
Infected with Trojan:Win32/Sirefef.AH


  • This topic is locked
22 replies to this topic

#1 techmini

techmini

  • Members
  • 19 posts
  • Gender:Male

Posted 06 June 2012 - 12:00 PM

Several months back my mother's netbook was infected with ZeroAccess. I was able to clean that off and it ran fine for a while. Then all the icons on the desktop disappeared again, there is no network (wired or wireless) and after every reboot Microsoft Security Essentials detects and quarantines an instance of Trojan:Win32/Sirefef.AH. Nothing else has been detected in the past month.

I followed the prep guide but DDS would freeze the whole computer after displaying 50 #'s. So, sorry, no DDS.txt or Attach.txt.

GMER finished and the ark.txt file is attached. However, there was a problem running GMER. I got the following error:

LoadDriver ( "C:\DOCUME~1\Lou\LOCALS~1\Temp\uxloakow.sys" ) error 0xC000010E: Cannot create a stable subkey under a volatile parent key.


Also, when the GMER window opened, only Services, Registry, Files and ADS could be selected.

Attached Files

  • Attached File  ark.txt   829 bytes   2 downloads

Edited by techmini, 06 June 2012 - 01:45 PM.



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 08 June 2012 - 08:29 PM

Hi,

Please run the following:

Please download Unhide.exe to your desktop:
  • Double-click on the Unhide.exe icon on your desktop and allow the program to run.
  • This program will remove the hidden attributes from all the files on your system.
  • Note: If you had purposely hidden any files, then you will need to hide them again after this tool has run.


NEXT


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /rp /s
    DRIVES
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
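The custom scan above makes OTL write a text log, and what the responder then does is read it for a handful of patterns. As an added example (it is not part of this thread, of OTL or of Unhide), here is a Python triage script that reads an OTL log and flags the entries a responder checks first in a Sirefef/ZeroAccess case: auto-start services whose binary is gone, netsvcs group names that are not part of Windows XP, Run keys that launch from a missing file or from a service-account profile, Winsock catalog entries whose provider DLL could not be found (which matches the lost networking), clusters of identical At*.job tasks, and anything appended to the Winlogon Shell/UserInit values. Two things in it are my own assumptions rather than facts from the page: the `XP_NETSVCS` baseline of netsvcs names a stock XP SP3 carries, and `SAMPLE_LOG`, a constructed excerpt written in OTL's line format.

```python
"""Triage an OTL log for the indicators a responder checks first.

Added example for this thread; it is not part of OTL, Unhide or any poster's
reply. Labelled assumptions: XP_NETSVCS is my own baseline of the service names
a stock Windows XP SP3 carries in its netsvcs group, and SAMPLE_LOG is a
constructed excerpt written in OTL's line format.
"""
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail line")

# Assumed baseline (not from the page): netsvcs members that ship with XP SP3.
# A baseline name reported "File not found" is usually an optional component
# that was never installed; a name outside the baseline deserves a look.
XP_NETSVCS = {n.lower() for n in """
6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem
FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer
LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent
Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService
Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wuauserv BITS
ShellHWDetection helpsvc uploadmgr xmlprov wscsvc""".split()}

SERVICE_ACCOUNT_PROFILES = ("\\networkservice\\", "\\localservice\\")
EXPECTED_WINLOGON = {"shell": "explorer.exe", "userinit": "userinit.exe"}

_SRV_MISSING = re.compile(r"^SRV - File not found \[(?P<start>[^|\]]+) \| [^\]]*\] -- (?P<path>.*?) -- \((?P<name>[^)]+)\)\s*$")
_NETSVC = re.compile(r"^NetSvcs: (?P<name>\S+) - (?P<rest>.*)$")
_RUN = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<rest>.*)$")
_LSP_MISSING = re.compile(r"^O10 - Protocol_Catalog9\\Catalog_Entries\\\d+ - (?P<dll>\S+) File not found\s*$")
_AT_JOB = re.compile(r"\| (?P<size>[\d,]+) \|.*-- (?P<path>.*\\tasks\\At\d+\.job)\s*$", re.I)
_WINLOGON = re.compile(r"^O20 - HKLM Winlogon: (?P<key>Shell|UserInit) - \((?P<value>[^)]*)\) - ")


def triage(log_text):
    """Return a list of Finding records for the suspicious entries in an OTL log."""
    findings, at_jobs, lsp_missing = [], {}, 0
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _SRV_MISSING.match(line)
        if m and m.group("name").lower() not in XP_NETSVCS:
            # An auto-start service whose binary is gone: leftover of a removed
            # component, or a service the infection registered and then hid.
            findings.append(Finding("service-no-binary",
                                    f"{m.group('name')} ({m.group('start')}) -> {m.group('path')}", line))
            continue
        m = _NETSVC.match(line)
        if m and m.group("rest").endswith("File not found") and m.group("name").lower() not in XP_NETSVCS:
            # Random names added to the svchost netsvcs group are a classic way
            # to get a DLL loaded inside a trusted svchost.exe.
            findings.append(Finding("netsvcs-unknown", m.group("name"), line))
            continue
        m = _RUN.match(line)
        if m:
            rest = m.group("rest")
            missing = rest.endswith("File not found")
            path = rest[:-len(" File not found")] if missing else re.sub(r" \([^)]*\)$", "", rest)
            if missing or any(p in path.lower() for p in SERVICE_ACCOUNT_PROFILES):
                findings.append(Finding("run-key", f"{m.group('hive')} [{m.group('label')}] -> {path}"
                                        + (" (missing)" if missing else ""), line))
            continue
        if _LSP_MISSING.match(line):
            lsp_missing += 1
            continue
        m = _AT_JOB.search(line)
        if m:
            at_jobs.setdefault(m.group("size"), []).append(m.group("path"))
            continue
        m = _WINLOGON.match(line)
        if m:
            # Shell must be exactly explorer.exe and UserInit exactly userinit.exe;
            # anything appended to either is launched at every logon.
            entries = [e.strip().split("\\")[-1].lower() for e in m.group("value").split(",") if e.strip()]
            if entries != [EXPECTED_WINLOGON[m.group("key").lower()]]:
                findings.append(Finding("winlogon", f"{m.group('key')} = {m.group('value')}", line))
    if lsp_missing:
        findings.append(Finding("winsock-lsp",
                                f"{lsp_missing} Winsock catalog entries whose provider DLL OTL could not find; "
                                "fits the lost networking. Check %SystemRoot%\\system32\\mswsock.dll on disk, "
                                "then rebuild the catalog (netsh winsock reset)", ""))
    for size, paths in at_jobs.items():
        if len(paths) >= 3:
            findings.append(Finding("at-jobs",
                                    f"{len(paths)} At*.job tasks of {int(size.replace(',', ''))} bytes; "
                                    "open them to see what they launch", ""))
    return findings


# Constructed sample in OTL's line format (not a real log from this thread).
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\atinrvxx.dll -- (xfactorae1)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [PC Health Status] C:\Documents and Settings\NetworkService\Application Data\kplmqdoi.exe File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
NetSvcs: 6to4 - File not found
NetSvcs: xfactorae1 - %systemroot%\system32\atinrvxx.dll File not found
[2012/06/08 14:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2012/06/07 22:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2012/06/06 13:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
"""

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f.kind}] {f.detail}")
```

Run it as `python otl_triage.py OTL.Txt`; with no argument it runs over the constructed sample. The script only reads the log, so it is safe to run on a copy pulled off the infected machine; it deliberately does not decide what to delete, because a missing-file service can be a harmless leftover just as easily as a hidden rootkit component, and that judgement stays with the responder.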


#3 techmini

techmini
  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male

Posted 09 June 2012 - 08:38 PM

CatByte,

Thank you for the reply.

Just to let you know, I have done a lot of malware cleanup on my own. But this one has been more stubborn than most. Hoping you can help.

While I was waiting for your reply I built a Windows Defender Offline boot USB and scanned the netbook. Windows Defender Offline detected Trojan:Win32/Tracur.AK, Trojan:Win32/Tracur.AN, Trojan:DOS/Alureon.E & Trojan:Win32/Sirefef.AH. It was able to remove everything but Alureon. When it tried to delete Alureon it gave the error: "Security Essentials encountered the following error: Error code 0x800704ec. This program is blocked by group policy. For more information, contact your system administrator." Even after multiple reboots and repeat scans, same error.


Following your directions, Unhide once again was able to restore the hidden desktop files.


Below are the results from both logs.


Thanks again, in advance, for your assistance.


OTL.Txt
========

OTL logfile created on: 6/9/2012 8:33:24 PM - Run 1
OTL by OldTimer - Version 3.2.48.0 Folder = C:\Documents and Settings\Lou\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.18 Mb Total Physical Memory | 417.80 Mb Available Physical Memory | 41.20% Memory free
2.38 Gb Paging File | 1.90 Gb Available in Paging File | 79.58% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 141.05 Gb Total Space | 117.08 Gb Free Space | 83.01% Space Free | Partition Type: NTFS

Computer Name: LOU-LAPTOP | User Name: Lou | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/09 16:35:14 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lou\Desktop\OTL.exe
PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/02/06 16:29:58 | 000,136,584 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2012/02/06 16:29:02 | 000,374,152 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2011/12/14 07:59:20 | 002,984,832 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
PRC - [2011/12/14 07:59:19 | 010,981,248 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version7\TeamViewer.exe
PRC - [2011/12/14 07:41:55 | 000,116,608 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version7\tv_w32.exe
PRC - [2011/09/16 15:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2011/09/16 15:10:50 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2009/04/30 23:13:34 | 000,092,696 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\PersistenceThread.exe
PRC - [2009/02/19 21:52:20 | 000,817,672 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2009/02/11 18:46:28 | 000,565,248 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer VCM\AcerVCM.exe
PRC - [2009/02/05 11:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer VCM\RS_Service.exe
PRC - [2008/10/17 13:44:58 | 000,091,432 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/25 10:34:58 | 000,082,608 | ---- | M] (Lexmark International Inc.) -- C:\Program Files\Lexmark 3400 Series\ezprint.exe
PRC - [2007/06/25 10:34:56 | 000,291,504 | ---- | M] () -- C:\Program Files\Lexmark 3400 Series\lxcymon.exe
PRC - [2007/06/20 06:28:56 | 000,537,264 | ---- | M] ( ) -- C:\WINDOWS\system32\lxcycoms.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/03 11:28:36 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2008/04/14 08:00:00 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2008/04/14 08:00:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2007/06/25 10:34:56 | 000,291,504 | ---- | M] () -- C:\Program Files\Lexmark 3400 Series\lxcymon.exe
MOD - [2007/03/16 06:38:26 | 000,117,760 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lxcypp5c.dll
MOD - [2006/08/08 15:54:18 | 000,278,528 | ---- | M] () -- C:\Program Files\Lexmark 3400 Series\lxcyscw.dll
MOD - [2006/05/25 16:20:44 | 000,241,664 | ---- | M] () -- C:\Program Files\Lexmark 3400 Series\iptk.dll
MOD - [2006/02/13 09:04:20 | 000,143,360 | ---- | M] () -- C:\Program Files\Lexmark 3400 Series\lxcydrec.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\atinrvxx.dll -- (xfactorae1)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\arkbcfltr.dll -- (vsserv)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\pdlnslea.dll -- (se58unic)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\SE2Bmdfl.dll -- (mcredirector)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\mountmgr.dll -- (DevUpper)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/04/13 20:11:03 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/02/06 16:29:58 | 000,136,584 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2012/02/06 16:29:02 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2011/12/14 07:59:20 | 002,984,832 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe -- (TeamViewer7)
SRV - [2011/09/16 15:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2011/07/02 10:50:42 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/28 17:57:33 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/02/05 11:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer VCM\RS_Service.exe -- (RS_Service)
SRV - [2007/06/20 06:28:56 | 000,537,264 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\system32\lxcycoms.exe -- (lxcy_device)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\RtsUCcid.sys -- (USBCCID)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\SBREdrv.sys -- (SBRE)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Rts516xIR.sys -- (RtsUIR)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Lou\LOCALS~1\Temp\mfe_rr.sys -- (RADAR)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\JiangMin\Antivirus\KSysMon.sys -- (KSysMon)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Lou\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/02/06 16:29:14 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2011/09/16 15:10:50 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2011/09/16 15:10:50 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2011/08/09 17:33:58 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BANTExt.sys -- (BANTExt)
DRV - [2011/07/02 10:50:44 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/07/02 10:50:44 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 16:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/07/28 08:55:00 | 000,143,360 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/03/24 07:35:00 | 005,056,000 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/03/12 03:55:32 | 000,164,864 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - [2008/12/30 07:02:32 | 001,346,464 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/08/05 08:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2006/01/04 03:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW


IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1203367206-2969962186-2867804681-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=Z127&ocid=zdhp&install_date=20111225
IE - HKU\S-1-5-21-1203367206-2969962186-2867804681-1005\..\SearchScopes,DefaultScope = {0E1134BC-EB3C-42A2-AC57-5CD3CB79E6E0}
IE - HKU\S-1-5-21-1203367206-2969962186-2867804681-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1203367206-2969962186-2867804681-1005\..\SearchScopes\{0E1134BC-EB3C-42A2-AC57-5CD3CB79E6E0}: "URL" = http://ws.infospace.com/playsushi_tbar/ws/redir?_iceUrl=true& user_id=%userid&tool_id=60231&qkw={searchTerms}
IE - HKU\S-1-5-21-1203367206-2969962186-2867804681-1005\..\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACAW_enUS344
IE - HKU\S-1-5-21-1203367206-2969962186-2867804681-1005\..\SearchScopes\{6C59297E-BFFE-4E6A-0BF5-4187155432D8}: "URL" = http://www.bing.com/search?q={searchTerms}&pc=Z127&form=ZGAIDF&install_date=20111225&iesrc={referrer:source}
IE - HKU\S-1-5-21-1203367206-2969962186-2867804681-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Lou\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Lou\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)


[2011/12/25 17:07:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lou\Application Data\Mozilla\Extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Lou\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Lou\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Lou\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.300.12 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U30 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Lou\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll

Hosts file not found
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [CarboniteSetupLite] C:\Program Files\Carbonite\CarbonitePreinstaller.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [CCEnhancer] C:\Program Files\CCleaner\CCEnhancer.exe ()
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 3400 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [LXCYCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.DLL (Lexmark International Inc.)
O4 - HKLM..\Run: [lxcymon.exe] C:\Program Files\Lexmark 3400 Series\lxcymon.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe ()
O4 - HKLM..\Run: [PersistenceThread] C:\WINDOWS\system32\PersistenceThread.exe (Intel Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [RemoteControl8] C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.)
O4 - HKU\.DEFAULT..\Run: [PC Health Status] C:\Documents and Settings\NetworkService\Application Data\kplmqdoi.exe File not found
O4 - HKU\S-1-5-18..\Run: [PC Health Status] C:\Documents and Settings\NetworkService\Application Data\kplmqdoi.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer VCM.lnk = C:\Program Files\Acer\Acer VCM\AcerVCM.exe (Acer Incorporated)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1203367206-2969962186-2867804681-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1203367206-2969962186-2867804681-1005\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-1203367206-2969962186-2867804681-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1203367206-2969962186-2867804681-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1203367206-2969962186-2867804681-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/betapit/PCPitStop.CAB (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252806969125 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Acer\Acer VCM\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Lou\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Lou\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/15 08:46:19 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: xfactorae1 - %systemroot%\system32\atinrvxx.dll File not found
NetSvcs: mcredirector - %systemroot%\system32\SE2Bmdfl.dll File not found
NetSvcs: vsserv - %systemroot%\system32\arkbcfltr.dll File not found
NetSvcs: DevUpper - %systemroot%\system32\mountmgr.dll File not found
NetSvcs: se58unic - %systemroot%\system32\pdlnslea.dll File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/06/09 20:29:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lou\Start Menu\Programs\CyberLink PowerDVD 8
[2012/06/09 20:13:52 | 000,000,000 | ---D | C] -- C:\20120607 -- Lou Hunt Aspire One (92508520325)
[2012/06/09 16:35:14 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lou\Desktop\OTL.exe
[2012/06/08 13:28:05 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/06/08 12:27:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft Antimalware
[2012/06/07 10:09:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\Temporary Internet Files
[2012/06/07 10:09:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\Temp
[2012/06/05 13:32:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lou\Desktop\gmer
[2012/06/05 12:21:02 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Lou\Desktop\dds.scr
[2012/06/04 06:25:37 | 000,000,000 | ---D | C] -- C:\TM_Files
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/09 20:28:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/09 20:28:50 | 1063,518,208 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/09 20:12:52 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/06/09 20:12:48 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1203367206-2969962186-2867804681-1005UA.job
[2012/06/09 20:06:25 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{BC6921E7-7209-4545-8724-A540E8DAF4FC}.job
[2012/06/09 20:04:09 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/09 17:02:50 | 000,756,597 | ---- | M] () -- C:\20120607 -- Lou Hunt Aspire One (92508520325).zip
[2012/06/09 16:35:14 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lou\Desktop\OTL.exe
[2012/06/08 14:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2012/06/07 22:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2012/06/07 10:17:16 | 000,000,360 | RHS- | M] () -- C:\boot.ini
[2012/06/06 13:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2012/06/05 13:36:25 | 004,723,796 | ---- | M] () -- C:\Documents and Settings\Lou\Desktop\GMER_Err.rtf
[2012/06/05 13:05:56 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Lou\defogger_reenable
[2012/06/04 09:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2012/06/04 08:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2012/06/04 06:32:46 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2012/06/04 05:04:34 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Lou\Desktop\gmer.zip
[2012/06/04 04:52:14 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Lou\Desktop\dds.scr
[2012/06/04 04:36:22 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Lou\Desktop\Defogger.exe
[2012/05/15 19:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2012/05/15 18:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2012/05/15 17:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2012/05/15 16:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2012/05/15 15:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2012/05/15 12:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2012/05/15 11:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2012/05/15 10:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2012/05/15 07:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2012/05/15 06:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2012/05/15 05:10:02 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1203367206-2969962186-2867804681-1005Core.job
[2012/05/15 05:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2012/05/15 04:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2012/05/15 03:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2012/05/15 02:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2012/05/15 01:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2012/05/15 00:27:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2012/05/14 21:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2012/05/14 20:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/09 20:13:31 | 000,756,597 | ---- | C] () -- C:\20120607 -- Lou Hunt Aspire One (92508520325).zip
[2012/06/05 13:35:30 | 004,723,796 | ---- | C] () -- C:\Documents and Settings\Lou\Desktop\GMER_Err.rtf
[2012/06/05 13:05:56 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Lou\defogger_reenable
[2012/06/05 12:21:02 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Lou\Desktop\gmer.zip
[2012/06/05 12:21:02 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Lou\Desktop\Defogger.exe
[2012/03/21 18:29:45 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/03/21 17:57:11 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~7s9jy7g10ULr7Mr
[2012/03/21 17:57:10 | 000,000,264 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~7s9jy7g10ULr7M
[2012/03/21 17:57:05 | 000,000,328 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\7s9jy7g10ULr7M
[2011/12/31 21:29:34 | 000,000,042 | ---- | C] () -- C:\WINDOWS\InstRun.ini
[2011/12/21 21:59:15 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2011/11/30 16:45:20 | 000,000,196 | ---- | C] () -- C:\WINDOWS\System32\itlsvc.dat
[2011/11/30 14:48:46 | 000,100,926 | ---- | C] () -- C:\WINDOWS\System32\itusbcore.dat
[2011/11/27 18:26:48 | 000,012,506 | -HS- | C] () -- C:\Documents and Settings\Lou\Local Settings\Application Data\041730n6j756f472t653x1hmb4g0
[2011/11/27 18:26:48 | 000,012,506 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\041730n6j756f472t653x1hmb4g0
[2011/11/26 11:08:02 | 000,000,456 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ZaJVo0AzzzPfZI
[2011/10/20 18:10:13 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

========== LOP Check ==========

[2009/04/15 10:59:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Acer
[2009/04/15 10:05:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Acer GameZone Console
[2009/04/15 10:58:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eSobi
[2012/01/01 05:45:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Jiangmin
[2009/09/21 18:35:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
[2012/06/09 20:04:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2011/12/26 19:59:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2009/11/26 11:00:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2011/12/31 14:51:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vba32
[2009/04/15 10:59:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Acer
[2009/04/15 10:05:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Acer GameZone Console
[2012/01/01 00:51:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Jiangmin
[2009/09/11 18:29:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/04/15 10:59:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Acer
[2009/04/15 10:05:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LogMeInRemoteUser\Application Data\Acer GameZone Console
[2009/04/15 10:59:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lou\Application Data\Acer
[2012/04/01 10:08:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lou\Application Data\Acer GameZone Console
[2011/12/24 08:27:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lou\Application Data\Auslogics
[2009/09/11 22:39:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lou\Application Data\eSobi
[2011/12/25 17:09:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lou\Application Data\FCTB000060231
[2012/01/01 05:45:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lou\Application Data\Jiangmin
[2009/09/12 21:49:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lou\Application Data\OpenOffice.org
[2011/12/26 20:01:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lou\Application Data\Panda Security
[2011/12/23 18:49:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lou\Application Data\TeamViewer
[2011/12/15 19:01:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lou\Application Data\Windows Live Writer
[2009/04/15 10:59:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Acer
[2009/04/15 10:05:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\Acer GameZone Console
[2012/05/15 00:27:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
[2012/05/15 01:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At26.job
[2012/05/15 02:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At27.job
[2012/05/15 03:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At28.job
[2012/05/15 04:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At29.job
[2012/05/15 05:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At30.job
[2012/05/15 06:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At31.job
[2012/05/15 07:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At32.job
[2012/06/04 08:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At33.job
[2012/06/04 09:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At34.job
[2012/05/15 10:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At35.job
[2012/05/15 11:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At36.job
[2012/05/15 12:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At37.job
[2012/06/06 13:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At38.job
[2012/06/08 14:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At39.job
[2012/05/15 15:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At40.job
[2012/05/15 16:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At41.job
[2012/05/15 17:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At42.job
[2012/05/15 18:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At43.job
[2012/05/15 19:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At44.job
[2012/05/14 20:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At45.job
[2012/05/14 21:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At46.job
[2012/06/07 22:00:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At47.job
[2012/06/04 06:32:46 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\At48.job
[2012/06/09 20:06:25 | 000,000,418 | ---- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{BC6921E7-7209-4545-8724-A540E8DAF4FC}.job

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/14 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/14 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/14 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 08:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/14 08:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/14 08:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %systemroot%\*. /rp /s >

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed\thard disk media
Interface type: IDE
Media Type: Fixed\thard disk media
Model: TOSHIBA MK1655GSX
Partitions: 3
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 8.00GB
Starting Offset: 1048576
Hidden sectors: 0


DeviceID: Disk #0, Partition #1
PartitionType: Installable File System
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 141.00GB
Starting Offset: 8590983168
Hidden sectors: 0


DeviceID: Disk #0, Partition #2
PartitionType: Unknown
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 0.00GB
Starting Offset: 160039960576
Hidden sectors: 0


========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB59530$] -> Error: Cannot create file handle -> Unknown point type
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction

< End of report >

Extras.Txt
========
[color="#1c2837"]
OTL Extras logfile created on: 6/9/2012 8:33:24 PM - Run 1
OTL by OldTimer - Version 3.2.48.0 Folder = C:\Documents and Settings\Lou\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.18 Mb Total Physical Memory | 417.80 Mb Available Physical Memory | 41.20% Memory free
2.38 Gb Paging File | 1.90 Gb Available in Paging File | 79.58% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 141.05 Gb Total Space | 117.08 Gb Free Space | 83.01% Space Free | Partition Type: NTFS

Computer Name: LOU-LAPTOP | User Name: Lou | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1203367206-2969962186-2867804681-1005\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\lxcycoms.exe" = C:\WINDOWS\system32\lxcycoms.exe:*:Enabled:Lexmark Communications System -- ( )
"C:\Program Files\Acer\Acer VCM\VC.exe" = C:\Program Files\Acer\Acer VCM\VC.exe:*:Disabled:Acer Video Quality Enhancement -- (Acer Incoporated)
"C:\Program Files\TeamViewer\Version7\TeamViewer.exe" = C:\Program Files\TeamViewer\Version7\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)
"C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe" = C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe:*:Enabled:Teamviewer Remote Control Service -- (TeamViewer GmbH)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{047F790A-7A2A-4B6A-AD02-38092BA63DAC}" = Acer VCM
"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{13CD417D-F1F1-4AC4-945D-FDDEB884756F}" = Microsoft Baseline Security Analyzer 2.2
"{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{183261F8-780B-4506-BE91-434C01DD010A}" = LogMeIn Rescue AVI Codec
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 30
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program
"{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = CyberLink PowerDVD 8
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1" = Auslogics BoostSpeed
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84713778-D9A9-4130-A811-DF3187827B05}" = LogMeIn
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = USB2.0 Card Reader Software
"{976475B8-63E9-4559-BE2C-D26086BE4C40}" = LogMeIn
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}" = Acer Crystal Eye webcam 2.2.0.2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{C9EAEE6B-741F-421D-B9CE-9FA300DA92AD}_is1" = Super Mario Bros. X version 1.3
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Acer Screensaver" = Acer ScreenSaver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Belarc Advisor" = Belarc Advisor 8.2
"Carbonite Setup Lite" = Carbonite Online Backup Setup
"CCleaner" = CCleaner
"CleanUp!" = CleanUp!
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Cook'n Collection" = Cook'n Collection
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"HD Tune_is1" = HD Tune 2.55
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallShield_{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
"InstallShield_{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = CyberLink PowerDVD 8
"Lexmark 3400 Series" = Lexmark 3400 Series
"LManager" = Launch Manager
"LPCO" = Intel® Graphics Media Accelerator 500
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TeamViewer 7" = TeamViewer 7
"VirusTotalUploader2.0" = VirusTotal Uploader 2.0
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Zuma Deluxe" = Zuma Deluxe
"Zuma's Revenge!" = Zuma's Revenge!

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1203367206-2969962186-2867804681-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 4/14/2012 6:09:33 PM | Computer Name = LOU-LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This network connection does not exist. 

Error - 4/14/2012 6:09:33 PM | Computer Name = LOU-LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This network connection does not exist. 

Error - 4/14/2012 6:09:34 PM | Computer Name = LOU-LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This network connection does not exist. 

Error - 4/14/2012 6:09:34 PM | Computer Name = LOU-LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This network connection does not exist. 

Error - 4/14/2012 6:09:36 PM | Computer Name = LOU-LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This network connection does not exist. 

Error - 4/14/2012 6:09:37 PM | Computer Name = LOU-LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This network connection does not exist. 

Error - 4/14/2012 6:09:37 PM | Computer Name = LOU-LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This network connection does not exist. 

Error - 4/14/2012 6:09:38 PM | Computer Name = LOU-LAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
[size="2"] with error: This network connection does not exist. [/size]
[size="2"] [/size]
[size="2"]Error - 4/14/2012 6:09:38 PM | Computer Name = LOU-LAPTOP | Source = crypt32 | ID = 131080[/size]
[size="2"]Description = Failed auto update retrieval of third-party root list sequence number[/size]
[size="2"] from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>[/size]
[size="2"] with error: This network connection does not exist. [/size]
[size="2"] [/size]
[size="2"]Error - 4/22/2012 8:16:13 AM | Computer Name = LOU-LAPTOP | Source = crypt32 | ID = 131080[/size]
[size="2"]Description = Failed auto update retrieval of third-party root list sequence number[/size]
[size="2"] from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>[/size]
[size="2"] with error: This operation returned because the timeout period expired. [/size]
[size="2"] [/size]
[size="2"]Error - 4/27/2012 3:02:01 AM | Computer Name = LOU-LAPTOP | Source = MPSampleSubmission | ID = 5000[/size]
[size="2"]Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 4.0.1526.0,[/size]
[size="2"] P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.[/size]
[size="2"] [/size]
[size="2"]Error - 4/27/2012 3:02:25 AM | Computer Name = LOU-LAPTOP | Source = Microsoft Security Client | ID = 5000[/size]
[size="2"]Description = [/size]
[size="2"] [/size]
[size="2"][ System Events ][/size]
[size="2"]Error - 6/9/2012 8:30:22 PM | Computer Name = LOU-LAPTOP | Source = Service Control Manager | ID = 7023[/size]
[size="2"]Description = The Uagp35 service terminated with the following error: %%126[/size]
[size="2"] [/size]
[size="2"]Error - 6/9/2012 8:30:22 PM | Computer Name = LOU-LAPTOP | Source = Service Control Manager | ID = 7023[/size]
[size="2"]Description = The Nsm1mdfl service terminated with the following error: %%126[/size]
[size="2"] [/size]
[size="2"]Error - 6/9/2012 8:30:23 PM | Computer Name = LOU-LAPTOP | Source = Service Control Manager | ID = 7023[/size]
[size="2"]Description = The Ssfs0509 service terminated with the following error: %%126[/size]
[size="2"] [/size]
[size="2"]Error - 6/9/2012 8:30:23 PM | Computer Name = LOU-LAPTOP | Source = Service Control Manager | ID = 7023[/size]
[size="2"]Description = The Sqlserveragent service terminated with the following error: %%126[/size]
[size="2"] [/size]
[size="2"]Error - 6/9/2012 8:30:23 PM | Computer Name = LOU-LAPTOP | Source = Service Control Manager | ID = 7026[/size]
[size="2"]Description = The following boot-start or system-start driver(s) failed to load:[/size]
[size="2"] SBRE[/size]
[size="2"] [/size]
[size="2"]Error - 6/9/2012 8:39:09 PM | Computer Name = LOU-LAPTOP | Source = Microsoft Antimalware | ID = 2001[/size]
[size="2"]Description = %%860 has encountered an error trying to update signatures. New Signature[/size]
[size="2"] Version: Previous Signature Version: 1.125.655.0 Update Source: %%859 Update Stage:[/size]
[size="2"] %%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803[/size]
[size="2"]
[/size]
[size="2"] User:[/size]
[size="2"] NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8304.0 Error[/size]
[size="2"] code: 0x8024402c Error description: An unexpected problem occurred while checking[/size]
[size="2"] for updates. For information on installing or troubleshooting updates, see Help[/size]
[size="2"] and Support. [/size]
[size="2"] [/size]
[size="2"]Error - 6/9/2012 8:39:09 PM | Computer Name = LOU-LAPTOP | Source = Microsoft Antimalware | ID = 2001[/size]
[size="2"]Description = %%860 has encountered an error trying to update signatures. New Signature[/size]
[size="2"] Version: Previous Signature Version: 1.125.655.0 Update Source: %%851 Update Stage:[/size]
[size="2"] %%852 Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.8304.0&avdelta=1.125.655.0&asdelta=1.125.655.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094[/size]
[size="2"]
[/size]
[size="2"] Signature[/size]
[size="2"] Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:[/size]
[size="2"] Previous Engine Version: 1.1.8304.0 Error code: 0x80072ee7 Error description: The[/size]
[size="2"] server name or address could not be resolved [/size]
[size="2"] [/size]
[size="2"]Error - 6/9/2012 8:39:09 PM | Computer Name = LOU-LAPTOP | Source = Microsoft Antimalware | ID = 2001[/size]
[size="2"]Description = %%860 has encountered an error trying to update signatures. New Signature[/size]
[size="2"] Version: Previous Signature Version: 1.125.655.0 Update Source: %%851 Update Stage:[/size]
[size="2"] %%852 Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.8304.0&avdelta=1.125.655.0&asdelta=1.125.655.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094[/size]
[size="2"]
[/size]
[size="2"] Signature[/size]
[size="2"] Type: %%801 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:[/size]
[size="2"] Previous Engine Version: 1.1.8304.0 Error code: 0x80072ee7 Error description: The[/size]
[size="2"] server name or address could not be resolved [/size]
[size="2"] [/size]
[size="2"]Error - 6/9/2012 8:39:09 PM | Computer Name = LOU-LAPTOP | Source = Microsoft Antimalware | ID = 2001[/size]
[size="2"]Description = %%860 has encountered an error trying to update signatures. New Signature[/size]
[size="2"] Version: Previous Signature Version: 1.125.655.0 Update Source: %%851 Update Stage:[/size]
[size="2"] %%852 Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.8304.0&avdelta=1.125.655.0&asdelta=1.125.655.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094[/size]
[size="2"]
[/size]
[size="2"] Signature[/size]
[size="2"] Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:[/size]
[size="2"] Previous Engine Version: 1.1.8304.0 Error code: 0x80072ee7 Error description: The[/size]
[size="2"] server name or address could not be resolved [/size]
[size="2"] [/size]
[size="2"]Error - 6/9/2012 8:39:09 PM | Computer Name = LOU-LAPTOP | Source = Microsoft Antimalware | ID = 2001[/size]
[size="2"]Description = %%860 has encountered an error trying to update signatures. New Signature[/size]
[size="2"] Version: Previous Signature Version: 1.125.655.0 Update Source: %%851 Update Stage:[/size]
[size="2"] %%852 Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.8304.0&avdelta=1.125.655.0&asdelta=1.125.655.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094[/size]
[size="2"]
[/size]
[size="2"] Signature[/size]
[size="2"] Type: %%801 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:[/size]
[size="2"] Previous Engine Version: 1.1.8304.0 Error code: 0x80072ee7 Error description: The[/size]
[size="2"] server name or address could not be resolved [/size]
[size="2"] [/size]
[size="2"] [/size]
[size="2"]< End of report >[/size][size=2]
[/size][/color]

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:41 PM

Posted 09 June 2012 - 09:08 PM

Hi,

while we're working together, please don't fix anything more on your own or it could cause some issues with what I'm asking you to do as well (I have a particular method of malware removal that I use, relying on what I see in the logs, so if that is changed, then it could alter what needs fixing)

thanks

please run the following

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    O4 - HKU\.DEFAULT..\Run: [PC Health Status] C:\Documents and Settings\NetworkService\Application Data\kplmqdoi.exe File not found
    O4 - HKU\S-1-5-18..\Run: [PC Health Status] C:\Documents and Settings\NetworkService\Application Data\kplmqdoi.exe File not found
    [2012/06/09 20:13:52 | 000,000,000 | ---D | C] -- C:\20120607 -- Lou Hunt Aspire One (92508520325)
    [2012/06/09 17:02:50 | 000,756,597 | ---- | M] () -- C:\20120607 -- Lou Hunt Aspire One (92508520325).zip
    [2012/03/21 17:57:11 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~7s9jy7g10ULr7Mr
    [2012/03/21 17:57:10 | 000,000,264 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~7s9jy7g10ULr7M
    [2012/03/21 17:57:05 | 000,000,328 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\7s9jy7g10ULr7M
    [2011/11/27 18:26:48 | 000,012,506 | -HS- | C] () -- C:\Documents and Settings\Lou\Local Settings\Application Data\041730n6j756f472t653x1hmb4g0
    [2011/11/27 18:26:48 | 000,012,506 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\041730n6j756f472t653x1hmb4g0
    [2011/11/26 11:08:02 | 000,000,456 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ZaJVo0AzzzPfZI
    
    
    :files
    C:\WINDOWS\tasks\At*.job
    rmdir C:\WINDOWS\$NtUninstallKB59530$ /c
    ipconfig /flushdns /c
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log


NEXT


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 techmini

techmini
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 10 June 2012 - 02:18 PM

CatByte,

Thanks for working with me. I completely understand about not doing anything outside of your instructions. I will be patient and work strictly by your direction. I was just letting you know what I had already done prior to us starting. Hopefully one day I will be a Malware Response Team member like yourself. I have a passion to fight malware as well.

Completed your instructions with some issues.

  • When I ran OTL, MSE had a brief popup about a detection that I couldn't read in time before it went away.
    • MSE real-time protection was already disabled but this pop up led me to believe it was active so I went in to MSE and clicked the check box on by mistake.
    • OTL did not produce a log file.
  • ComboFix locked up the computer.
    • When ComboFix started MSE real-time was active but it gave me a warning before it continued so I disabled it then continued.
    • It never went past line However, .... in console.
    • It displayed a dialog window that "Rootkit is detected. Be patient as this may take some moments."
    • When I clicked OK it locked up the computer.
    • After reboot I checked and no C:\ComboFix.txt was created

BTW, if we could focus on why the network is not working, this would go a lot faster. I have to transfer files from my laptop to a USB drive to the netbook. Then after results are done I copy back to USB but don't directly put in my laptop, just in case malware infects USB drive. So I put in a 3rd PC booted with UBCD4WIN where I copy text files to local hard drive, reformat USB drive then copy files back. Finally putting them back on my laptop so I can post to this forum. This of course is a lot more work than if I could just post directly to forum.

Thanks again for all your help.

Edited by techmini, 10 June 2012 - 02:25 PM.


#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:41 PM

Posted 10 June 2012 - 02:22 PM

OK,

Please delete the copy of combofix that you have on your desktop and download a fresh copy, but rename it to svchost.exe before saving it. Now boot into safe mode and run it from safe mode.

ComboFix


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 techmini

techmini
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 10 June 2012 - 02:29 PM

Boy you are quick. In the time it took to update my last post with some additional info you had already replied. THANKS!

This is what I added:

BTW, if we could focus on why the network is not working, this would go a lot faster. I have to transfer files from my laptop to a USB drive to the netbook. Then after results are done I copy back to USB but don't directly put in my laptop, just in case malware infects USB drive. So I put in a 3rd PC booted with UBCD4WIN where I copy text files to local hard drive, reformat USB drive then copy files back. Finally putting them back on my laptop so I can post to this forum. This of course is a lot more work than if I could just post directly to forum.
Thanks again for all your help.



I will be away for a few hours and will perform your last instructions when I get back.

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:41 PM

Posted 10 June 2012 - 02:32 PM

OK

let's see if we can find why there is no connection:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 techmini

techmini
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 10 June 2012 - 08:24 PM

CatByte,


Thanks for looking into the network issue first. Looks like NetBIOS (NetBT.sys) was infected by Sirefef and later removed. I have a pretty good idea how to fix that, but I will wait for your directions.


Farbar Service Scanner Version: 09-06-2012
Ran by Lou (administrator) on 10-06-2012 at 20:23:57
Running from "C:\Documents and Settings\Lou\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open NetBt registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error: Yahoo IP is unreachable
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

ATTENTION!=====> C:\WINDOWS\system32\Drivers\netbt.sys FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit


**** End of log ****

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:41 PM

Posted 10 June 2012 - 08:42 PM

Hi,

We need to find a replacement for NetBt.sys

please do the following:

Please run Farbar Service Scanner.
Type the following in the edit box after "Search:".

netbt.sys

Click Search Files button and post the log (FSS.txt) it makes to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 techmini

techmini
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 10 June 2012 - 09:12 PM

CatByte,

Below are the results of the search for netbt.sys. Seems to be clean per MD5 check on VirusTotal. There is also a C:\i386\NETBT.SY_ which has MD5 of 5283d951fe9596543e17457b6bae87f9, modified 4/14/2008 and created 8/3/2008. It seems to be clean per VirusTotal as well.


Farbar Service Scanner Version: 09-06-2012
Ran by Lou (administrator) on 10-06-2012 at 21:50:51
Microsoft Windows XP Home Edition Service Pack 3 (X86)

************************************************
======== Search: "netbt.sys" =========

C:\WINDOWS\system32\dllcache\netbt.sys
[2009-04-15 09:23] - [2008-04-14 08:00] - 0162816 ___AC (Microsoft Corporation) 74B2B2F5BEA5E9A3DC021D685551BD3D

====== End Of Search ======

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:41 PM

Posted 10 June 2012 - 10:10 PM

OK

let's place a copy of that file where it needs to be, then run a reg fix

please run the following batch

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following text inside the codebox into Notepad:

@echo off
copy C:\WINDOWS\system32\dllcache\netbt.sys C:\WINDOWS\system32\Drivers\netbt.sys
del %0

Save the file as "copy.bat". Make sure to save it with the quotes.

Save it as file type "all files", save it to your desktop.

Double click on "copy.bat" to run it.

A small black window will flash, this is normal.


Now please run the following:


Following steps involve registry editing. Please create new restore point before proceeding
How to: http://support.microsoft.com/kb/948247


Click WinKey + R to open a run box > type notepad into the open run box > OK > this will open Notepad

Click Format and make certain that Word Wrap is NOT checked.

Copy/Paste the text inside of the code box into the open Notepad


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"Bind"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,\
  00,69,00,70,00,5f,00,7b,00,45,00,36,00,44,00,33,00,31,00,34,00,43,00,43,00,\
  2d,00,39,00,43,00,31,00,35,00,2d,00,34,00,35,00,46,00,46,00,2d,00,39,00,41,\
  00,39,00,43,00,2d,00,46,00,35,00,32,00,34,00,35,00,42,00,41,00,36,00,45,00,\
  41,00,42,00,37,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,\
  00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,31,00,35,00,37,00,34,00,42,00,\
  36,00,36,00,36,00,2d,00,39,00,34,00,30,00,45,00,2d,00,34,00,41,00,41,00,31,\
  00,2d,00,38,00,45,00,33,00,42,00,2d,00,33,00,31,00,30,00,32,00,44,00,44,00,\
  33,00,39,00,42,00,42,00,43,00,31,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,\
  00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,41,00,32,00,\
  37,00,34,00,44,00,35,00,42,00,38,00,2d,00,36,00,34,00,42,00,46,00,2d,00,34,\
  00,41,00,46,00,34,00,2d,00,39,00,43,00,45,00,31,00,2d,00,43,00,38,00,37,00,\
  34,00,35,00,31,00,31,00,38,00,41,00,35,00,36,00,32,00,7d,00,00,00,00,00
"Route"=hex(7):22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,45,\
  00,36,00,44,00,33,00,31,00,34,00,43,00,43,00,2d,00,39,00,43,00,31,00,35,00,\
  2d,00,34,00,35,00,46,00,46,00,2d,00,39,00,41,00,39,00,43,00,2d,00,46,00,35,\
  00,32,00,34,00,35,00,42,00,41,00,36,00,45,00,41,00,42,00,37,00,7d,00,22,00,\
  00,00,22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,4e,00,64,00,69,\
  00,73,00,57,00,61,00,6e,00,49,00,70,00,22,00,00,00,00,00
"Export"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,\
  00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,45,00,36,00,\
  44,00,33,00,31,00,34,00,43,00,43,00,2d,00,39,00,43,00,31,00,35,00,2d,00,34,\
  00,35,00,46,00,46,00,2d,00,39,00,41,00,39,00,43,00,2d,00,46,00,35,00,32,00,\
  34,00,35,00,42,00,41,00,36,00,45,00,41,00,42,00,37,00,7d,00,00,00,5c,00,44,\
  00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,\
  54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,31,00,35,00,37,00,34,00,42,00,36,\
  00,36,00,36,00,2d,00,39,00,34,00,30,00,45,00,2d,00,34,00,41,00,41,00,31,00,\
  2d,00,38,00,45,00,33,00,42,00,2d,00,33,00,31,00,30,00,32,00,44,00,44,00,33,\
  00,39,00,42,00,42,00,43,00,31,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,\
  63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,\
  00,70,00,5f,00,7b,00,41,00,32,00,37,00,34,00,44,00,35,00,42,00,38,00,2d,00,\
  36,00,34,00,42,00,46,00,2d,00,34,00,41,00,46,00,34,00,2d,00,39,00,43,00,45,\
  00,31,00,2d,00,43,00,38,00,37,00,34,00,35,00,31,00,31,00,38,00,41,00,35,00,\
  36,00,32,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{1574B666-940E-4AA1-8E3B-3102DD39BBC1}]
"NameServerList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{A274D5B8-64BF-4AF4-9CE1-C8745118A562}]
"NameServerList"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{E6D314CC-9C15-45FF-9A9C-F5245BA6EAB7}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000
"DhcpNameServerList"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,31,\
  00,33,00,33,00,2e,00,32,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
  00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
  00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
  01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

Posted Image

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.



Now reboot and let me know if you can now connect

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
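The hex(2)/hex(7) blobs in the fixme.reg above are UTF-16LE strings (ImagePath, the Tcpip dependency, the Linkage bindings), and it is worth decoding them and confirming the service key sets the driver up as intended before merging. The following is an added example in Python, not code from this thread or from CatByte; it embeds a shortened, constructed copy of the posted fixme.reg as sample input, and the expected values (kernel driver, system start, system32\DRIVERS\netbt.sys, depends on Tcpip) are taken from the fix above.

```python
"""Decode and check the NetBT service key of a .reg fix before merging it.
Added example for this thread, not the thread's own code; the expected values
(kernel driver, system start, netbt.sys under DRIVERS, depends on Tcpip) are
taken from the fixme.reg posted above."""
import re

# Constructed sample: the service and Parameters keys of the posted fixme.reg,
# shortened to the values decoded here (Linkage, Security and Enum are omitted).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NameServerPort"=dword:00000089
"TransportBindName"="\\Device\\"
'''

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def _join_continuations(text):
    """Join lines ending in a backslash: regedit wraps long hex values that way."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        lines.append(line)
    if pending:
        lines.append(pending)
    return lines

def decode_value(data):
    """Turn the right-hand side of a .reg value line into (type name, Python value)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1])   # \\ -> \ and \" -> "
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m is None:
        raise ValueError("unsupported value syntax: " + data)
    kind = int(m.group(1) or 3)                              # bare hex: is REG_BINARY
    raw = bytes(int(h, 16) for h in m.group(2).split(",") if h)
    if kind == 2:   # REG_EXPAND_SZ: UTF-16LE text with a terminating NUL
        return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00")
    if kind == 7:   # REG_MULTI_SZ: NUL-separated UTF-16LE strings, double NUL at the end
        return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return "REG_BINARY", raw

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' file into {key: {name: (type, value)}}."""
    lines = _join_continuations(text.lstrip("\ufeff"))
    if not lines or lines[0] != "Windows Registry Editor Version 5.00":
        raise ValueError("not a REGEDIT5 file")
    keys, current = {}, None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("unparseable line: " + line)
        name = m.group(1) if m.group(1) is not None else "@"
        keys[current][name] = decode_value(m.group(2))
    return keys

NETBT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT"
EXPECTED_NETBT = {
    "Type": ("REG_DWORD", 1),                                        # SERVICE_KERNEL_DRIVER
    "Start": ("REG_DWORD", 1),                                       # SERVICE_SYSTEM_START
    "ImagePath": ("REG_EXPAND_SZ", r"system32\DRIVERS\netbt.sys"),
    "DependOnService": ("REG_MULTI_SZ", ["Tcpip"]),
}

def check_netbt_fix(reg_text):
    """Return the mismatches in the NetBT service key; an empty list means it matches."""
    values = parse_reg(reg_text).get(NETBT_KEY)
    if values is None:
        return ["service key %s is not in the file" % NETBT_KEY]
    problems = []
    for name, expected in EXPECTED_NETBT.items():
        got = values.get(name)
        if got is None:
            problems.append("missing value " + name)
        elif got != expected:
            problems.append("%s is %r, expected %r" % (name, got, expected))
    return problems
```

To check a file saved from Notepad as in this thread, call check_netbt_fix(open(path, encoding="utf-8-sig").read()); files exported by regedit itself are UTF-16 and need encoding="utf-16".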


#13 techmini

techmini
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 11 June 2012 - 09:26 AM

CatByte,

Network is back up. I am responding from infected machine, finally! (Don't worry this password will be changed as soon as clean up is done. I created a temp password just for use on this computer.)

Just to let you know IE and Chrome are performing poorly. I suspect due to the infection still trying to intercept communications.

Let me know next step. I'm guessing we'll pick back up with latest instructions to run ComboFix.

Thanks again for all your help!

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:41 PM

Posted 11 June 2012 - 10:04 AM

Yes,

grab a fresh copy of ComboFix and give it a run (rename it again) (delete the copy you have)

ComboFix

(If you can't get it to run, please post a fresh FRST log)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 techmini

techmini
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 13 June 2012 - 12:30 PM

CatByte,

So I rebooted in safe mode. Deleted old combofix and downloaded new as svchost.exe.

When I ran it, it ran for over a day and it stuck extracting files at

Output folder: C:\32788R22FWJFW





