/09 14:16:42 | 000,400,640 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/12/31 09:28:46 | 000,069,504 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnic51.sys -- (RTL8023)
DRV - [2002/10/15 00:00:00 | 000,101,431 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\IdeChnDr.sys -- (IdeChnDr) Intel®
DRV - [2002/10/15 00:00:00 | 000,013,891 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\IdeBusDr.sys -- (IdeBusDr)
DRV - [2002/09/20 07:23:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1957994488-2111687655-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/406
IE - HKU\S-1-5-21-1957994488-2111687655-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)


[2010/06/09 06:46:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Computer\Application Data\Mozilla\Extensions
[2010/06/09 06:46:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Computer\Application Data\Mozilla\Firefox\Profiles\k0ohnfoq.default\extensions

========== Chrome ==========

CHR - default_search_provider: Search Results (Enabled)
CHR - default_search_provider: search_url = http://dts.search-results.com/sr?src=crb&appid=282&systemid=406&sr=0&q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Disabled) = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\pdf.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.3_0\
CHR - Extension: Google Search = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
CHR - Extension: Gmail = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2001/08/23 11:30:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (IeMonitorBho Class) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - G:\Sistem Tools\CCleaner\MegaIEMn.dll File not found
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-1957994488-2111687655-839522115-1004\..\Toolbar\WebBrowser: (no name) - {6AA40521-14E7-4B1D-B1B4-98528C1388C9} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] G:\Sistem Tools\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1957994488-2111687655-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0A2DC3BF-A864-4636-AC61-6A3013C07BA4}: NameServer = 192.168.1.1,192.168.1.10
O20 - AppInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\datamngr.dll) -C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\IEBHO.dll) -C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Computer\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Computer\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/04/21 11:11:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/08/26 12:58:34 | 000,000,645 | ---- | M] () - E:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [1999/01/12 16:46:16 | 000,000,406 | ---- | M] () - E:\AUTOEXEC.DOS -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/28 09:04:07 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Computer\Recent
[2012/01/27 09:15:32 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Computer\Start Menu\Programs\Administrative Tools
[2012/01/27 09:02:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\Desktop\Removal
[2012/01/26 13:17:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\AppData
[2012/01/26 13:17:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\Local Settings\Application Data\Ilivid Player
[2012/01/26 13:17:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\Application Data\searchquband
[2012/01/26 13:11:13 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
[2012/01/26 13:11:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iLivid
[2012/01/26 13:10:22 | 000,000,000 | ---D | C] -- C:\Program Files\iLivid
[2012/01/26 13:08:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\Application Data\searchqutoolbar
[2012/01/26 13:07:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2012/01/26 13:07:47 | 000,000,000 | ---D | C] -- C:\Program Files\Windows iLivid Toolbar
[2012/01/26 13:07:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\Local Settings\Application Data\PackageAware
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/28 09:02:22 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/28 08:25:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/28 08:24:54 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/28 08:24:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/27 16:09:02 | 000,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-2111687655-839522115-1004Core1cc8d81819a2604.job
[2012/01/24 19:12:48 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/26 10:39:02 | 000,000,050 | ---- | C] () -- C:\WINDOWS\MegaManager.INI
[2010/06/09 06:46:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/22 13:21:49 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/21 15:32:18 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/04/21 12:18:19 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\igfxzoom.exe
[2010/04/21 11:14:02 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/04/21 11:08:21 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/04/21 10:57:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/04/21 10:56:50 | 000,111,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2002/08/29 03:57:58 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2002/03/25 20:02:14 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2001/08/23 12:30:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 12:30:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 11:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 11:30:00 | 000,311,604 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 11:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 11:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 11:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 11:30:00 | 000,039,992 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 11:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 11:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >


OTL Extras logfile created on: 1/28/2012 9:51:17 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Computer\Desktop\Removal
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

247.48 Mb Total Physical Memory | 60.11 Mb Available Physical Memory | 24.29% Memory free
631.79 Mb Paging File | 241.28 Mb Available in Paging File | 38.19% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 5.86 Gb Total Space | 1.45 Gb Free Space | 24.77% Space Free | Partition Type: FAT32
Drive D: | 4.87 Gb Total Space | 2.39 Gb Free Space | 49.13% Space Free | Partition Type: FAT32
Drive E: | 8.12 Gb Total Space | 1.79 Gb Free Space | 22.01% Space Free | Partition Type: FAT32
Drive F: | 9.99 Gb Total Space | 2.29 Gb Free Space | 22.97% Space Free | Partition Type: FAT32
Drive G: | 9.28 Gb Total Space | 2.29 Gb Free Space | 24.63% Space Free | Partition Type: NTFS

Computer Name: DR-00X6GOZGYDZD | User Name: Computer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2997:TCP" = 2997:TCP:*:Disabled:nxttjoqo

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\BitTorrent.exe" = C:\Program Files\BitTorrent\BitTorrent.exe:*:Enabled:BitTorrent
"G:\Sistem Tools\Avira\TB\BitTorrent.exe" = G:\Sistem Tools\Avira\TB\BitTorrent.exe:*:Enabled:BitTorrent -- ()
"C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe" = C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe:*:Enabled:DTX broker -- (Visicom Media Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B6E3FC6-274C-4B6C-BC85-5C3B15DE18E2}" = Mega Manager
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8D15E1B2-D2B7-4A17-B44B-D2DDE5981406}" = iLivid
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{9984DF60-1C5B-11D3-ACA1-908A4FC10801}" = Intel Application Accelerator
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{ADFBA869-0359-4C24-8CEF-DB0FBE90B987}" = Mega Manager
"{C1611681-E8F9-4C89-A6A4-36DD0DA6E089}_is1" = DepositFiles FileManager 0.9.9.203
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"ie8" = Windows Internet Explorer 8
"iLivid" = iLivid
"Windows Searchqu Toolbar" = Windows iLivid Toolbar
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1957994488-2111687655-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/26/2012 9:39:27 AM | Computer Name = DR-00X6GOZGYDZD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/26/2012 10:14:01 AM | Computer Name = DR-00X6GOZGYDZD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/26/2012 10:14:01 AM | Computer Name = DR-00X6GOZGYDZD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/26/2012 10:14:01 AM | Computer Name = DR-00X6GOZGYDZD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/26/2012 10:14:03 AM | Computer Name = DR-00X6GOZGYDZD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/26/2012 10:14:04 AM | Computer Name = DR-00X6GOZGYDZD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/26/2012 10:14:04 AM | Computer Name = DR-00X6GOZGYDZD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/26/2012 10:14:04 AM | Computer Name = DR-00X6GOZGYDZD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/26/2012 10:14:07 AM | Computer Name = DR-00X6GOZGYDZD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/26/2012 10:14:07 AM | Computer Name = DR-00X6GOZGYDZD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 1/21/2012 11:24:39 PM | Computer Name = DR-00X6GOZGYDZD | Source = Service Control Manager | ID = 7023
Description = The Time Image service terminated with the following error: %%126

Error - 1/22/2012 8:08:44 PM | Computer Name = DR-00X6GOZGYDZD | Source = Service Control Manager | ID = 7023
Description = The Time Image service terminated with the following error: %%126

Error - 1/24/2012 12:13:35 AM | Computer Name = DR-00X6GOZGYDZD | Source = Service Control Manager | ID = 7023
Description = The Time Image service terminated with the following error: %%126

Error - 1/24/2012 9:28:38 AM | Computer Name = DR-00X6GOZGYDZD | Source = Service Control Manager | ID = 7023
Description = The Time Image service terminated with the following error: %%126

Error - 1/24/2012 11:52:14 PM | Computer Name = DR-00X6GOZGYDZD | Source = Service Control Manager | ID = 7023
Description = The Time Image service terminated with the following error: %%126

Error - 1/25/2012 9:56:47 PM | Computer Name = DR-00X6GOZGYDZD | Source = Service Control Manager | ID = 7023
Description = The Time Image service terminated with the following error: %%126

Error - 1/26/2012 4:57:51 AM | Computer Name = DR-00X6GOZGYDZD | Source = Service Control Manager | ID = 7023
Description = The Time Image service terminated with the following error: %%126

Error - 1/26/2012 9:39:16 PM | Computer Name = DR-00X6GOZGYDZD | Source = Service Control Manager | ID = 7023
Description = The Time Image service terminated with the following error: %%126

Error - 1/26/2012 11:45:41 PM | Computer Name = DR-00X6GOZGYDZD | Source = Service Control Manager | ID = 7016
Description = The SmartLinkService service has reported an invalid current state
0.

Error - 1/27/2012 10:55:12 PM | Computer Name = DR-00X6GOZGYDZD | Source = Service Control Manager | ID = 7023
Description = The Time Image service terminated with the following error: %%126


< End of report >

4. The computer is showing no noticeable signs of the Malware and all my interactions with it have been indistinguishable from a healthy computer. I have still not touched the Internet Explorer browser and if you think it is okay I would like to download an alternative browser (probably Firefox since I have Chrome) to replace the Internet Explorer that some other users of the computer use. I usually use two browsers since some are better for some things than others and some users seem to prefer one over the other. Although the Malware problem has not been solved I was hoping that some of the users of the computer could use the internet for basic needs (mainly email and news but no downloading or other such activities) since I have noticed no problems with using the internet on Chrome. I have read on some other forums (for the iLivid et al Malware, posted by other people) that this particular Malware is not very insidious so I was hoping that you would okay the limited use of the internet. I'll wait for your opinion before doing so though.

Thank you once again for the reply. I will wait for a response from you before continuing with the process of getting rid of the Malware.

CC Girl

#4 SweetTech

Posted 28 January 2012 - 03:48 AM

Hi!

I noticed that your reply mentions that the aswMBR.exe is around 1.8MB but the one I downloaded from your link was around 4.5MB. I still downloaded and ran the .exe but I thought I should mention it in the event that I downloaded the wrong file.

Very good observation.

You know you're the first person to mention that to me. It looks like it's time for me to update that tidbit to reflect the new file size.

I appreciate you letting me know that.

When I work with users on the forum, I tend to like to have them do the least amount of work on the computer (aside from the tools and utilities I ask them to run); this is to ensure that nothing else gets onto the computer and we don't end up with a complete mess.

In your case, I'm going to suggest you do not, as you have an outdated Service Pack install which is leaving you especially susceptible to an infection.

P2P Warning!

BitTorrent, DepositFiles FileManager, & MegaManager

I understand that downloading music and other files may be important to you; however, the P2P programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., copyrighted material, pirated software, and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

An often unanticipated and unintended consequence of using p2p programs is that you may be leaving your computer open to access by others without either your knowledge or consent. This is how you can uninstall it/them:

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

  • DepositFiles FileManager 0.9.9.203
  • MegaManager
  • BitTorrent

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

If you wish to keep them, you MUST NOT use them until your computer is clean.


NEXT:


Open up Google Chrome.

Click the Wrench.

Go to Options.

Under Home Page change the Search page to a different website or click on Use the New Tab page.

I personally use the Use the New Tab page, that way I'm not waiting for any websites to load when I launch Google Chrome.


Remove Program
We need to remove a program. To do this please do the following:
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
  • iLivid
  • Windows iLivid Toolbar
  • Google Toolbar for Internet Explorer <== If you don't use it, then I suggest removing it.

Note: If the Google Toolbar for Internet Explorer isn't in Add/Remove programs please visit this link here for more information on how to remove it.

Link: http://support.google.com/toolbar/bin/answer.py?hl=en&answer=9231

NEXT:



OTL Fix

We need to run an OTL Fix

If you choose not to remove the Google Toolbar please let me know, as the script below will rip contents of it.

Note: If you have Malwarebytes 1.6 or higher installed, please disable it for the duration of this fix as it may interfere with the successful execution of the script below.

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    IE - HKU\S-1-5-21-1957994488-2111687655-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/406
    O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
    O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
    O2 - BHO: (IeMonitorBho Class) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - G:\Sistem Tools\CCleaner\MegaIEMn.dll File not found
    O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKU\S-1-5-21-1957994488-2111687655-839522115-1004\..\Toolbar\WebBrowser: (no name) - {6AA40521-14E7-4B1D-B1B4-98528C1388C9} - No CLSID value found.
    O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O20 - AppInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\datamngr.dll) -C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
    O20 - AppInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\IEBHO.dll) -C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)
    [2012/01/26 13:17:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\Local Settings\Application Data\Ilivid Player
    [2012/01/26 13:17:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\Application Data\searchquband
    [2012/01/26 13:11:13 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
    [2012/01/26 13:11:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iLivid
    [2012/01/26 13:10:22 | 000,000,000 | ---D | C] -- C:\Program Files\iLivid
    [2012/01/26 13:08:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\Application Data\searchqutoolbar
    [2012/01/26 13:07:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
    [2012/01/26 13:07:47 | 000,000,000 | ---D | C] -- C:\Program Files\Windows iLivid Toolbar
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "2997:TCP"=-
    :Files
    C:\Program Files\Google\GoogleToolbarNotifier\
    C:\Program Files\Windows iLivid Toolbar
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    [EMPTYJAVA]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:


Scanning with MalwareBytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (v1.51.0.1200) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.


NEXT:


Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. OTL fix log.
3. MalwareBytes' Anti-Malware log file.
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Kindest Regards,
Agent ST.

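The fix above was assembled by hand from entries in the OTL log: a BHO with no publisher string, AppInit_DLLs pointing into the toolbar's directory, and an open firewall port nobody recognises. As an added example (not OTL's code and not the helper's), here is a Python triage script that applies the same judgement to lines in OTL's format and renders a fix skeleton in the :OTL / :Reg / :Files syntax shown in the post; the publisher allowlist, the constructed sample lines and the rule that every GloballyOpenPorts entry counts as unrecognised are assumptions of the example.

```python
"""Triage helper for OTL log lines (added example, not part of OTL or of the
helper's post): flags the O2/O3/O4/O20 entries and firewall open ports that a
helper usually carries into an :OTL / :Reg / :Files fix, and renders that fix."""
import re
from collections import namedtuple

# Unverified version-resource strings; this assumed allowlist only lowers priority.
TRUSTED_PUBLISHERS = {"Microsoft Corporation", "Intel Corporation"}
FIREWALL_PORTS_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")
OLINE = re.compile(r"^(?P<code>O\d+) - (?P<body>.+?)\s*$")
# Drive path followed by "(Publisher)", "File not found" or end of line;
# paths that themselves contain parentheses are not handled.
PATH = re.compile(r"(?P<path>[A-Za-z]:\\[^()]*?)"
                  r"(?:\s+\((?P<publisher>[^()]*)\)|\s+(?P<missing>File not found))?\s*$")
OPEN_PORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=\s*\d+:(?:TCP|UDP):'
                       r"[^:]*:(?P<state>Enabled|Disabled):(?P<name>.*)$")
# line: the text to paste under section (for :OTL, the log line itself, verbatim)
Finding = namedtuple("Finding", "section reason line path")

def parse_entry(line):
    """Return (code, path, publisher, missing) for an O-line, else None."""
    m = OLINE.match(line)
    if not m:
        return None
    pm = PATH.search(m.group("body"))
    path = pm.group("path").strip() if pm else ""
    publisher = (pm.group("publisher") or "").strip() if pm else ""
    missing = bool(pm and pm.group("missing")) or "No CLSID value found" in line
    return m.group("code"), path, publisher, missing

def program_root(path):
    """'C:\\Program Files\\X\\y.dll' -> 'C:\\Program Files\\X', else ''."""
    parts = path.split("\\")
    ok = len(parts) >= 3 and parts[1].lower() == "program files"
    return "\\".join(parts[:3]) if ok else ""

def triage(lines):
    findings, entries, in_ports = [], [], False
    for raw in lines:
        line = raw.strip()
        if line.startswith("["):            # registry key header or file entry
            in_ports = line == "[" + FIREWALL_PORTS_KEY + "]"
        elif in_ports and (pm := OPEN_PORT.match(line)):
            findings.append(Finding(":Reg", f"port {pm['port']}/{pm['proto']} opened "
                f"({pm['state']}) for unrecognised program '{pm['name']}'",
                f'"{pm["port"]}:{pm["proto"]}"=-', ""))
        elif (entry := parse_entry(line)):
            entries.append((line,) + entry)
    for line, code, path, publisher, missing in entries:
        if code == "O20" and "AppInit_DLLs" in line:     # loaded into every process
            if publisher not in TRUSTED_PUBLISHERS:
                findings.append(Finding(":OTL", "AppInit_DLLs from publisher "
                    f"'{publisher or 'none'}'", line, path))
        elif code in ("O2", "O3", "O4") and missing:
            findings.append(Finding(":OTL", "orphaned entry: target or CLSID missing", line, path))
        elif code in ("O2", "O3", "O4") and not publisher:
            findings.append(Finding(":OTL", "no publisher string on add-on/autostart", line, path))
    # Second pass: anything else living under a program directory already flagged.
    roots = {program_root(f.path) for f in findings} - {""}
    flagged = {f.line for f in findings}
    for line, code, path, publisher, missing in entries:
        if line not in flagged and program_root(path) in roots:
            findings.append(Finding(":OTL", f"lives in flagged {program_root(path)}", line, path))
    for root in sorted(roots):
        findings.append(Finding(":Files", "remove flagged program directory", root, root))
    return findings

def build_fix(findings):
    """Render findings in the section syntax OTL's Custom Scans/Fixes box accepts."""
    out = []
    for section in (":OTL", ":Reg", ":Files"):
        lines = [f.line for f in findings if f.section == section]
        if lines:
            out.append(section)
            if section == ":Reg":           # .reg-style deletion needs its key header
                out.append("[" + FIREWALL_PORTS_KEY + "]")
            out.extend(lines)
    out += [":Commands", "[CreateRestorePoint]", "[emptytemp]"]
    return "\n".join(out) + "\n"

# Constructed sample in OTL's format, echoing the kinds of entries in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (IeMonitorBho Class) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - G:\Sistem Tools\CCleaner\MegaIEMn.dll File not found
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\datamngr.dll) -C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2997:TCP" = 2997:TCP:*:Disabled:nxttjoqo
"""

if __name__ == "__main__":
    print(build_fix(triage(SAMPLE_LOG.splitlines())))
```

Run it against a saved OTL.txt with `triage(open("OTL.txt").read().splitlines())`; the output is a starting point for review, not a fix to paste blindly.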


#5 CC Girl

Posted 28 January 2012 - 04:58 AM

Thank you for the reply, Agent ST, and thank you for making me feel meticulous in noticing the file size. I could even be a stickler and suggest you update the version of the Malwarebytes file as well while you're updating your information. You are welcome.

1. I have followed your instructions and have them listed below; however, I did not change the home page settings in Chrome since I had already done that, but I did go through the settings and make some adjustments to the search options (the setting that allows you to change the right click > 'Search ... for ...' function; it seems that that had been changed). I removed all three of the mentioned programmes from Add/Remove... in Control Panel. As suggested, I will wait until the computer is clean before making changes or using the system to its fullest.

2. Here is the OTL log:

All processes killed
========== SERVICES/DRIVERS ==========
========== PROCESSES ==========
========== OTL ==========
HKU\S-1-5-21-1957994488-2111687655-839522115-1004\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079a25-328f-4bd4-be04-00955acaa0a7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ deleted successfully.
File C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4f12-8568-69135F087DB0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D717F81-9148-4f12-8568-69135F087DB0}\ not found.
C:\Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ not found.
File C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf00e119-21a3-4fd1-b178-3b8537e75c92}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bf00e119-21a3-4fd1-b178-3b8537e75c92}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{99079a25-328f-4bd4-be04-00955acaa0a7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99079a25-328f-4bd4-be04-00955acaa0a7}\ not found.
File C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\10 deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1957994488-2111687655-839522115-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{6AA40521-14E7-4B1D-B1B4-98528C1388C9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6AA40521-14E7-4B1D-B1B4-98528C1388C9}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DATAMNGR not found.
File C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe not found.
File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\PROGRA~1\WINDOW~4\Datamngr\datamngr.dll deleted successfully.
File pInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\datamngr.dll) -C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\PROGRA~1\WINDOW~4\Datamngr\IEBHO.dll deleted successfully.
File pInit_DLLs: (C:\PROGRA~1\WINDOW~4\Datamngr\IEBHO.dll) -C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll not found.
C:\Documents and Settings\Computer\Local Settings\Application Data\Ilivid Player folder moved successfully.
C:\Documents and Settings\Computer\Application Data\searchquband folder moved successfully.
Folder C:\Documents and Settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}\ not found.
Folder C:\Documents and Settings\All Users\Start Menu\Programs\iLivid\ not found.
Folder C:\Program Files\iLivid\ not found.
Folder C:\Documents and Settings\Computer\Application Data\searchqutoolbar\ not found.
C:\Documents and Settings\All Users\Application Data\boost_interprocess\C0BAA5ADCDDBCC01 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\boost_interprocess folder moved successfully.
C:\Program Files\Windows iLivid Toolbar\Datamngr folder moved successfully.
C:\Program Files\Windows iLivid Toolbar folder moved successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SETA.tmp deleted successfully.
C:\WINDOWS\002262_.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2997:TCP deleted successfully.
========== FILES ==========
C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100 folder moved successfully.
C:\Program Files\Google\GoogleToolbarNotifier folder moved successfully.
File\Folder C:\Program Files\Windows iLivid Toolbar not found.
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
The Cacls command can be run only on disk drives that use the NTFS file system.
C:\Documents and Settings\Computer\Desktop\Removal\cmd.bat deleted successfully.
C:\Documents and Settings\Computer\Desktop\Removal\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Computer\Desktop\Removal\cmd.bat deleted successfully.
C:\Documents and Settings\Computer\Desktop\Removal\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Computer
->Temp folder emptied: 4032440 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 16191542 bytes
->Google Chrome cache emptied: 4956901 bytes
->Flash cache emptied: 343 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 88456 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 24.00 mb


[EMPTYFLASH]

User: Default User

User: All Users

User: NetworkService

User: LocalService

User: Computer
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Default User

User: All Users

User: NetworkService

User: LocalService

User: Computer

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 01282012_143353

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


3. Here is the Malwarebytes log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.28.03

Windows XP Service Pack 2 x86 FAT32
Internet Explorer 8.0.6001.18702
Computer :: DR-00X6GOZGYDZD [administrator]

1/28/2012 2:57:04 PM
mbam-log-2012-01-28 (14-57-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 154075
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


4. The computer still 'feels' healthy and although the usage is limited, I am keeping a close eye on it but I have not been able to find any noticeable problems (I am still not using Internet Explorer and will continue to not do so until the computer is clean).

Thank you Agent ST,

CC Girl
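Reading an OTL fix log by hand is tedious once it runs to a few hundred lines, and the lines that matter for this infection are a handful of persistence points: the AppInit_DLLs value (which made datamngr.dll load into every process that uses user32.dll), the Browser Helper Object and toolbar CLSIDs, the DATAMNGR Run key and the 2997/TCP firewall exception. The Python script below is an added example, not part of this thread and not OTL's own code: it parses the action lines in the shape OTL prints them and groups the successful removals by persistence point. The category labels are the example's own, and the sample lines are adapted from the log above (the "Registry error reading value" line is included to show that non-action lines are skipped).

```python
"""Summarise an OTL fix log: what was actually removed, grouped by persistence point.

Added example, not part of the thread and not OTL's own code. It reads the
line shapes OTL prints ("Registry key ... deleted successfully.",
"Registry value ... not found.", "File ... not found.",
"<path> folder moved successfully.") and groups the successful removals by
the kind of persistence they represent. The category names are this
example's own labels; the sample lines are adapted from the log above.
"""
import re

# Constructed sample: lines adapted from the OTL log posted in this thread.
SAMPLE_LOG = r"""
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf00e119-21a3-4fd1-b178-3b8537e75c92}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\PROGRA~1\WINDOW~4\Datamngr\datamngr.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DATAMNGR not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2997:TCP deleted successfully.
C:\Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll moved successfully.
File C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe not found.
C:\Program Files\Windows iLivid Toolbar folder moved successfully.
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
"""

# One OTL action line: optional object kind, the target, optional " folder", outcome.
LINE_RE = re.compile(
    r"^(?:(?P<kind>Registry key|Registry value|File\\Folder|File|Folder) )?"
    r"(?P<target>.+?)(?: folder)? "
    r"(?P<outcome>deleted successfully|moved successfully|not found)\.$"
)

# Checked in order; the first lower-case needle found in the target wins.
PERSISTENCE = [
    ("AppInit_DLLs (DLL injected into every process that loads user32)", "appinit_dlls"),
    ("Internet Explorer BHO", "browser helper objects"),
    ("Internet Explorer toolbar", "internet explorer\\toolbar"),
    ("Run-key autostart", "currentversion\\run\\"),
    ("Windows Firewall exception", "firewallpolicy"),
    ("COM class registration (CLSID)", "classes\\clsid"),
]


def parse_line(line):
    """Return {'target', 'outcome', 'category'} for an OTL action line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    low = target.lower()
    category = next((name for name, needle in PERSISTENCE if needle in low), None)
    if category is None:
        is_path = m.group("kind") in ("File", "Folder", "File\\Folder") or re.match(r"^[a-z]:\\", low)
        category = "file/folder" if is_path else "other registry"
    return {"target": target, "outcome": m.group("outcome"), "category": category}


def summarise(log_text):
    """Split an OTL fix log into removals and misses; removals grouped by category."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    removed = [e for e in entries if e["outcome"] != "not found"]
    by_category = {}
    for e in removed:
        by_category.setdefault(e["category"], []).append(e["target"])
    return {
        "parsed": len(entries),
        "removed": removed,
        "not_found": [e for e in entries if e["outcome"] == "not found"],
        "by_category": by_category,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("%d action lines, %d removed, %d already gone" % (
        report["parsed"], len(report["removed"]), len(report["not_found"])))
    for category, targets in report["by_category"].items():
        print("\n[%s]" % category)
        for t in targets:
            print("  " + t)
```

Lines reported as "not found" are items the fix asked for that were already gone, so a second run of the same fix should come back nearly all "not found". Note also the cacls line in the log: the system drive is FAT32 (the MBAM and ComboFix headers say so), so the ACL step on the hosts file could not run; the hosts reset itself still went through.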

#6 SweetTech

Agent ST

Posted 28 January 2012 - 05:03 AM

Hi CC Girl!

"Thank you for the reply Agent ST and thank you for making me feel meticulous in noticing the file size, I could even be a stickler and suggest you update the version of the Malwarebytes file as well while you're updating your information."

You are welcome.

I've updated both of my instructions accordingly. Thanks again for making me aware.

Let's see what this scan below finds.

Running ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon.
They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 CC Girl

Topic Starter

Posted 28 January 2012 - 10:37 AM

Thank you for the prompt response.

Pasted below is the ComboFix log. (I did get a pop-up message from ComboFix just before the scan saying that it could not find the Windows Recovery Console and asking whether I would like ComboFix to install/update it. I clicked on "No", thinking that it would mean that the scan would not take place and then I could ask you about it, but it just continued and finished the scan.)

Other than that Agent ST, everything on the computer still 'feels' perfectly normal.

CC Girl




ComboFix 12-01-28.01 - Computer 01/28/2012 20:43:33.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247.124 [GMT 5.5:30]
Running from: c:\documents and settings\Computer\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\WindowsUpdate.log
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-28 )))))))))))))))))))))))))))))))
.
.
2012-01-28 09:13 . 2012-01-28 09:13 -------- d-----w- c:\documents and settings\Computer\Application Data\Malwarebytes
2012-01-28 09:13 . 2012-01-28 09:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-28 09:13 . 2012-01-28 09:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-28 09:13 . 2011-12-10 09:54 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-28 09:03 . 2012-01-28 09:03 -------- d-----w- C:\_OTL
2012-01-26 07:47 . 2012-01-26 07:47 -------- d-----w- c:\documents and settings\Computer\AppData
2012-01-26 07:37 . 2012-01-26 07:37 -------- d-----w- c:\documents and settings\Computer\Local Settings\Application Data\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-01-16 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-01-16 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"avgnt"="g:\sistem tools\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"g:\\Sistem Tools\\Avira\\TB\\BitTorrent.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;g:\sistem tools\Avira\AntiVir Desktop\sched.exe [4/21/2010 12:57 PM 136360]
S2 aqtxxic;Time Image;c:\windows\system32\svchost.exe -k netsvcs [8/23/2001 11:30 AM 14336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
aqtxxic
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-2111687655-839522115-1004Core1cc8d81819a2604.job
- c:\documents and settings\Computer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 07:59]
.
.
------- Supplementary Scan -------
.
uStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{0A2DC3BF-A864-4636-AC61-6A3013C07BA4}: NameServer = 192.168.1.1,192.168.1.10
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-BitTorrent - c:\program files\BitTorrent\BitTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-28 20:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
g:\sistem tools\Avira\AntiVir Desktop\avguard.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
g:\sistem tools\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-01-28 20:55:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-28 15:25
.
Pre-Run: 1,696,718,848 bytes free
Post-Run: 1,638,244,352 bytes free
.
- - End Of File - - 10970DD795DF9882DA79EC51C20CFB87

#8 SweetTech

Agent ST

Posted 29 January 2012 - 02:49 AM

Hi CC Girl!

When it asks you to install the Recovery Console again, please allow it to do so.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
ClearJavaCache::
Driver::
aqtxxic
NetSvc::
aqtxxic

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:


Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

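The entry that CFScript targets is worth a closer look, because it is the one real post-exploitation artefact in this thread: the ComboFix log shows S2 aqtxxic;Time Image;c:\windows\system32\svchost.exe -k netsvcs, and aqtxxic also appears under the Svchost - NetSvcs list. A service with a random seven-letter name, a generic display name and svchost.exe as its image is the classic way a payload DLL gets loaded into a shared service host, which is why the script removes both the service (Driver::) and its netsvcs group membership (NetSvc::). The Python below is an added example, not part of this thread and not ComboFix's code: it parses the service lines and the netsvcs list in ComboFix's format, flags netsvcs members whose name is not in a baseline of stock Windows XP netsvcs services, and prints the matching CFScript stanza. The baseline list is an abbreviated assumption; on a real case export the netsvcs value from a clean machine of the same build.

```python
"""Triage svchost-hosted services in a ComboFix log and draft the CFScript stanza.

Added example, not part of the thread and not ComboFix's code. It reads the
"R2/S2 name;display;image [stamp]" service lines and the
"Svchost - NetSvcs" member list that ComboFix prints, flags netsvcs members
that are not in a baseline of stock Windows XP netsvcs service names, and
emits the Driver::/NetSvc:: lines the helper wrote by hand above.
"""
import re

# Constructed sample: the two service lines and the netsvcs list from the
# ComboFix log posted earlier in this thread.
SAMPLE_COMBOFIX = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;g:\sistem tools\Avira\AntiVir Desktop\sched.exe [4/21/2010 12:57 PM 136360]
S2 aqtxxic;Time Image;c:\windows\system32\svchost.exe -k netsvcs [8/23/2001 11:30 AM 14336]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
aqtxxic
.
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)

# ASSUMPTION: abbreviated baseline of service names that belong to the
# netsvcs group on a stock Windows XP SP2/SP3. For real use, export
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs from a
# clean machine of the same build and use that instead.
XP_NETSVCS_BASELINE = {n.lower() for n in """
6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem
FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer
LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent
Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService
Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov
BITS wuauserv ShellHWDetection helpsvc uploadmgr
""".split()}


def parse_services(text):
    """Service/driver lines as dicts: state, start, name, display, image, stamp."""
    return [m.groupdict() for m in map(SERVICE_RE.match, text.splitlines()) if m]


def parse_netsvcs_group(text):
    """Names listed under the 'Svchost - NetSvcs' header, up to the next '.' line."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().endswith("Svchost - NetSvcs"):
            names = []
            for follow in lines[i + 1:]:
                s = follow.strip()
                if not s or s == ".":
                    break
                names.append(s)
            return names
    return []


def triage(text, baseline=XP_NETSVCS_BASELINE):
    """Flag netsvcs-hosted services whose name is not in the baseline."""
    findings = {}

    def flag(name, reason):
        findings.setdefault(name, {"name": name, "reasons": []})["reasons"].append(reason)

    for svc in parse_services(text):
        host = SVCHOST_RE.search(svc["image"])
        if host and host.group("group").lower() == "netsvcs" and svc["name"].lower() not in baseline:
            # The [stamp] on a svchost-hosted line is svchost.exe's own date and
            # size, so it says nothing about the payload; the ServiceDll under
            # HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters is what to pull.
            flag(svc["name"], "svchost -k netsvcs service not in stock baseline (display name %r)" % svc["display"])
    for name in parse_netsvcs_group(text):
        if name.lower() not in baseline:
            flag(name, "listed in the netsvcs group value but not in stock baseline")
    return list(findings.values())


def cfscript(findings):
    """CFScript stanza in the shape used above: Driver:: then NetSvc:: per name."""
    names = [f["name"] for f in findings]
    return "\n".join(["Driver::"] + names + ["NetSvc::"] + names) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_COMBOFIX)
    for f in found:
        print(f["name"])
        for r in f["reasons"]:
            print("  - " + r)
    print("\nCFScript:\n" + cfscript(found))
```

Two caveats. The date and size in brackets on a svchost-hosted line belong to svchost.exe itself, so they say nothing about the payload; the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters is the file to pull and scan. And a name-based check only catches services with made-up names; a payload that overwrites the ServiceDll of a legitimate netsvcs member keeps a baseline name, so compare ServiceDll paths against a clean machine as well.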


#9 CC Girl

Topic Starter

Posted 29 January 2012 - 05:24 AM

Agent ST,

1. I did the CFScript.txt ComboFix scan and allowed it to download the Windows Recovery Console successfully; however, mid-way through the scan a Windows pop-up appeared. It read: "PEV.exe has encountered a problem and needs to close. We are sorry for the inconvenience..." with two options at the bottom, "Send error report" and "Don't send". I would have clicked on the "Don't send" button but I noticed that ComboFix was still scanning in the background so, I waited to see if the scan would finish by itself and, as it did, it decided to reboot the system and hence the pop-up was automatically closed. However, the scan finished and I have pasted the log below:


ComboFix 12-01-29.01 - Computer 01/29/2012 13:59:50.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247.128 [GMT 5.5:30]
Running from: c:\documents and settings\Computer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Computer\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AQTXXIC
-------\Service_aqtxxic
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-29 )))))))))))))))))))))))))))))))
.
.
2012-01-28 09:13 . 2012-01-28 09:13 -------- d-----w- c:\documents and settings\Computer\Application Data\Malwarebytes
2012-01-28 09:13 . 2012-01-28 09:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-28 09:13 . 2012-01-28 09:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-28 09:13 . 2011-12-10 09:54 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-28 09:03 . 2012-01-28 09:03 -------- d-----w- C:\_OTL
2012-01-26 07:47 . 2012-01-26 07:47 -------- d-----w- c:\documents and settings\Computer\AppData
2012-01-26 07:37 . 2012-01-26 07:37 -------- d-----w- c:\documents and settings\Computer\Local Settings\Application Data\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-01-16 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-01-16 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"avgnt"="g:\sistem tools\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"g:\\Sistem Tools\\Avira\\TB\\BitTorrent.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;g:\sistem tools\Avira\AntiVir Desktop\sched.exe [4/21/2010 12:57 PM 136360]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-2111687655-839522115-1004Core1cc8d81819a2604.job
- c:\documents and settings\Computer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 07:59]
.
.
------- Supplementary Scan -------
.
uStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{0A2DC3BF-A864-4636-AC61-6A3013C07BA4}: NameServer = 192.168.1.1,192.168.1.10
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-29 14:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2740)
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
g:\sistem tools\Avira\AntiVir Desktop\avguard.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
g:\sistem tools\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-01-29 14:11:06 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-29 08:41
ComboFix2.txt 2012-01-28 15:25
.
Pre-Run: 1,634,988,032 bytes free
Post-Run: 1,560,748,032 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - FA680CFF6F9C8283FA4FCF37406CD2F1

2. Pasted Below is the mbam log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.28.06

Windows XP Service Pack 2 x86 FAT32
Internet Explorer 8.0.6001.18702
Computer :: DR-00X6GOZGYDZD [administrator]

1/29/2012 2:18:41 PM
mbam-log-2012-01-29 (14-18-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 153949
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

3. Pasted below is the ESETScan log:

C:\System Volume Information\_restore{FB93D995-3A4F-4588-B742-6214A9444E52}\RP609\A0062116.exe a variant of Win32/Toolbar.SearchSuite application
C:\System Volume Information\_restore{FB93D995-3A4F-4588-B742-6214A9444E52}\RP609\A0062117.dll a variant of Win32/Toolbar.SearchSuite application
C:\System Volume Information\_restore{FB93D995-3A4F-4588-B742-6214A9444E52}\RP609\A0062119.dll a variant of Win32/Toolbar.SearchSuite application
C:\System Volume Information\_restore{FB93D995-3A4F-4588-B742-6214A9444E52}\RP609\A0062120.dll a variant of Win32/Toolbar.SearchSuite application
C:\System Volume Information\_restore{FB93D995-3A4F-4588-B742-6214A9444E52}\RP609\A0062121.dll a variant of Win32/Toolbar.SearchSuite application
C:\_OTL\MovedFiles\01282012_143353\C_Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll Win32/Toolbar.SearchSuite application
C:\_OTL\MovedFiles\01282012_143353\C_Program Files\Windows iLivid Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\_OTL\MovedFiles\01282012_143353\C_Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application
G:\Sistem Tools\Exes\Setup_FreeFlvConverterN.exe Win32/Adware.Toolbar.Dealio application

4. Pasted Below is the security check log:

Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Flash Player 10.0.45.2 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````


Thank you once again for the assistance.

CC Girl

#10 SweetTech

Agent ST

Posted 29 January 2012 - 05:50 AM

Hi!

Thanks for the information regarding the ComboFix scan script.

These threat(s) below are currently in Quarantine/System Restore and shall be removed when we clean up our tools later on.

C:\System Volume Information\_restore{FB93D995-3A4F-4588-B742-6214A9444E52}\RP609\A0062116.exe a variant of Win32/Toolbar.SearchSuite application
C:\System Volume Information\_restore{FB93D995-3A4F-4588-B742-6214A9444E52}\RP609\A0062117.dll a variant of Win32/Toolbar.SearchSuite application
C:\System Volume Information\_restore{FB93D995-3A4F-4588-B742-6214A9444E52}\RP609\A0062119.dll a variant of Win32/Toolbar.SearchSuite application
C:\System Volume Information\_restore{FB93D995-3A4F-4588-B742-6214A9444E52}\RP609\A0062120.dll a variant of Win32/Toolbar.SearchSuite application
C:\System Volume Information\_restore{FB93D995-3A4F-4588-B742-6214A9444E52}\RP609\A0062121.dll a variant of Win32/Toolbar.SearchSuite application
C:\_OTL\MovedFiles\01282012_143353\C_Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll Win32/Toolbar.SearchSuite application
C:\_OTL\MovedFiles\01282012_143353\C_Program Files\Windows iLivid Toolbar\Datamngr\DnsBHO.dll a variant of Win32/Toolbar.SearchSuite application
C:\_OTL\MovedFiles\01282012_143353\C_Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll a variant of Win32/Toolbar.SearchSuite application


____________________________________________________

From the looks of your SecurityCheck log, I can see that we have some outdated programs that need to be updated.

Lets address those programs that need updating now!

Your SecurityCheck log indicates that your version of Flash Player is outdated. This is a vulnerability that needs to be addressed. Please remove the outdated version of Flash Player and then install the latest version.


NEXT


Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here<. Foxit Reader has fewer add-ons and therefore loads more quickly.



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    
    :Reg
    
    :Files
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Update Windows XP
Service Pack 3 (SP3)
It would be in your best interest to install this service pack. This update includes all previously released updates for your system.
Microsoft advises that SP1 or SP1a needs to be installed before installing this update.
Attention: The SP3 download is very large! Based on your Internet connection... be prepared, it could take hours to download!!
Alternately, you could see if a friend or family member has the SP3 update on CD or order it from MS for a fee ... based on your location.

This will be a 2 step process...
The 1st step in this process is to apply Service Pack 3 (SP3) for Windows XP. This update, includes security fixes, to protect your computer.
The 2nd step is to apply all the critical updates and patches since SP3 was released.
Note: If at any time during these steps you experience problems with your computer, do not continue with the steps and post a description of the problem.
  • First
  • Obtain Windows XP Service Pack 3 from the Microsoft Download Center
  • Click the Download ...button. Choose "Save" at the prompt...and save the file to your desktop.
  • Double click the "WindowsXP-KB936929-SP3-x86-ENU.exe" file on your desktop to install the update.
    When the installation has completed successfully...
  • ! IMPORTANT ! reboot your computer (normally) before proceeding to the next step.
Second
  • Now...Go to: Windows Update and install the Critical Updates.
  • Press the "Express"...button to have all "critical" updates shown.
  • Make sure all critical updates and patches are checked for download and installation.
  • Press the Install Updates ... button to begin downloading and installing the updates
    After successfully installing the critical updates and patches...
  • ! IMPORTANT ! reboot your computer normally (again) before proceeding.


NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.


    netsvcs
    drivers32
    hklm\software\clients\startmenuinternet|command /rs
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



What outstanding issues (if any) are you still experiencing with your computer?

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
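As an added example (not part of this thread, and not OTL's own code), the following Python script reads the O1 (HOSTS), O17 (NameServer), IE Start Page and CHR default_search_provider lines of an OTL report like the ones requested above and flags the settings a homepage/search hijacker typically alters: HOSTS entries beyond the default localhost pair that [resethosts] leaves behind, DNS servers outside LAN/loopback ranges, any IE start page that is set, and an enabled Chrome search provider other than Google. The sample report lines are constructed: the clean ones mirror the log posted later in this thread, while the searchqu.com, SearchQu, extra HOSTS and 203.0.113.53 lines are invented to show what a hijacked machine would report.

```python
"""Triage helper for OTL report lines (HOSTS, DNS, browser start page, search).

Added example for this thread; it is not OTL itself and not code from the
thread. It works on the text of an OTL scan report, line by line.
"""
import ipaddress
import re
from urllib.parse import urlparse

# The two entries OTL's [resethosts] leaves in a clean Windows XP HOSTS file.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Ranges a home router's DNS resolver (or the local resolver) is expected to be in.
# Checked explicitly rather than via ip_address().is_private so that documentation
# ranges such as 203.0.113.0/24 are *not* treated as local.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
NS_RE = re.compile(r"^O17 - .*\{([0-9A-Fa-f-]+)\}: NameServer = (.+)$")
START_RE = re.compile(r"^IE - .*\\Main,Start Page =\s*(.*)$")
CHR_SEARCH_RE = re.compile(r"^CHR - default_search_provider: (.+?) \((Enabled|Disabled)\)")


def unexpected_hosts(lines):
    """Return (address, hostname) HOSTS entries beyond the default localhost pair."""
    found = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and (m.group(1), m.group(2)) not in DEFAULT_HOSTS:
            found.append((m.group(1), m.group(2)))
    return found


def foreign_nameservers(lines):
    """Return (interface GUID, server) for DNS servers outside LAN/loopback ranges."""
    flagged = []
    for line in lines:
        m = NS_RE.match(line)
        if not m:
            continue
        guid, servers = m.groups()
        for server in (s.strip() for s in servers.split(",")):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                flagged.append((guid, server))  # not an IP literal at all: worth a look
                continue
            if not any(addr in net for net in LAN_NETS):
                flagged.append((guid, server))
    return flagged


def start_page_hosts(lines):
    """Return hostnames of IE start pages that are set (an empty value means not set)."""
    hosts = []
    for line in lines:
        m = START_RE.match(line)
        if m and m.group(1).strip():
            hosts.append(urlparse(m.group(1).strip()).hostname)
    return hosts


def non_google_chrome_search(lines):
    """Return enabled Chrome default search providers other than Google."""
    return [m.group(1) for m in map(CHR_SEARCH_RE.match, lines)
            if m and m.group(2) == "Enabled" and m.group(1) != "Google"]


def triage(lines):
    """Run all four checks over the report lines and collect the findings."""
    return {
        "hosts": unexpected_hosts(lines),
        "nameservers": foreign_nameservers(lines),
        "start_pages": start_page_hosts(lines),
        "chrome_search": non_google_chrome_search(lines),
    }


# Constructed sample report. Lines not marked "constructed" mirror the clean
# results in the log posted in this thread; the marked ones are invented.
SAMPLE_OTL_LINES = [
    "O1 - Hosts: 127.0.0.1 localhost",
    "O1 - Hosts: ::1 localhost",
    "O1 - Hosts: 127.0.0.1 update.example.invalid",  # constructed: blocks an update host
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters\\Interfaces\\{0A2DC3BF-A864-4636-AC61-6A3013C07BA4}: NameServer = 192.168.1.1,192.168.1.10",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters\\Interfaces\\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.53",  # constructed (TEST-NET-3)
    "IE - HKCU\\SOFTWARE\\Microsoft\\Internet Explorer\\Main,Start Page =",
    "IE - HKCU\\SOFTWARE\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.searchqu.com/",  # constructed
    "IE - HKCU\\SOFTWARE\\Microsoft\\Internet Explorer\\Main,Start Page Redirect Cache = http://in.msn.com/?rd=1",
    "CHR - default_search_provider: Google (Enabled)",
    "CHR - default_search_provider: SearchQu (Enabled)",  # constructed
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_OTL_LINES).items():
        print(f"{key}: {value}")
```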


#11 CC Girl

  • Topic Starter
  • Members
  • 17 posts

Posted 29 January 2012 - 07:20 AM

Agent ST,

I was about to download and install the newer versions of both Adobe Flash and Adobe Reader but, it seems that the internet connection is acting up and being finicky (I doubt that this has anything to do with the Malware since it has been dragging its feet all day) so, I will have to wait for a while (probably several hours since I think a server is down) before I can download those files and install them. Once I do so, I will do the OTL Runfix, as suggested.

In regards to the SP3, I probably will need some time to find out if I have the CD lying around or if someone else has it, if not, I have to figure out how I can purchase it. I think this will take days to sort out so, should I just do the first two steps (1. Update Adobe flash and reader 2. OTL Runfix) and reply in my next post?

Thank you,

CC Girl

#12 SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 29 January 2012 - 08:25 AM

> I was about to download and install the newer versions of both Adobe Flash and Adobe Reader but, it seems that the internet connection is acting up and being finicky (I doubt that this has anything to do with the Malware since it has been dragging its feet all day) so, I will have to wait for a while (probably several hours since I think a server is down) before I can download those files and install them. Once I do so, I will do the OTL Runfix, as suggested.

Okay, no worries.


> In regards to the SP3, I probably will need some time to find out if I have the CD lying around or if someone else has it, if not, I have to figure out how I can purchase it. I think this will take days to sort out so, should I just do the first two steps (1. Update Adobe flash and reader 2. OTL Runfix) and reply in my next post?

You shouldn't need the Windows XP disc to update Windows to Service Pack 3. You just need to download it from the link provided in my previous post.

Kindest Regards,
Agent ST.



#13 CC Girl

  • Topic Starter
  • Members
  • 17 posts

Posted 29 January 2012 - 11:11 PM

Agent ST,

1. I have updated Adobe Flash, Reader and Shockwave for good measure.

2. Pasted below is the log for the OTL Run fix:


All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
< echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c >
The Cacls command can be run only on disk drives that use the NTFS file system.
C:\Documents and Settings\Computer\Desktop\Removal\cmd.bat deleted successfully.
C:\Documents and Settings\Computer\Desktop\Removal\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Computer\Desktop\Removal\cmd.bat deleted successfully.
C:\Documents and Settings\Computer\Desktop\Removal\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Computer
->Temp folder emptied: 68814 bytes
->Temporary Internet Files folder emptied: 33237 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 652352 bytes
->Flash cache emptied: 470 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1.00 mb


[EMPTYFLASH]

User: Default User

User: All Users

User: NetworkService

User: LocalService

User: Computer
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 01292012_205603

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

3. I have downloaded and installed SP3 after going through your instructions again. However, the updating process was annoying (just due to the connectivity to the internet and the lack of friendliness of the Automatic Updates option) but that seems to show that it is up to date.

4. Pasted below is the OTL Quick scan log:


OTL logfile created on: 1/30/2012 9:19:56 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Computer\Desktop\Removal
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

247.48 Mb Total Physical Memory | 49.53 Mb Available Physical Memory | 20.01% Memory free
652.79 Mb Paging File | 274.36 Mb Available in Paging File | 42.03% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 5.86 Gb Total Space | 1.37 Gb Free Space | 23.40% Space Free | Partition Type: FAT32
Drive D: | 4.87 Gb Total Space | 2.39 Gb Free Space | 49.13% Space Free | Partition Type: FAT32
Drive E: | 8.12 Gb Total Space | 1.79 Gb Free Space | 22.02% Space Free | Partition Type: FAT32
Drive F: | 9.99 Gb Total Space | 2.29 Gb Free Space | 22.98% Space Free | Partition Type: FAT32
Drive G: | 9.28 Gb Total Space | 1.76 Gb Free Space | 18.94% Space Free | Partition Type: NTFS

Computer Name: DR-00X6GOZGYDZD | User Name: Computer | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/28 08:59:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Computer\Desktop\Removal\OTL.exe
PRC - [2012/01/20 11:05:38 | 001,047,024 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/06/28 18:09:58 | 000,269,480 | ---- | M] (Avira GmbH) -- G:\Sistem Tools\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/04/27 18:04:10 | 000,136,360 | ---- | M] (Avira GmbH) -- G:\Sistem Tools\Avira\AntiVir Desktop\sched.exe
PRC - [2010/11/04 17:32:26 | 000,281,768 | ---- | M] (Avira GmbH) -- G:\Sistem Tools\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/06/03 05:29:46 | 000,587,568 | ---- | M] () -- G:\Sistem Tools\Avira\TB\BitTorrent.exe
PRC - [2010/01/14 22:11:02 | 000,076,968 | ---- | M] (Avira GmbH) -- G:\Sistem Tools\Avira\AntiVir Desktop\avshadow.exe
PRC - [2008/04/14 05:42:36 | 000,073,796 | ---- | M] (Smart Link) -- C:\WINDOWS\system32\slserv.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/04/01 09:52:06 | 001,368,064 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/20 11:05:36 | 003,767,792 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\pdf.dll
MOD - [2012/01/20 11:05:36 | 000,411,120 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\ppgooglenaclpluginchrome.dll
MOD - [2012/01/20 11:04:12 | 000,122,880 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\avutil-51.dll
MOD - [2012/01/20 11:04:10 | 000,222,208 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\avformat-53.dll
MOD - [2012/01/20 11:04:08 | 001,746,432 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\avcodec-53.dll
MOD - [2012/01/20 07:44:42 | 008,593,056 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\gcswf32.dll
MOD - [2010/06/03 05:29:46 | 000,587,568 | ---- | M] () -- G:\Sistem Tools\Avira\TB\BitTorrent.exe
MOD - [2010/01/28 13:58:00 | 000,355,688 | ---- | M] () -- G:\Sistem Tools\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2009/10/05 15:08:58 | 000,089,600 | ---- | M] () -- G:\Sistem Tools\CCleaner\DFM\dfexex.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/06/28 18:09:58 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- G:\Sistem Tools\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/27 18:04:10 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- G:\Sistem Tools\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/04/14 05:42:36 | 000,073,796 | ---- | M] (Smart Link) [Auto | Running] -- C:\WINDOWS\System32\slserv.exe -- (SLService)
SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2011/06/28 18:09:58 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/06/28 18:09:58 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 12:49:20 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- G:\Sistem Tools\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:50 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2008/04/14 00:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/08/03 22:41:46 | 000,095,424 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\slnthal.sys -- (SlNtHal)
DRV - [2004/08/03 22:41:46 | 000,013,240 | ---- | M] (Smart Link) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\slwdmsup.sys -- (SlWdmSup)
DRV - [2004/08/03 22:41:44 | 000,404,990 | ---- | M] (Smart Link) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\slntamr.sys -- (Slntamr)
DRV - [2004/08/03 22:41:40 | 000,180,360 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ntmtlfax.sys -- (NtMtlFax)
DRV - [2004/08/03 22:41:40 | 000,126,686 | ---- | M] (Smart Link) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mtlmnt5.sys -- (Mtlmnt5)
DRV - [2004/08/03 22:41:40 | 000,013,776 | ---- | M] (Smart Link) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\RecAgent.sys -- (RecAgent)
DRV - [2004/08/03 22:41:38 | 001,309,184 | ---- | M] (Smart Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mtlstrm.sys -- (Mtlstrm)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/03/09 14:16:42 | 000,400,640 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/12/31 09:28:46 | 000,069,504 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnic51.sys -- (RTL8023)
DRV - [2002/10/15 00:00:00 | 000,101,431 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\IdeChnDr.sys -- (IdeChnDr) Intel®
DRV - [2002/10/15 00:00:00 | 000,013,891 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\IdeBusDr.sys -- (IdeBusDr)
DRV - [2002/09/20 07:23:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://in.msn.com/?rd=1&ucc=IN&dcc=IN&opt=0
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 26 ED C9 B0 88 DE CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)


[2010/06/09 06:46:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Computer\Application Data\Mozilla\Extensions
[2010/06/09 06:46:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Computer\Application Data\Mozilla\Firefox\Profiles\k0ohnfoq.default\extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Disabled) = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\16.0.912.77\pdf.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.3_0\
CHR - Extension: Google Search = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
CHR - Extension: Gmail = C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/01/29 20:56:12 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] G:\Sistem Tools\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1327853573156 (WUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0A2DC3BF-A864-4636-AC61-6A3013C07BA4}: NameServer = 192.168.1.1,192.168.1.10
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Computer\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Computer\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/04/21 11:11:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/08/26 12:58:34 | 000,000,645 | ---- | M] () - E:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [1999/01/12 16:46:16 | 000,000,406 | ---- | M] () - E:\AUTOEXEC.DOS -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2012/01/30 07:21:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Computer\Recent
[2012/01/29 21:48:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2012/01/29 21:37:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2012/01/29 21:31:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2012/01/29 21:31:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2012/01/29 21:31:04 | 000,000,000 | ---D | C] -- C:\Program Files\msn
[2012/01/29 21:31:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2012/01/29 21:31:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2012/01/29 21:25:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2012/01/29 18:22:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2012/01/29 18:22:13 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/01/29 16:05:01 | 000,000,000 | -HSD | C] -- C:\Recycled
[2012/01/29 14:26:51 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/01/29 14:11:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/01/29 13:50:40 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/01/28 20:32:54 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/01/28 20:32:54 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/01/28 20:32:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/01/28 20:32:54 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/01/28 20:32:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/01/28 20:32:39 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/28 20:30:18 | 004,393,247 | R--- | C] (Swearware) -- C:\Documents and Settings\Computer\Desktop\ComboFix.exe
[2012/01/28 14:43:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\Application Data\Malwarebytes
[2012/01/28 14:43:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/28 14:43:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/01/28 14:43:26 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/01/28 14:43:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/28 14:33:53 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/01/27 09:15:32 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Computer\Start Menu\Programs\Administrative Tools
[2012/01/27 09:02:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\Desktop\Removal
[2012/01/26 13:17:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\AppData
[2012/01/26 13:07:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Computer\Local Settings\Application Data\PackageAware
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/30 06:22:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/29 21:41:54 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2012/01/29 21:41:18 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/29 21:41:18 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/29 21:38:30 | 000,000,708 | ---- | M] () -- C:\Documents and Settings\Computer\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/01/29 21:38:16 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/29 21:37:18 | 000,111,784 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/01/29 21:25:10 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/01/29 18:59:22 | 000,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-2111687655-839522115-1004Core1cc8d81819a2604.job
[2012/01/29 18:23:44 | 000,001,638 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/01/29 13:50:44 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/01/29 13:47:26 | 004,393,247 | R--- | M] (Swearware) -- C:\Documents and Settings\Computer\Desktop\ComboFix.exe
[2012/01/28 14:43:32 | 000,000,688 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/24 19:12:48 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/29 21:38:29 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\Computer\Start Menu\Programs\Windows Media Player.lnk
[2012/01/29 21:31:44 | 000,010,457 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.hta
[2012/01/29 21:31:44 | 000,001,771 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.css
[2012/01/29 21:31:44 | 000,000,855 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpocm.inf
[2012/01/29 21:31:44 | 000,000,420 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmploc.js
[2012/01/29 21:31:42 | 000,613,334 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.chm
[2012/01/29 21:31:42 | 000,354,468 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud1.wav
[2012/01/29 21:31:42 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud7.wav
[2012/01/29 21:31:42 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud6.wav
[2012/01/29 21:31:42 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud9.wav
[2012/01/29 21:31:42 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud8.wav
[2012/01/29 21:31:42 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud3.wav
[2012/01/29 21:31:42 | 000,086,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud5.wav
[2012/01/29 21:31:42 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud4.wav
[2012/01/29 21:31:42 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud2.wav
[2012/01/29 21:31:42 | 000,067,374 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.adm
[2012/01/29 21:31:42 | 000,029,070 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmp.inf
[2012/01/29 21:31:42 | 000,023,195 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplay.chm
[2012/01/29 21:31:41 | 000,017,272 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmdm.inf
[2012/01/29 21:31:41 | 000,008,677 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm7.gif
[2012/01/29 21:31:41 | 000,007,892 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm9.gif
[2012/01/29 21:31:41 | 000,007,636 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm2.gif
[2012/01/29 21:31:41 | 000,007,369 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm4.gif
[2012/01/29 21:31:41 | 000,006,769 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmfsdk.inf
[2012/01/29 21:31:41 | 000,006,241 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm3.gif
[2012/01/29 21:31:41 | 000,006,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm6.gif
[2012/01/29 21:31:41 | 000,005,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm1.gif
[2012/01/29 21:31:41 | 000,004,193 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm8.gif
[2012/01/29 21:31:41 | 000,002,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm5.gif
[2012/01/29 21:31:40 | 000,572,557 | ---- | C] () -- C:\WINDOWS\System32\dllcache\rtuner.wmv
[2012/01/29 21:31:40 | 000,300,969 | ---- | C] () -- C:\WINDOWS\System32\dllcache\viz.wmv
[2012/01/29 21:31:40 | 000,066,725 | ---- | C] () -- C:\WINDOWS\System32\dllcache\revert.wmz
[2012/01/29 21:31:40 | 000,023,829 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tourbg.gif
[2012/01/29 21:31:40 | 000,017,489 | ---- | C] () -- C:\WINDOWS\System32\dllcache\videobg.gif
[2012/01/29 21:31:40 | 000,005,290 | ---- | C] () -- C:\WINDOWS\System32\dllcache\vidsamp.gif
[2012/01/29 21:31:40 | 000,003,187 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tour.js
[2012/01/29 21:31:40 | 000,002,469 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplay.gif
[2012/01/29 21:31:40 | 000,002,450 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpause.gif
[2012/01/29 21:31:40 | 000,002,375 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplayh.gif
[2012/01/29 21:31:40 | 000,002,371 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpauseh.gif
[2012/01/29 21:31:40 | 000,001,398 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taon.gif
[2012/01/29 21:31:40 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taonh.gif
[2012/01/29 21:31:40 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoff.gif
[2012/01/29 21:31:40 | 000,001,367 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoffh.gif
[2012/01/29 21:31:40 | 000,001,148 | ---- | C] () -- C:\WINDOWS\System32\dllcache\snd.htm
[2012/01/29 21:31:40 | 000,000,908 | ---- | C] () -- C:\WINDOWS\System32\dllcache\skins.inf
[2012/01/29 21:31:39 | 000,375,519 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nuskin.wmv
[2012/01/29 21:31:39 | 000,077,307 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plyr_err.chm
[2012/01/29 21:31:39 | 000,022,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npds.zip
[2012/01/29 21:31:39 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst6.wpl
[2012/01/29 21:31:39 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst5.wpl
[2012/01/29 21:31:39 | 000,001,474 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst3.wpl
[2012/01/29 21:31:39 | 000,001,451 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst12.wpl
[2012/01/29 21:31:39 | 000,001,448 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst4.wpl
[2012/01/29 21:31:39 | 000,001,250 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst1.wpl
[2012/01/29 21:31:39 | 000,001,049 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst2.wpl
[2012/01/29 21:31:39 | 000,001,046 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst7.wpl
[2012/01/29 21:31:39 | 000,001,036 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst8.wpl
[2012/01/29 21:31:39 | 000,000,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst11.wpl
[2012/01/29 21:31:39 | 000,000,787 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst10.wpl
[2012/01/29 21:31:39 | 000,000,784 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst9.wpl
[2012/01/29 21:31:39 | 000,000,783 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst13.wpl
[2012/01/29 21:31:39 | 000,000,775 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst14.wpl
[2012/01/29 21:31:39 | 000,000,733 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst15.wpl
[2012/01/29 21:31:39 | 000,000,403 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npdrmv2.zip
[2012/01/29 21:31:38 | 000,018,286 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.inf
[2012/01/29 21:31:38 | 000,002,778 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogoh.gif
[2012/01/29 21:31:38 | 000,002,545 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogo.gif
[2012/01/29 21:31:37 | 000,457,607 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mdlib.wmv
[2012/01/29 21:31:37 | 000,381,425 | ---- | C] () -- C:\WINDOWS\System32\dllcache\copycd.wmv
[2012/01/29 21:31:37 | 000,184,959 | ---- | C] () -- C:\WINDOWS\System32\dllcache\compact.wmz
[2012/01/29 21:31:37 | 000,009,585 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.css
[2012/01/29 21:31:37 | 000,008,298 | ---- | C] () -- C:\WINDOWS\System32\dllcache\contents.htm
[2012/01/29 21:31:37 | 000,006,878 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.js
[2012/01/29 21:31:37 | 000,005,971 | ---- | C] () -- C:\WINDOWS\System32\dllcache\events.js
[2012/01/29 21:31:37 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnth.gif
[2012/01/29 21:31:37 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnt.gif
[2012/01/29 21:31:37 | 000,000,772 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cntd.gif
[2012/01/29 21:31:37 | 000,000,760 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapph.gif
[2012/01/29 21:31:37 | 000,000,717 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapp.gif
[2012/01/29 21:31:36 | 000,000,999 | ---- | C] () -- C:\WINDOWS\System32\dllcache\bktrh.gif
[2012/01/29 21:27:12 | 000,498,742 | ---- | C] () -- C:\WINDOWS\System32\dllcache\dxmasf.dll
[2012/01/29 21:27:10 | 000,844,314 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msdxm.ocx
[2012/01/29 21:27:10 | 000,004,126 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msdxmlc.dll
[2012/01/29 18:23:42 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2012/01/29 18:23:42 | 000,001,638 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/01/29 13:50:42 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/01/29 13:50:41 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/01/28 20:32:54 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/01/28 20:32:54 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/01/28 20:32:54 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/01/28 20:32:54 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/01/28 20:32:54 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/01/28 14:43:31 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2011/03/26 10:39:02 | 000,000,050 | ---- | C] () -- C:\WINDOWS\MegaManager.INI
[2010/06/09 06:46:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/22 13:21:49 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\Computer\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/21 15:32:18 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/04/21 12:18:19 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\igfxzoom.exe
[2010/04/21 11:14:02 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/04/21 11:08:21 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/04/21 10:57:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/04/21 10:56:50 | 000,111,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2002/08/29 03:57:58 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2001/08/23 12:30:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 12:30:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 11:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 11:30:00 | 000,311,604 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 11:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 11:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 11:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 11:30:00 | 000,039,992 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 11:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 11:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2010/06/03 05:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Computer\Application Data\BitTorrent
[2010/09/16 15:35:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Computer\Application Data\Megaupload

========== Purity Check ==========



========== Custom Scans ==========


< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2012/01/20 11:05:38 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2012/01/20 11:05:38 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2012/01/20 11:05:38 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\Computer\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2012/01/20 11:05:38 | 001,047,024 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2009/03/08 04:32:54 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2009/03/08 04:32:54 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2009/03/08 04:32:54 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< End of report >

The computer seems to be working accurately; however, I will have to do some cleaning up in the C drive and make other changes and updates after we rid the computer of malware.

Thank you for the assistance,

CC Girl

#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:01:33 AM

Posted 30 January 2012 - 05:12 AM

Hi CC Girl!

Your logs are looking clean. Are you experiencing any outstanding issues with your computer, or do you feel you're ready to proceed with the clean-up procedure?

Let me know.

Kindest Regards,
Agent ST.

Edited by SweetTech, 30 January 2012 - 05:13 AM.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#15 CC Girl

CC Girl
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:33 AM

Posted 30 January 2012 - 06:54 AM

Agent ST,

I think I will start to clean up the computer because I've hardly had any 'feeling' of infection for a while.

1. Would it be okay if I started uninstalling all those tools we downloaded to do tests and scans from my computer, because I would like to slim down the programme list on the computer and do some rooting around to see if there are old files or programmes that I could do without?

2. Could I also start to download Firefox and get rid of Internet explorer now?

3. Once I do so, I will just use and monitor my computer as normal and see how the system behaves for a day or two. After that, could I come back and post an update so I should be able to give you a big thumbs up on helping me get rid of any sign of infection on my computer?

Thankfully,

CC Girl



