
FBI Virus XP No Safe Mode


27 replies to this topic

#1 Lily93

Posted 30 April 2013 - 03:10 AM

I've been having fun with this for about 12 hours now.  I do not have the ability to go into safe mode.  I have tried to be quick enough to do it when it is loading the command prompts option, but I can't get into it before the FBI screen pops up.  

I've tried booting from Kaspersky and have tried utilizing a Hiren's CD.  That is normally a valuable tool, but it either has not been effective, or I have been trying for too long and I am messing something up.  

Thankfully, I leave my boot sequence to start from CD, so I currently have the AVG Rescue CD running.  I am really not sure what it is doing.  It appears to be scanning D instead of C.  I'm just letting it do what it wants.

What should I be looking for once this has run?  And are there any particular tools that I should use after it?

Thanks in advance for any help.  It's been a long night and I appreciate any suggestions. :)

 




#2 gringo_pr

Malware Response Team
Posted 30 April 2013 - 03:16 AM


Hello

Let's see if we can get this to run:
  • Download OTLPE from either location and save it to your desktop:

    http://oldtimer.geekstogo.com/OTLPEStd.exe
    http://ottools.noahdfear.net/OTLPEStd.exe
  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPE Iso to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click imgbrn.png to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first

    Note: for information, click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press "OK"
  • OTL should now start.
  • Push runscanbutton.png
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your next reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
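Once the OTL.txt from the steps above is in hand, the entries worth reading first are the O20 Winlogon lines and the O4 Run-key lines. The following is an added example (not OTL's code and not anything posted in this thread) that parses those two line types in the format OTL prints and flags a Winlogon Shell that is no longer Explorer.exe, autostarts from per-user data folders that carry no company name, and orphaned entries; the sample lines are constructed in OTL's format, and the Shell line mirrors the one in the log posted later in this thread.

```python
"""Triage the O4 (Run keys) and O20 (Winlogon) lines of an OTL.txt log.

Added example for this thread; not code from OTL/OldTimer or from any poster.
It reads lines in the format OTL prints and reports the persistence patterns
a lock-screen infection on XP typically uses.
"""
import re
from dataclasses import dataclass

# Constructed sample lines in OTL's own format. The Winlogon Shell line mirrors
# the entry in the log posted later in this thread; the rest are ordinary entries.
SAMPLE_OTL = r"""O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [nwiz]  File not found
O4 - HKU\selena_ON_C..\Run: [icq] C:\Documents and Settings\selena\Application Data\ICQM\icq.exe (ICQ)
O4 - HKU\selena_ON_C..\Run: [F.lux] C:\Documents and Settings\selena\Local Settings\Apps\F.lux\flux.exe ()
O20 - HKLM Winlogon: Shell - (regsvr32 /n /i /s "C:\Documents and Settings\selena\Local Settings\Application Data\kwlpaal.mvg") - C:\WINDOWS\System32\regsvr32.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) -  File not found
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "review" or "orphan"
    kind: str      # "O4" or "O20"
    subject: str   # Run-key value name or Winlogon value name
    reason: str


# "O4 - <hive>..\Run: [<name>] <path (company)|File not found>"
RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$')
# "O20 - HKLM Winlogon: <value> - (<data>) - <path (company)|File not found>"
WINLOGON_RE = re.compile(r'^O20 - HKLM Winlogon: (?P<value>\w+) - \((?P<data>.*?)\) - (?P<rest>.*)$')
# OTL ends a resolved entry with the file's company name in parentheses, "()" if none.
TARGET_RE = re.compile(r'^(?P<path>.*?)\s*\((?P<company>[^()]*)\)$')
# Autostarts living in per-user data folders deserve a look when they carry no company name.
USER_DATA_DIRS = ('\\application data\\', '\\local settings\\', '\\temp\\')


def split_target(rest):
    """Split OTL's trailing 'path (company)' into (path, company).

    Returns (None, None) when OTL reported the file as missing.
    """
    rest = rest.strip()
    if rest == 'File not found':
        return None, None
    m = TARGET_RE.match(rest)
    if not m:
        return rest, None
    return m.group('path'), m.group('company').strip()


def winlogon_is_stock(value, data):
    """True if a Winlogon value still holds its stock Windows XP content."""
    d = data.strip().strip('"').lower()
    if value == 'Shell':
        return d == 'explorer.exe'
    if value == 'Userinit':
        # stock form: C:\WINDOWS\system32\userinit.exe, (trailing comma)
        return d.rstrip(',').rsplit('\\', 1)[-1] == 'userinit.exe'
    return True  # other values (UIHost, VMApplet, ...) are not judged here


def triage(otl_text):
    """Return findings for the O4/O20 lines in an OTL log, in log order."""
    findings = []
    for line in otl_text.splitlines():
        m = WINLOGON_RE.match(line)
        if m:
            value, data = m.group('value'), m.group('data')
            path, _company = split_target(m.group('rest'))
            if not winlogon_is_stock(value, data):
                findings.append(Finding('high', 'O20', value,
                    f'Winlogon {value} is "{data}" rather than the stock value; '
                    'replacing the shell is how a lock screen takes over the desktop at logon'))
            elif path is None:
                findings.append(Finding('orphan', 'O20', value,
                    'value points at a file OTL could not find'))
            continue
        m = RUN_RE.match(line)
        if m:
            name = m.group('name') or '(blank)'
            path, company = split_target(m.group('rest'))
            if path is None:
                findings.append(Finding('orphan', 'O4', name,
                    'Run entry points at a missing file; cleanup only'))
            elif not company and any(d in path.lower() for d in USER_DATA_DIRS):
                findings.append(Finding('review', 'O4', name,
                    f'autostart from a user-profile data folder with no company name: {path}'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_OTL):
        print(f'[{f.severity:6}] {f.kind} {f.subject}: {f.reason}')
```

A "review" finding is a prompt to look at the file, not a verdict; legitimate per-user installs such as the F.lux entry above trip it too.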

#3 Lily93

Posted 30 April 2013 - 03:23 AM

Thank you so much.  I will post back when I have done that.  It seems that this AVG is going to take a long time.



#4 gringo_pr

Malware Response Team
Posted 30 April 2013 - 03:27 AM

I will be on my way home soon so I will check on you in 3-1/2 to 4 hours from now

#5 Lily93

Posted 30 April 2013 - 12:58 PM

Hey Gringo,

I ended up stopping the AVG Rescue CD.  It wasn't done after 13 hours.  I did as you instructed.  However, I did not have the option of telling it that I wanted to load remote registry.  It didn't ask.

OTL logfile created on: 4/30/2013 2:49:28 PM - Run
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 85.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.01 Gb Total Space | 3.83 Gb Free Space | 2.57% Space Free | Partition Type: NTFS
Drive D: | 465.76 Gb Total Space | 89.10 Gb Free Space | 19.13% Space Free | Partition Type: NTFS
Drive E: | 1396.60 Gb Total Space | 427.76 Gb Free Space | 30.63% Space Free | Partition Type: NTFS
Drive F: | 961.09 Mb Total Space | 0.05 Mb Free Space | 0.00% Space Free | Partition Type: FAT
Drive G: | 19.55 Mb Total Space | 6.10 Mb Free Space | 31.20% Space Free | Partition Type: FAT
Drive L: | 614.91 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet003
 
========== Win32 Services (SafeList) ==========
 
SRV - [2013/04/14 00:17:00 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/03/13 10:44:34 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/03/10 23:05:53 | 000,170,912 | ---- | M] (Oracle Corporation) [Auto] -- D:\Program Files\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2013/02/28 19:25:34 | 000,161,384 | R--- | M] (Skype Technologies) [Auto] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013/01/27 12:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/12/03 15:49:32 | 002,571,704 | ---- | M] (WIBU-SYSTEMS AG) [Auto] -- C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe -- (CodeMeter.exe)
SRV - [2012/11/19 17:03:24 | 000,489,256 | ---- | M] (Valve Corporation) [On_Demand] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/08/03 14:52:08 | 000,537,592 | ---- | M] (Cisco Systems, Inc.) [Auto] -- C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe -- (vpnagent)
SRV - [2011/09/27 15:03:28 | 000,295,192 | ---- | M] (Logitech, Inc.) [On_Demand] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2010/10/05 16:28:12 | 001,060,352 | ---- | M] () [Auto] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe -- (WDFME)
SRV - [2010/10/05 16:27:52 | 000,484,352 | ---- | M] () [Auto] -- C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe -- (WDSC)
SRV - [2010/10/05 16:24:38 | 000,237,056 | ---- | M] (WDC) [Auto] -- C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe -- (WDDMService)
SRV - [2009/09/24 15:01:05 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/08/15 05:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2004/03/18 16:55:48 | 000,065,536 | ---- | M] (HP) [On_Demand] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] --  -- (PDCOMP)
DRV - File not found [Kernel | System] --  -- (PCIDump)
DRV - File not found [Kernel | On_Demand] --  -- (MRESP50)
DRV - File not found [Kernel | On_Demand] --  -- (MREMP50)
DRV - File not found [Kernel | System] --  -- (lbrtfdc)
DRV - File not found [Kernel | System] --  -- (i2omgmt)
DRV - File not found [Kernel | On_Demand] --  -- (FIXUSTOR)
DRV - File not found [Kernel | On_Demand] --  -- (dgderdrv)
DRV - File not found [Kernel | System] --  -- (Changer)
DRV - [2012/09/20 00:35:36 | 000,181,344 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ssudmdm.sys -- (ssudmdm) SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.)
DRV - [2012/09/20 00:35:36 | 000,083,168 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ssudbus.sys -- (dg_ssudbus) SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.)
DRV - [2012/08/03 14:38:56 | 000,023,976 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\vpnva.sys -- (vpnva)
DRV - [2012/08/03 14:38:06 | 000,057,256 | R--- | M] (Cisco Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\acsmux.sys -- (acsmux)
DRV - [2012/08/03 14:38:06 | 000,038,440 | R--- | M] (Cisco Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\acsint.sys -- (acsint)
DRV - [2011/09/02 02:31:28 | 000,039,192 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2011/09/02 02:31:20 | 000,041,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2011/09/02 02:30:58 | 000,012,184 | ---- | M] (Logitech, Inc.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2009/11/14 15:49:54 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2009/11/08 23:21:18 | 000,059,388 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2008/08/01 19:36:26 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/08/01 19:36:20 | 000,054,784 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008/05/06 17:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2006/09/21 16:39:16 | 000,105,344 | R--- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\nvata.sys -- (nvata)
DRV - [2006/09/21 15:39:16 | 000,105,344 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\WINDOWS\System32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2006/09/12 22:27:00 | 004,381,184 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/09/08 21:35:50 | 000,048,640 | ---- | M] (Belkin) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2004/11/09 17:32:10 | 000,021,968 | ---- | M] (EnTech Taiwan) [Kernel | System] -- C:\WINDOWS\system32\drivers\PStrip.sys -- (PStrip)
DRV - [2002/11/20 19:45:50 | 000,002,218 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\vncdrv.sys -- (vncdrv)
DRV - [2001/12/19 12:45:00 | 000,008,576 | ---- | M] (Microsoft Corporation) [File_System | System] -- C:\WINDOWS\system32\drivers\VCdRom.sys -- (vcdrom)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-AREA51-7500-R5&ai=636E3D33353932323126706F3D35303237383441
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\LocalService_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com
IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\NetworkService_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com
IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\QBDataServiceUser20_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com/Mothership?Comp=AWC&SysCode=PC-AREA51-7500-R5&ai=636E3D33353932323126706F3D35303237383441
IE - HKU\QBDataServiceUser20_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\selena_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\selena_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\selena_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.96
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: D:\Program Files\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: D:\Program Files\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2013/03/07 14:50:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: D:\Program Files\components [2013/04/14 00:17:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: D:\Program Files\plugins [2013/04/20 20:44:57 | 000,000,000 | ---D | M]
 
[2009/10/01 08:00:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/10/01 08:06:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eivo95fn.default\extensions
[2009/10/01 08:06:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\eivo95fn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
File not found (No name found) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
[2013/03/07 14:50:18 | 000,000,000 | ---D | M] (RoboForm Toolbar for Firefox) -- C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\FIREFOX
[2010/12/29 12:07:07 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\mozilla firefox\plugins\NPcol400.dll
[2010/12/29 12:07:07 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\mozilla firefox\plugins\NPcol500.dll
 
O1 HOSTS File: ([2009/09/24 14:46:12 | 000,000,772 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: 127.0.0.1       activate.adobe.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - No CLSID value found.
O2 - BHO: (RoboForm Toolbar Helper) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (&RoboForm Toolbar) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\selena_ON_C\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\selena_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\selena_ON_C\..\Toolbar\WebBrowser: (&RoboForm Toolbar) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AlienFX Controller] C:\Program Files\Alienware\Alienware AlienFX\AlienwareAlienFXController.exe (Alienware Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe (HP)
O4 - HKLM..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe (Hewlett-Packard)
O4 - HKLM..\Run: [iTunesHelper] D:\Program Files\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NWEReboot]  File not found
O4 - HKLM..\Run: [nwiz]  File not found
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [QuickTime Task] D:\Program Files\qttask.exe (Apple Inc.)
O4 - HKU\Administrator_ON_C..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\selena_ON_C..\Run: [AdobeBridge]  File not found
O4 - HKU\selena_ON_C..\Run: [F.lux] C:\Documents and Settings\selena\Local Settings\Apps\F.lux\flux.exe ()
O4 - HKU\selena_ON_C..\Run: [icq] C:\Documents and Settings\selena\Application Data\ICQM\icq.exe (ICQ)
O4 - HKU\selena_ON_C..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ctfmon.lnk = X:\I386\SYSTEM32\REGSVR32.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\QBDataServiceUser20_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\selena_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra Button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Show RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (Intertrust Technologies, Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1356555632250 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\cf - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} -  File not found
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} -  File not found
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} -  File not found
O20 - HKLM Winlogon: Shell - (regsvr32 /n /i /s "C:\Documents and Settings\selena\Local Settings\Application Data\kwlpaal.mvg") - C:\WINDOWS\System32\regsvr32.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) -  File not found
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") -  File not found
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll -  File not found
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll -  File not found
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll -  File not found
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll -  File not found
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll -  File not found
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll -  File not found
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll -  File not found
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll -  File not found
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll -  File not found
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll -  File not found
O24 - Desktop WallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: B:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  File not found
O29 - HKLM SecurityProviders - (msapsspc.dll) -  File not found
O29 - HKLM SecurityProviders - (schannel.dll) -  File not found
O29 - HKLM SecurityProviders - (digest.dll) -  File not found
O29 - HKLM SecurityProviders - (msnsspc.dll) -  File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/02 21:02:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2012/12/26 22:07:12 | 000,000,197 | ---- | M] () - F:\AutoRun.inf -- [ FAT ]
O32 - AutoRun File - [2010/02/24 16:07:08 | 000,000,181 | ---- | M] () - G:\autorun.inf -- [ FAT ]
O32 - AutoRun File - [2007/06/11 08:42:54 | 000,307,200 | ---- | M] (CustomCD.us) - G:\Autorun_CCD.exe -- [ FAT ]
O32 - AutoRun File - [2009/06/18 17:12:18 | 000,000,088 | R--- | M] () - L:\autorun.inf -- [ UDF ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/04/30 02:03:01 | 000,000,000 | -HSD | C] -- C:\found.001
[2013/04/27 19:22:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\selena\Desktop\prom
[2013/04/26 23:38:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\selena\Desktop\banners
[2013/04/20 20:45:05 | 000,465,280 | R--- | C] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2win32.cid
[2013/04/20 20:44:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Coupons
[2013/04/20 20:44:54 | 000,000,000 | ---D | C] -- C:\Program Files\Coupons
[2013/04/14 18:34:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\selena\My Documents\Wizards of the Coast
[2013/04/14 18:32:11 | 002,106,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_43.dll
[2013/04/14 18:32:11 | 000,527,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_7.dll
[2013/04/14 18:32:11 | 000,239,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_7.dll
[2013/04/14 18:32:11 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_5.dll
[2013/04/14 18:32:10 | 001,998,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_43.dll
[2013/04/14 18:32:10 | 001,868,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_43.dll
[2013/04/14 18:32:10 | 000,470,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_43.dll
[2013/04/14 18:32:10 | 000,248,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_43.dll
[2013/04/14 18:32:09 | 000,528,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_6.dll
[2013/04/14 18:32:09 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_6.dll
[2013/04/14 18:32:09 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_4.dll
[2013/04/14 18:32:09 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_7.dll
[2013/04/14 18:32:08 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_5.dll
[2013/04/14 18:32:08 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_5.dll
[2013/04/14 18:32:07 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_42.dll
[2013/04/14 18:32:07 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2013/04/14 18:32:06 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2013/04/14 18:32:06 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2013/04/14 18:32:05 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_41.dll
[2013/04/14 18:32:05 | 001,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll
[2013/04/14 18:32:05 | 001,846,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_41.dll
[2013/04/14 18:32:05 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_41.dll
[2013/04/14 18:32:04 | 000,517,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_4.dll
[2013/04/14 18:32:04 | 000,235,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_4.dll
[2013/04/14 18:32:04 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_3.dll
[2013/04/14 18:32:04 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_6.dll
[2013/04/14 18:32:03 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2013/04/14 18:32:03 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_40.dll
[2013/04/14 18:32:03 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_3.dll
[2013/04/14 18:32:03 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_40.dll
[2013/04/14 18:32:03 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_2.dll
[2013/04/14 18:32:02 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2013/04/14 18:32:02 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_3.dll
[2013/04/14 18:32:02 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2013/04/14 18:32:02 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_5.dll
[2013/04/14 18:32:01 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2013/04/14 18:32:01 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2013/04/14 18:32:01 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2013/04/14 18:32:01 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2013/04/14 18:32:00 | 000,507,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_1.dll
[2013/04/14 18:32:00 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_1.dll
[2013/04/14 18:32:00 | 000,065,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_0.dll
[2013/04/14 18:31:59 | 003,850,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_38.dll
[2013/04/14 18:31:59 | 001,491,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_38.dll
[2013/04/14 18:31:59 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_38.dll
[2013/04/14 18:31:59 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_4.dll
[2013/04/14 18:31:58 | 000,479,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_0.dll
[2013/04/14 18:31:58 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_0.dll
[2013/04/14 18:31:58 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_3.dll
[2013/04/14 18:31:57 | 003,786,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_37.dll
[2013/04/14 18:31:57 | 001,420,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_37.dll
[2013/04/14 18:31:57 | 000,462,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_37.dll
[2013/04/14 18:31:57 | 000,267,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_10.dll
[2013/04/14 18:31:56 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_36.dll
[2013/04/14 18:31:56 | 001,374,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_36.dll
[2013/04/14 18:31:56 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_36.dll
[2013/04/14 18:31:55 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_35.dll
[2013/04/14 18:31:55 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_35.dll
[2013/04/14 18:31:55 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_35.dll
[2013/04/14 18:31:55 | 000,267,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_9.dll
[2013/04/14 18:31:54 | 000,266,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_8.dll
[2013/04/14 18:31:54 | 000,017,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_2.dll
[2013/04/14 18:31:52 | 001,124,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_34.dll
[2013/04/14 18:31:52 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_34.dll
[2013/04/14 18:31:51 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_34.dll
[2013/04/14 18:31:51 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2013/04/14 18:31:50 | 001,123,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_33.dll
[2013/04/14 18:31:50 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_33.dll
[2013/04/14 18:31:50 | 000,261,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_7.dll
[2013/04/14 18:31:48 | 003,495,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_33.dll
[2013/04/14 18:31:48 | 000,255,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_6.dll
[2013/04/14 18:31:47 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_5.dll
[2013/04/14 18:31:46 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_31.dll
[2013/04/14 18:31:46 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_4.dll
[2013/04/14 18:31:46 | 000,236,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_3.dll
[2013/04/14 18:31:46 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_1.dll
[2013/04/14 18:31:45 | 000,230,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_2.dll
[2013/04/14 18:31:45 | 000,062,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_2.dll
[2013/04/14 18:31:45 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_1.dll
[2013/04/14 18:31:44 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_1.dll
[2013/04/14 18:31:33 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_30.dll
[2013/04/14 18:31:32 | 000,230,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_0.dll
[2013/04/14 18:31:32 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_0.dll
[2013/04/14 18:31:31 | 002,332,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_29.dll
[2013/04/14 18:31:31 | 002,323,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_28.dll
[2013/04/14 18:31:30 | 002,319,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_27.dll
[2013/04/14 18:31:30 | 000,061,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput9_1_0.dll
[2013/04/14 18:31:29 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_25.dll
[2013/04/14 18:31:29 | 002,297,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_26.dll
[2013/04/14 18:31:28 | 002,222,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_24.dll
[2013/04/14 18:31:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2013/04/13 23:46:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Steam
[2013/04/13 23:46:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Steam
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/04/30 13:37:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/04/30 13:36:22 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/04/30 01:56:18 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\NetworkService\TMP00000001700F4E84CD450611
[2013/04/29 22:11:00 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/04/29 16:44:15 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/04/29 15:35:52 | 000,055,808 | ---- | M] () -- C:\Documents and Settings\selena\Local Settings\Application Data\kwlpaal.mvg
[2013/04/29 15:35:51 | 000,055,808 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\wfjhznz.sej
[2013/04/29 15:35:51 | 000,000,583 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ctfmon.lnk
[2013/04/29 15:35:51 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2013/04/29 13:53:14 | 000,001,792 | ---- | M] () -- C:\Documents and Settings\selena\Desktop\avatar.aspx
[2013/04/29 11:36:50 | 000,163,049 | ---- | M] () -- C:\Documents and Settings\selena\Desktop\2.jpg
[2013/04/29 11:33:27 | 000,102,268 | ---- | M] () -- C:\Documents and Settings\selena\Desktop\1.jpg
[2013/04/28 04:52:48 | 000,000,032 | ---- | M] () -- C:\WINDOWS\qpg.INI
[2013/04/27 15:45:00 | 000,033,536 | ---- | M] () -- C:\Documents and Settings\selena\Desktop\21292_502286216486102_1231748412_n.jpg
[2013/04/25 22:27:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/04/21 16:05:25 | 000,000,036 | -H-- | M] () -- C:\WINDOWS\System32\f9t.dat
[2013/04/20 22:18:37 | 000,525,091 | ---- | M] () -- C:\Documents and Settings\selena\Desktop\IMG_3278.JPG
[2013/04/20 22:16:09 | 001,382,200 | ---- | M] () -- C:\Documents and Settings\selena\Desktop\IMG_3270.JPG
[2013/04/20 20:45:05 | 000,465,280 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2win32.cid
[2013/04/20 20:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Coupons
[2013/04/20 12:46:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Logitech
[2013/04/20 12:45:57 | 000,016,400 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\drivers\LNonPnP.sys
[2013/04/16 19:59:33 | 017,162,240 | ---- | M] () -- C:\Documents and Settings\selena\My Documents\test-query.mdb
[2013/04/16 16:10:55 | 000,000,064 | ---- | M] () -- C:\Documents and Settings\selena\My Documents\test-query.ldb
[2013/04/16 16:10:42 | 000,002,463 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Access.lnk
[2013/04/15 16:52:29 | 000,002,489 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
[2013/04/13 23:46:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Steam
[2013/04/11 08:37:30 | 002,928,184 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/04/11 08:33:00 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/04/04 13:30:43 | 000,002,487 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
[2013/04/02 06:33:22 | 000,237,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/04/30 01:56:18 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\NetworkService\TMP00000001700F4E84CD450611
[2013/04/29 15:35:52 | 000,055,808 | ---- | C] () -- C:\Documents and Settings\selena\Local Settings\Application Data\kwlpaal.mvg
[2013/04/29 15:35:51 | 000,055,808 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\wfjhznz.sej
[2013/04/29 15:35:51 | 000,000,583 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ctfmon.lnk
[2013/04/29 13:53:11 | 000,001,792 | ---- | C] () -- C:\Documents and Settings\selena\Desktop\avatar.aspx
[2013/04/29 11:36:50 | 000,163,049 | ---- | C] () -- C:\Documents and Settings\selena\Desktop\2.jpg
[2013/04/29 11:33:26 | 000,102,268 | ---- | C] () -- C:\Documents and Settings\selena\Desktop\1.jpg
[2013/04/27 15:44:58 | 000,033,536 | ---- | C] () -- C:\Documents and Settings\selena\Desktop\21292_502286216486102_1231748412_n.jpg
[2013/04/20 22:16:09 | 001,382,200 | ---- | C] () -- C:\Documents and Settings\selena\Desktop\IMG_3270.JPG
[2013/04/20 22:15:35 | 000,525,091 | ---- | C] () -- C:\Documents and Settings\selena\Desktop\IMG_3278.JPG
[2013/04/16 16:10:55 | 000,000,064 | ---- | C] () -- C:\Documents and Settings\selena\My Documents\test-query.ldb
[2013/03/10 03:15:32 | 000,002,560 | ---- | C] () -- C:\WINDOWS\_MSRSTRT.EXE
[2012/12/29 22:25:48 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/12/26 18:15:29 | 000,004,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2012/11/28 15:17:18 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2012/11/28 15:17:18 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2012/11/28 15:17:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2012/11/28 15:17:18 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2012/02/26 05:23:22 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/04/14 14:39:31 | 000,025,713 | ---- | C] () -- C:\WINDOWS\CSTBox.INI
[2011/04/10 15:04:47 | 000,060,304 | ---- | C] () -- C:\Documents and Settings\selena\g2mdlhlpx.exe
[2011/01/17 14:46:32 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/11/28 15:04:36 | 001,701,106 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-500793146-337190469-434494655-1005-0.dat
[2010/11/28 15:04:36 | 000,984,742 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2010/11/15 17:34:45 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2010/11/15 17:34:45 | 000,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2010/11/15 17:34:45 | 000,000,021 | ---- | C] () -- C:\WINDOWS\SurCode.INI
[2009/12/27 13:11:37 | 000,213,680 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/20 17:22:33 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/12/20 17:22:33 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/12/16 12:23:50 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\selena\Application Data\setup_ldm.iss
[2009/11/14 17:03:05 | 000,000,111 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/11/10 15:48:18 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/10/16 08:54:43 | 000,000,232 | ---- | C] () -- C:\WINDOWS\System32\RfmDat2.dat
[2009/10/02 19:55:36 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\UMonit.exe
[2009/10/02 19:55:36 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\ustor.dll
[2009/10/01 07:58:31 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2009/09/29 10:06:10 | 000,143,360 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2009/09/29 10:06:10 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2009/09/26 11:58:15 | 000,146,432 | ---- | C] () -- C:\Documents and Settings\selena\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/24 17:37:44 | 000,000,036 | -H-- | C] () -- C:\WINDOWS\System32\f9t.dat
[2009/09/24 17:04:08 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\selena\Local Settings\Application Data\fusioncache.dat
[2009/09/24 15:42:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\qpg.INI
[2009/09/24 15:38:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/09/24 14:30:22 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/09/24 14:16:19 | 000,094,289 | ---- | C] () -- C:\WINDOWS\HPHins03.dat
[2009/09/24 14:16:19 | 000,002,655 | ---- | C] () -- C:\WINDOWS\hphmdl03.dat
[2009/09/24 14:05:22 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2008/05/26 22:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 22:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/07/05 13:35:08 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/06/14 15:39:31 | 001,626,112 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2007/06/14 15:39:27 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/06/14 15:39:27 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/06/14 15:39:20 | 001,018,748 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2007/06/14 15:39:19 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/06/14 15:39:16 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/06/14 15:39:10 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/06/14 15:39:04 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2007/06/14 15:38:50 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2007/06/14 15:38:41 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2007/01/17 15:03:44 | 000,011,877 | R--- | C] () -- C:\WINDOWS\System32\drivers\TUSB3410.BIN
[2006/11/02 21:04:30 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/11/02 20:59:17 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/11/02 12:54:12 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/11/02 12:53:04 | 002,928,184 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/31 11:58:35 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/08/31 11:58:28 | 000,524,294 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/08/31 11:58:28 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/08/31 11:58:28 | 000,096,100 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/08/31 11:58:28 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/08/31 11:58:27 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/08/31 11:58:27 | 000,004,742 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/08/31 11:58:20 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/08/31 11:58:06 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/08/31 11:58:05 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/08/31 11:57:37 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll
[2005/08/31 11:57:37 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll
[2005/08/31 11:57:37 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2005/08/31 11:57:37 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2005/08/31 11:57:37 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\a1skrtc.dll
[2005/08/31 11:57:37 | 000,000,342 | ---- | C] () -- C:\WINDOWS\System32\m4rzlhd.dll
[2005/08/31 11:57:37 | 000,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
[2005/08/31 11:57:37 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2005/08/31 11:57:37 | 000,000,016 | -H-- | C] () -- C:\WINDOWS\System32\bwi1zn4.dll
[2005/08/31 11:57:24 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/08/31 11:57:13 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/08/31 11:56:39 | 000,002,372 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/06/07 00:32:52 | 000,009,505 | ---- | C] () -- C:\WINDOWS\System32\hphmon06.dat
 
========== LOP Check ==========
 
[2013/02/11 08:42:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Amazon
[2012/08/10 21:21:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Azureus
[2013/01/08 19:53:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Canon
[2010/12/29 12:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Catalina Marketing Corp
[2012/03/25 19:36:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\com.ynab.YNAB3.LiveCaptive.9C763150EFAB05FD2A2B78705C7A54E2FCDDE07D.1
[2013/01/30 12:26:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\ElevatedDiagnostics
[2009/09/24 16:15:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\GlobalSCAPE
[2009/09/24 16:43:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\ICQ
[2012/12/19 15:18:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\ICQ-Profile
[2013/03/08 15:58:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\ICQM
[2011/03/05 20:54:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Imagenomic
[2010/05/18 09:40:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\InterTrust
[2013/04/06 18:45:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\jStrip
[2009/09/27 23:11:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Leadertech
[2011/06/03 15:31:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\NCH Swift Sound
[2013/03/10 03:28:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Notepad++
[2012/03/14 21:48:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\OpenOffice.org
[2010/04/06 13:32:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Opera
[2012/05/31 15:05:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Oracle
[2009/11/29 04:20:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Publish Providers
[2012/12/26 23:21:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\RoboForm
[2013/02/22 01:21:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Samsung
[2009/11/29 04:20:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Sony
[2012/10/05 14:16:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Stamps.com Internet Postage
[2010/12/15 09:36:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Trillian
[2011/05/03 22:18:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2013/02/02 19:14:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\uTorrent
[2010/05/11 12:20:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Western Digital
[2012/12/26 18:15:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Windows Desktop Search
[2012/12/27 02:28:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\selena\Application Data\Windows Search
[2013/03/12 20:01:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2011/01/24 10:26:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/10/29 21:01:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AMMYY
[2012/04/21 18:38:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2009/09/24 17:47:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2012/12/03 14:18:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco
[2009/11/14 17:03:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2009/09/24 16:15:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
[2010/11/15 17:34:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Minnetonka Audio Software
[2011/05/11 08:00:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2013/02/17 00:09:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Retrospect
[2009/09/24 15:55:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2012/12/27 02:09:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Samsung
[2011/05/31 00:18:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/11/29 04:10:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
[2009/11/14 17:05:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 11
[2009/09/28 13:58:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\VertusTech
[2010/05/11 12:35:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WD_SmartWareCommon
[2010/11/28 14:50:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital
[2010/01/05 09:29:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/05/22 15:49:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/30 13:54:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2012/10/05 14:15:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{80E49840-FEC9-4009-B2F2-83DD9B68A990}
[2011/09/20 14:45:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\wavepadShakeIcon.job
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 3552 bytes -> C:\WINDOWS\alienware logo_slvr.jpg:Q30lsldxJoudresxAaaqpcawXc
< End of report >
 



#6 gringo_pr


Posted 30 April 2013 - 02:16 PM


Hello Lily93

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script
  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the Custom Scans/Fixes text box.
    :OTL
    [2013/04/29 15:35:52 | 000,055,808 | ---- | M] () -- C:\Documents and Settings\selena\Local Settings\Application Data\kwlpaal.mvg
    [2013/04/29 15:35:51 | 000,055,808 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\wfjhznz.sej
    [2013/04/29 15:35:51 | 000,000,583 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ctfmon.lnk
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ctfmon.lnk = X:\I386\SYSTEM32\REGSVR32.EXE (Microsoft Corporation)
    [2013/04/29 11:36:50 | 000,163,049 | ---- | C] () -- C:\Documents and Settings\selena\Desktop\2.jpg
    [2013/04/29 11:33:26 | 000,102,268 | ---- | C] () -- C:\Documents and Settings\selena\Desktop\1.jpg
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

    Note: if the report does not pop up after the computer reboots, you can find it in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.


Let me know how things are doing.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
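The three entries the fix script above targets share a pattern a defender can check for mechanically: a freshly written item in the all-users Startup folder, plus unsigned files with random-looking names dropped straight into Application Data within seconds of it. The Python below is an added example (not part of this thread and not OTL's own code) that parses OTL-format file entries and applies those heuristics to constructed sample lines copied from the log posted earlier; the name pattern, the extension list and the 60-second correlation window are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in OTL's "Files - Modified Within 30 Days" format; the
# values are copied from the log posted earlier in this thread, not captured
# from a live system.
SAMPLE_LOG = r"""
[2013/04/29 15:35:52 | 000,055,808 | ---- | M] () -- C:\Documents and Settings\selena\Local Settings\Application Data\kwlpaal.mvg
[2013/04/29 15:35:51 | 000,055,808 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\wfjhznz.sej
[2013/04/29 15:35:51 | 000,000,583 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ctfmon.lnk
[2013/04/29 15:35:51 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2013/04/20 12:45:57 | 000,016,400 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\drivers\LNonPnP.sys
[2013/04/02 06:33:22 | 000,237,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
"""

# One OTL file entry: [date time | size | attrs | C or M] (company) -- path
# Directory entries carry no "(company)" field at all.
OTL_LINE = re.compile(
    r"^\[(?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str      # e.g. "----", "-H--", "R--D"; a trailing D marks a directory
    kind: str       # C = created, M = modified
    company: str    # empty when OTL shows "()" (no embedded company name)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.endswith("D")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_otl(text: str) -> List[Entry]:
    """Parse OTL file-entry lines; lines in any other format are ignored."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            when=datetime.strptime(m["when"], "%Y/%m/%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            kind=m["kind"],
            company=m["company"] or "",
            path=m["path"],
        ))
    return entries


STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Assumption: a short all-lowercase name with a three-letter extension that is
# not a common data-file extension is "random-looking". Heuristic only.
RANDOM_NAME = re.compile(r"^[a-z]{5,9}\.[a-z]{3}$")
COMMON_DATA_EXT = {"dat", "ini", "log", "txt", "xml", "db", "bak", "lnk", "job"}


def in_startup(e: Entry) -> bool:
    """A file (not the folder itself) inside a Start Menu Startup folder."""
    return not e.is_dir and STARTUP_DIR in e.path.lower()


def random_appdata_file(e: Entry) -> bool:
    """Unsigned file with a random-looking name sitting directly in an
    Application Data folder rather than in a vendor subfolder."""
    if e.is_dir or e.company:
        return False
    parent, _, name = e.path.lower().rpartition("\\")
    if not parent.endswith("\\application data"):
        return False
    ext = name.rsplit(".", 1)[-1]
    return bool(RANDOM_NAME.match(name)) and ext not in COMMON_DATA_EXT


def triage(text: str, window: timedelta = timedelta(seconds=60)) -> Dict[str, List[str]]:
    """Map each suspicious path to the list of reasons it was flagged."""
    entries = parse_otl(text)
    findings: Dict[str, List[str]] = {}

    def flag(e: Entry, reason: str) -> None:
        findings.setdefault(e.path, []).append(reason)

    startup_items = [e for e in entries if in_startup(e)]
    for e in startup_items:
        flag(e, "item in Startup folder, runs at every logon")
    for e in entries:
        if random_appdata_file(e):
            flag(e, "unsigned random-named file dropped directly in Application Data")
        if e.is_dir or in_startup(e):
            continue
        # Temporal correlation: anything written within `window` of a Startup item
        for s in startup_items:
            if abs(e.when - s.when) <= window:
                flag(e, f"written within {int(window.total_seconds())}s of Startup item {s.name}")
                break
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample, the two random-named blobs and the Startup .lnk are flagged while the vendor-signed driver and the Defender stub are not; running it over a full OTL log only shortlists candidates for a human to verify.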

#7 Lily93


Posted 30 April 2013 - 03:01 PM

========== OTL ==========
C:\Documents and Settings\selena\Local Settings\Application Data\kwlpaal.mvg moved successfully.
C:\Documents and Settings\All Users\Application Data\wfjhznz.sej moved successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ctfmon.lnk moved successfully.
File move failed. C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ctfmon.lnk scheduled to be moved on reboot.
File move failed. X:\I386\SYSTEM32\REGSVR32.EXE scheduled to be moved on reboot.
C:\Documents and Settings\selena\Desktop\2.jpg moved successfully.
C:\Documents and Settings\selena\Desktop\1.jpg moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
C:\cmd.bat deleted successfully.
C:\cmd.txt deleted successfully.
========== COMMANDS ==========
Error: Unable to interpret <[emptyjava]> in the current context!
 
[EMPTYFLASH]
 
User: Administrator
->Temp folder emptied: 587894 bytes
->Temporary Internet Files folder emptied: 165822 bytes
->FireFox cache emptied: 21816919 bytes
->Flash cache emptied: 385 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32983 bytes
->Flash cache emptied: 58264 bytes
 
User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 49554 bytes
 
User: NetworkService
->Temp folder emptied: 820044 bytes
->Temporary Internet Files folder emptied: 33186 bytes
 
User: QBDataServiceUser20
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: selena
->Temp folder emptied: 992406065 bytes
->Temporary Internet Files folder emptied: 306705677 bytes
->Java cache emptied: 4292068 bytes
->FireFox cache emptied: 418220633 bytes
->Google Chrome cache emptied: 124647739 bytes
->Opera cache emptied: 2259216 bytes
->Flash cache emptied: 4933770 bytes
 
Total Flash Files Cleaned = 1,790.00 mb
 
 
OTLPE by OldTimer - Version 3.1.48.0 log created on 04302013_164604
 



#8 Lily93


Posted 30 April 2013 - 03:10 PM

I removed that CD, and tried to just boot the computer normally.  It seems to have loaded windows very, very slowly.  I'm not actually sure that it is going to do anything else.  I have a blue screen and can move my cursor.  The desktop isn't loading, but neither is the FBI screen.



#9 gringo_pr


Posted 30 April 2013 - 05:20 PM

Did the desktop ever load?

Can you open Task Manager?

Ctrl - Alt - Delete


gringo

#10 Lily93 (Topic Starter)

Posted 30 April 2013 - 05:23 PM

No, the desktop never did load.  I didn't know if it was potentially bad to leave it on, so I shut down. After reading your post, I have just re-started, and can confirm that w/ c+alt+del I can open the task manager.



#11 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 30 April 2013 - 08:58 PM

open task manager and select file - new task and type in - explorer.exe

let me know if the desktop comes back

#12 Lily93 (Topic Starter)

Posted 30 April 2013 - 09:03 PM

Not the graphical icon based desktop, but I can get to my documents, etc. in WinExplorer.



#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 30 April 2013 - 09:19 PM


Hello Lily93

OK put this on a pendrive and then run it on the infected computer

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • Log from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo

#14 Lily93 (Topic Starter)

Posted 30 April 2013 - 10:47 PM

I did not encounter any problems running Combofix.  I have a graphical desktop now.  I can access the internet.  I shut down, and then restarted. I did not experience any difficulties with the re-start.  It did ask to install the Recovery Console.

ComboFix 13-04-29.01 - selena 05/01/2013   0:37.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1520 [GMT -4:00]
Running from: c:\documents and settings\selena\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\AMMYY
c:\documents and settings\All Users\Application Data\AMMYY\settings.bin
c:\documents and settings\selena\g2mdlhlpx.exe
c:\documents and settings\selena\Recent\Thumbs.db
c:\windows\system32\prsgrc.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-01 to 2013-05-01  )))))))))))))))))))))))))))))))
.
.
2013-05-01 04:32 . 2013-05-01 04:32    29904    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F084147A-0839-4BBC-A7CC-8F672987D997}\MpKsl3340f33f.sys
2013-04-30 22:19 . 2013-04-10 03:08    6906960    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F084147A-0839-4BBC-A7CC-8F672987D997}\mpengine.dll
2013-04-30 20:46 . 2011-07-13 02:55    2237440    -c--a-r-    C:\OTLPE.exe
2013-04-30 20:46 . 2013-04-30 20:46    --------    dc----w-    C:\_OTL
2013-04-30 06:03 . 2013-04-30 06:03    --------    d-----w-    C:\found.001
2013-04-29 10:21 . 2013-04-10 03:08    6906960    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-21 00:45 . 2013-04-21 00:45    465280    ----a-r-    c:\windows\system32\cpnprt2win32.cid
2013-04-21 00:44 . 2013-04-21 00:44    --------    d-----w-    c:\program files\Coupons
2013-04-20 16:46 . 2013-04-20 16:46    53248    ----a-r-    c:\documents and settings\selena\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2013-04-14 22:31 . 2008-05-30 18:17    25608    ----a-w-    c:\windows\system32\X3DAudio1_4.dll
2013-04-14 03:46 . 2013-04-14 03:46    --------    d-----w-    c:\program files\Common Files\Steam
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-20 16:45 . 2010-05-20 13:07    16400    ----a-w-    c:\windows\system32\drivers\LNonPnP.sys
2013-04-02 10:33 . 2012-12-26 23:30    237088    ------w-    c:\windows\system32\MpSigStub.exe
2013-03-13 14:44 . 2012-04-03 16:40    693976    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-03-13 14:44 . 2011-05-28 02:46    73432    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-11 03:05 . 2013-03-11 03:06    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-03-11 03:05 . 2013-03-11 03:06    143872    ----a-w-    c:\windows\system32\javacpl.cpl
2013-03-11 03:05 . 2012-05-31 19:05    861088    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-03-11 03:05 . 2010-05-03 10:34    782240    ----a-w-    c:\windows\system32\deployJava1.dll
2013-03-10 07:15 . 2013-03-10 07:15    2560    ----a-w-    c:\windows\_MSRSTRT.EXE
2013-03-08 08:36 . 2005-08-31 15:59    293376    ----a-w-    c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2005-08-31 15:58    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2004-08-03 22:59    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2005-08-31 15:58    916480    ----a-w-    c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2005-08-31 15:58    43520    ------w-    c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2005-08-31 15:57    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2005-08-31 15:58    1867264    ----a-w-    c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2005-08-31 15:57    385024    ------w-    c:\windows\system32\html.iec
2013-02-27 07:56 . 2006-11-03 00:58    2067456    ----a-w-    c:\windows\system32\mstscax.dll
2013-02-12 00:32 . 2008-04-13 18:56    12928    ------w-    c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2005-08-31 15:58    12928    ----a-w-    c:\windows\system32\drivers\usb8023.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"icq"="c:\documents and settings\selena\Application Data\ICQM\icq.exe" [2013-03-08 27453288]
"F.lux"="c:\documents and settings\selena\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2013-03-07 109784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlienFX Controller"="c:\program files\Alienware\Alienware AlienFX\AlienwareAlienFXController.exe" [2007-01-29 327680]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"nwiz"="nwiz.exe" [2007-04-20 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="d:\program files\iTunesHelper.exe" [2013-02-20 152392]
"QuickTime Task"="d:\program files\qttask.exe" [2012-10-25 421888]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OTL"="C:\OTLPE.exe" [2011-07-13 2237440]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17    64592    ------w-    c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WDDMStatus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
backup=c:\windows\pss\WDDMStatus.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cisco AnyConnect Secure Mobility Agent for Windows]
2012-08-03 18:52    685048    ------w-    c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-12 17:38    49152    ------w-    c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-05-25 08:25    6595928    ----a-w-    d:\progra~1\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\CodeMeter\\Runtime\\bin\\CodeMeter.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Documents and Settings\\selena\\Application Data\\ICQM\\icq.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"d:\\Program Files\\iTunes.exe"=
"d:\\Program Files\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Program Files\\steam\\Steam.exe"=
"d:\\Program Files\\steam\\SteamApps\\common\\Magic 2013\\DotP_D13.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"2546:UDP"= 2546:UDP:knock 1
"6325:UDP"= 6325:UDP:knock 2
"8469:UDP"= 8469:UDP:knock 3
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/14/2009 3:49 PM 717296]
R1 MpKsl3340f33f;MpKsl3340f33f;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F084147A-0839-4BBC-A7CC-8F672987D997}\MpKsl3340f33f.sys [5/1/2013 12:32 AM 29904]
R1 PStrip;PStrip;c:\windows\system32\drivers\PStrip.sys [11/9/2004 5:32 PM 21968]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [11/14/2009 3:53 PM 8576]
R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [2/16/2013 8:49 PM 2571704]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [12/16/2009 12:22 PM 12184]
R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [8/3/2012 2:52 PM 537592]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/5/2010 4:24 PM 237056]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [10/5/2010 4:28 PM 1060352]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [10/5/2010 4:27 PM 484352]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [11/28/2010 2:50 PM 11520]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/28/2013 7:25 PM 161384]
S3 acsint;acsint;c:\windows\system32\drivers\acsint.sys [12/3/2012 2:18 PM 38440]
S3 acsmux;acsmux;c:\windows\system32\drivers\acsmux.sys [12/3/2012 2:18 PM 57256]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [12/29/2012 10:39 PM 83168]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys --> c:\windows\system32\drivers\dgderdrv.sys [?]
S3 FIXUSTOR;FIXUSTOR;c:\windows\system32\DRIVERS\fixustor.sys --> c:\windows\system32\DRIVERS\fixustor.sys [?]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [12/29/2012 10:39 PM 181344]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL3340F33F
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 14:44]
.
2013-04-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:34]
.
2013-05-01 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 16:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Show RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\selena\Application Data\Mozilla\Firefox\Profiles\a8yv32kw.default\
FF - prefs.js: browser.startup.homepage - hxxp://selenajeanette.com/links/home.html
FF - ExtSQL: !HIDDEN! 2009-09-27 23:45; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-NWEReboot - (no file)
MSConfigStartUp-Intuit SyncManager - c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
MSConfigStartUp-Omnipage - c:\program files\ScanSoft\OmniPageSE\opware32.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\selena\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-01 01:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-500793146-337190469-434494655-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e8,b9,32,70,c2,73,e6,d5,8f,bb,13,ed,d3,fc,fc,1e,2d,7e,7b,eb,45,
   9f,b0,bb,1b,17,5a,bc,12,14,84,e2,25,5e,4d,d0,82,f4,d4,43,31,09,c2,fe,14,60,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\08\06\0b\00!3g"
.
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e8,b9,32,70,c2,73,e6,d5,8f,bb,13,ed,d3,fc,fc,1e,2d,7e,7b,eb,45,
   9f,b0,bb,1b,17,5a,bc,12,14,84,e2,25,5e,4d,d0,82,f4,d4,43,31,09,c2,fe,14,60,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1024)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2013-05-01  01:34:57
ComboFix-quarantined-files.txt  2013-05-01 05:34
.
Pre-Run: 5,771,980,800 bytes free
Post-Run: 121,972,043,776 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 87F2470467A9B1F6A3DF29EEEB2B90D0
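The "Reg Loading Points" section of the ComboFix log above lists every Run/RunOnce autostart value together with the path it launches. As an added example (not part of this thread and not ComboFix's own code), the Python below parses lines in that format and picks out the entries a malware-response helper reads first: values that run from user-writable profile directories, and bare filenames that Windows resolves through the search path. The sample log it runs on is a constructed excerpt modelled on the one posted here; the user-writable directory list is an assumption for Windows XP.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of this thread and not ComboFix's own code. It assumes
the format ComboFix prints for Run/RunOnce keys (see the log above): a key
header in square brackets, then one line per value:  "name"="<path>" [date size]
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# [HKEY_LOCAL_MACHINE\SOFTWARE\...\Run]; ComboFix prints some keys in lower case.
KEY_HEADER = re.compile(r'^\[(?P<key>HK[^\]]+)\]$', re.IGNORECASE)
# "name"="path" [YYYY-MM-DD size]
RUN_ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$'
)
# Directories a standard Windows XP user can write to (assumed list). An
# autostart entry pointing here is not proof of malware, but it is where
# droppers usually land, so a helper reading the log checks these first.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",   # every profile, incl. Application Data
    "\\local settings\\",
    "\\temp\\",
)

@dataclass
class AutostartEntry:
    key: str    # registry key the value sits under
    name: str   # value name, e.g. "icq"
    path: str   # command/path as ComboFix recorded it
    date: str   # file timestamp printed by ComboFix
    size: int   # file size in bytes

def parse_reg_loading_points(text: str) -> List[AutostartEntry]:
    """Return every Run/RunOnce value in the log text, tagged with its key."""
    entries: List[AutostartEntry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        header = KEY_HEADER.match(line)
        if header:
            current_key = header.group("key")
            continue
        value = RUN_ENTRY.match(line)
        if value and current_key:
            entries.append(AutostartEntry(
                current_key, value.group("name"), value.group("path"),
                value.group("date"), int(value.group("size"))))
    return entries

def classify(entry: AutostartEntry) -> str:
    """Return 'ok' or a short reason the entry deserves a closer look."""
    path = entry.path.lower()
    if "\\" not in path and "/" not in path:
        # e.g. "nwiz"="nwiz.exe": resolved through the search path, so the
        # log alone does not show which file actually runs.
        return "bare filename, resolved via search path; verify the real file"
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        return "runs from a user-writable location"
    return "ok"

def triage(text: str) -> List[Tuple[AutostartEntry, str]]:
    """Parse the log and keep only the entries that need review."""
    return [(e, classify(e)) for e in parse_reg_loading_points(text)
            if classify(e) != "ok"]

# Constructed excerpt in ComboFix's format, modelled on the log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"icq"="c:\documents and settings\selena\Application Data\ICQM\icq.exe" [2013-03-08 27453288]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2013-03-07 109784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-04-20 1626112]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OTL"="C:\OTLPE.exe" [2011-07-13 2237440]
"""

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f'"{entry.name}" -> {reason}\n    {entry.key}\n    {entry.path}')
```

A flagged entry is a starting point for review, not a verdict; the "icq" value above, for instance, is flagged only because it lives under a profile directory.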
 



#15 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 30 April 2013 - 11:02 PM


Hello Lily93

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
CFScriptB-4.gif
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo



