Infected w/DOJ Ransomware, Getting Repeated Blue Screens


  • This topic is locked
28 replies to this topic

#1 Marcel85

Marcel85

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:13 AM

Posted 30 April 2013 - 11:22 AM

I definitely have the DOJ ransomware. The computer is totally locked up soon after a user logs in to Windows. Whenever I try and enter safe mode or safe mode with command prompt or safe mode with networking, it immediately goes to blue screen of death. I have tried to use multiple instructions from multiple sites to get rid of it, but nothing works. I even used a virus checker boot disk (Kaspersky Rescue Disk I found) that was successful in opening. It did a scan and found/deleted some malware, adware, trojans, etc. files, but when I rebooted normally, the malware remained intact. The instructions posted here do not work. The Hitman option listed on this site (Bleeping) does not work because I cannot use a USB to boot with. I have a USB port, but it's just not an option to boot with. And there is no option to put the Hitman on a CD. Also, since I am downloading it from my new computer, it will not even let me open the 32-bit version (that I need for my old infected computer), because it says I have a 64-bit system. My infected computer is a DELL with XP Home. I do not have my own boot disk. I have no screenshots since my computer is basically inop. I could take pictures, but it is the same as the one shown here:

http://www.bleepingcomputer.com/virus-removal/remove-department-of-justice-ransomware

 

When a user logs in, a few automatic processes start and that seems to hold up the ransomware a bit, but after a few seconds the ransom screen flashes and appears to cover everything but the task bar, but then it flashes again after a few seconds and covers all. I have disconnected from the internet. It has no effect.

 

Again, any solution requiring a boot will need to be delivered via cd since there is not an option to use a USB for booting in the boot menu.

 

Any help would be appreciated.  I am at the end of my rope.

 

 





#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:13 AM

Posted 30 April 2013 - 12:43 PM


Hello

Let's see if we can get this to run
  • Download OTLPE from either location and save it to your desktop:

    http://oldtimer.geekstogo.com/OTLPEStd.exe
    http://ottools.noahdfear.net/OTLPEStd.exe
  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPE Iso to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click the ImgBurn write button to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first

    Note : For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press "OK"
  • OTL should now start.
  • Push the Run Scan button
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your next reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
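Gringo's procedure ends with the user posting C:\OTL.txt, and the value of that file lies in triaging its entries rather than reading it top to bottom. The script below is an added example, not OTL's own code and not anything posted in this thread: it parses the line layouts OTL writes for Win32 services, driver services, O4 Run entries, O20 Winlogon Notify entries and the file lists, and applies a few defender-side review rules (registration with a missing binary, a driver with no publisher resource, executable code under an Application Data folder, a timestamp later than the scan itself). The sample lines are constructed in OTL's layout with placeholder names, the scan time is constructed, and every hit is a prompt to look closer, not a verdict.

```python
"""Triage helper for OTL / OTLPE log lines (added example, not OTL's own code)."""
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

STAMP_FMT = "%Y/%m/%d %H:%M:%S"

# SRV/DRV: "File not found [start] --  -- (name)" or
#          "[stamp | size | attrs | M] (Company) [start] -- path -- (name)"
SVC_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:(?P<missing>File not found)|\[(?P<stamp>[^|]+) \|[^\]]*\] \((?P<company>[^)]*)\))"
    r" \[(?P<start>[^\]]+)\] -- (?P<path>.*?) -- \((?P<name>[^)]*)\)$"
)
# O4: "O4 - <hive>: [<value>] <path (Company) | File not found>"
AUTORUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<value>[^\]]+)\]\s+(?P<target>.*)$")
# O20: "O20 - Winlogon\Notify\<key>: DllName - <dll> - <path | File not found>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon\\Notify\\(?P<key>[^:]+): DllName - (?P<dll>.*?) -\s+(?P<target>.*)$")
# Files: "[stamp | size | attrs | C/M] (Company) -- path"; the (Company) part is optional
FILE_RE = re.compile(r"^\[(?P<stamp>[^|]+) \|[^\]]*\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.*)$")


class Finding(NamedTuple):
    rule: str
    detail: str
    line: str


def parse_stamp(text: str) -> Optional[datetime]:
    try:
        return datetime.strptime(text.strip(), STAMP_FMT)
    except ValueError:
        return None


def strip_company(target: str) -> str:
    """Drop the trailing '(Company)' OTL appends after a path."""
    return re.sub(r"\s*\([^)]*\)\s*$", "", target)


def is_code_in_data_dir(path: str) -> bool:
    """Executable code living under an 'Application Data' folder."""
    p = path.lower()
    return p.endswith((".exe", ".dll", ".sys")) and "\\application data\\" in p


def triage(lines: List[str], scan_time: datetime) -> List[Finding]:
    """Apply review-prompt rules to OTL lines; every hit still needs a human look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        m = SVC_RE.match(line)
        if m:
            if m.group("missing"):  # registration outlived its binary
                findings.append(Finding("orphaned-service", m.group("name"), line))
            else:
                if not m.group("company").strip():  # OTL prints "()" for no company resource
                    findings.append(Finding("no-publisher", m.group("path"), line))
                stamp = parse_stamp(m.group("stamp"))
                if stamp and stamp > scan_time:
                    findings.append(Finding("future-timestamp", m.group("path"), line))
            continue
        m = NOTIFY_RE.match(line)
        if m:  # Notify DLLs load inside winlogon.exe, so a missing one deserves a check
            if m.group("target").startswith("File not found"):
                findings.append(Finding("orphaned-winlogon-notify", m.group("dll"), line))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            target = strip_company(m.group("target"))
            if target.startswith("File not found"):
                findings.append(Finding("orphaned-autorun", m.group("value"), line))
            elif is_code_in_data_dir(target):
                findings.append(Finding("autorun-from-data-dir", target, line))
            continue
        m = FILE_RE.match(line)
        if m:
            stamp = parse_stamp(m.group("stamp"))
            if stamp and stamp > scan_time:  # a create/modify time after the scan is not genuine
                findings.append(Finding("future-timestamp", m.group("path"), line))
            if is_code_in_data_dir(m.group("path")):
                findings.append(Finding("code-in-data-dir", m.group("path"), line))
    return findings


# Constructed sample in OTL's layout; the names are placeholders, not real entries.
SAMPLE_LOG = r"""
SRV - File not found [On_Demand] --  -- (oldsvc)
SRV - [2009/11/16 10:04:30 | 000,735,960 | ---- | M] (ExampleAV Ltd.) [Auto] -- C:\Program Files\ExampleAV\avsvc.exe -- (avsvc)
DRV - [2013/04/29 13:49:19 | 000,004,224 | ---- | M] () [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\nocompany.sys -- (nocompany)
O4 - HKLM..\Run: [GoneApp]  File not found
O4 - HKLM..\Run: [Switcher] C:\Documents and Settings\All Users\Application Data\switcher.exe (Example Corp.)
O20 - Winlogon\Notify\ExampleEvent: DllName - exevent.dll - C:\WINDOWS\System32\exevent.dll (Example GPU Inc.)
O20 - Winlogon\Notify\ghost32: DllName - ghost32.dll -  File not found
[2100/02/08 17:03:54 | 000,053,248 | ---- | C] (Example Periph Corp.) -- C:\Program Files\monitor.exe
[2013/04/29 13:38:25 | 000,000,000 | ---D | C] -- C:\Rescue Disk
"""
SCAN_TIME = datetime(2013, 4, 30, 19, 37, 16)  # constructed scan time


def triage_sample() -> List[Finding]:
    return triage(SAMPLE_LOG.strip().splitlines(), SCAN_TIME)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.rule:26} {f.detail}")
```

Running it against a real OTL.txt is a matter of `triage(open("OTL.txt", encoding="utf-8", errors="replace").read().splitlines(), scan_time)`, with the scan time taken from the "OTL logfile created on:" header. The rules are deliberately conservative: an orphaned Run value is most often an uninstall leftover, and a blank company field only says the PE carries no version resource, so the output is a shortlist for the analyst, not a malware list.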

#3 Marcel85

Marcel85
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:13 AM

Posted 30 April 2013 - 04:51 PM

Hello Gringo,

 

Thanks for the quick turn on my question.  Did everything you said to and here it is below.

 

Is it ok to leave the bad computer in the same state, with the OTLPE running? Or should I shut down?

 

M

 

---------------------------------------------------------------------------

 

OTL logfile created on: 4/30/2013 7:37:16 PM - Run
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
511.00 Mb Total Physical Memory | 283.00 Mb Available Physical Memory | 55.00% Memory free
459.00 Mb Paging File | 335.00 Mb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 7.94 Gb Free Space | 10.66% Space Free | Partition Type: NTFS
Drive D: | 502.84 Mb Total Space | 502.80 Mb Free Space | 99.99% Space Free | Partition Type: FAT
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet004
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [On_Demand] --  -- (x10nets)
SRV - File not found [Disabled] --  -- (HidServ)
SRV - File not found [On_Demand] --  -- (AppMgmt)
SRV - [2009/11/16 10:12:54 | 000,020,680 | ---- | M] (ESET) [On_Demand] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/11/16 10:04:30 | 000,735,960 | ---- | M] (ESET) [Auto] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2009/01/10 22:38:34 | 000,181,312 | ---- | M] () [Auto] -- C:\Program Files\Photodex\ProShowProducer\scsiaccess.exe -- (ScsiAccess)
SRV - [2008/01/07 00:40:31 | 000,016,936 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand] -- C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe -- (GoToAssist)
SRV - [2005/04/27 15:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)
SRV - [2002/07/23 06:45:12 | 000,065,536 | ---- | M] (Sony Corporation) [On_Demand] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand] --  -- (wanatw) WAN Miniport (ATW)
DRV - File not found [Kernel | System] --  -- (TDSSserv.sys)
DRV - File not found [Kernel | On_Demand] --  -- (SDDMI2)
DRV - File not found [Kernel | On_Demand] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] --  -- (PDCOMP)
DRV - File not found [Kernel | System] --  -- (PCIDump)
DRV - File not found [Kernel | System] --  -- (lbrtfdc)
DRV - File not found [Kernel | System] --  -- (Changer)
DRV - [2013/04/29 13:49:19 | 000,004,224 | ---- | M] () [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\RDPCDD.SYS -- (RDPCDD)
DRV - [2010/01/08 09:13:12 | 000,033,096 | ---- | M] (ESET) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\epfwndis.sys -- (Epfwndis)
DRV - [2009/12/18 16:02:26 | 000,135,048 | ---- | M] (ESET) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\epfw.sys -- (epfw)
DRV - [2009/11/16 10:06:48 | 000,055,768 | ---- | M] (ESET) [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\epfwtdi.sys -- (epfwtdi)
DRV - [2009/11/16 10:03:36 | 000,108,792 | ---- | M] (ESET) [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\ehdrv.sys -- (ehdrv)
DRV - [2009/11/16 09:56:12 | 000,116,520 | ---- | M] (ESET) [File_System | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\eamon.sys -- (eamon)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys -- (gameenum)
DRV - [2007/03/22 13:57:14 | 000,028,672 | --S- | M] (Gteko Ltd.) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\elagopro.sys -- (elagopro)
DRV - [2007/03/22 13:57:14 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\elaunidr.sys -- (elaunidr)
DRV - [2006/10/18 04:00:00 | 000,002,560 | ---- | M] (Sonic Solutions) [Kernel | System] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2006/10/18 04:00:00 | 000,002,432 | ---- | M] (Sonic Solutions) [Kernel | System] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2005/03/22 23:00:57 | 001,034,752 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2005/02/01 16:46:00 | 000,056,320 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\atineuxx.sys -- (ATITUNEP)
DRV - [2005/02/01 16:45:12 | 000,074,240 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinesxx.sys -- (ATIXSAudio)
DRV - [2005/02/01 16:42:58 | 000,165,888 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinevxx.sys -- (atinevxx)
DRV - [2005/02/01 16:41:58 | 000,014,848 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinpdxx.sys -- (PCDCODEC)
DRV - [2005/02/01 16:41:40 | 000,015,360 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinmdxx.sys -- (MVDCODEC)
DRV - [2005/02/01 16:37:46 | 000,055,296 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinraxx.sys -- (ativraxx)
DRV - [2004/04/14 21:22:46 | 000,105,984 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\atinrvxx.sys -- (atinrvxx)
DRV - [2004/01/27 15:13:45 | 000,003,840 | ---- | M] (Elaborate Bytes) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\ElbyDelay.sys -- (ElbyDelay)
DRV - [2003/12/17 13:50:00 | 000,070,801 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\lmouflt2.sys -- (LMouFlt2)
DRV - [2003/12/17 13:50:00 | 000,051,729 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\L8042PR2.SYS -- (L8042PR2)
DRV - [2003/12/17 13:50:00 | 000,025,505 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\LHIDFLT2.SYS -- (LHidFlt2)
DRV - [2003/12/15 14:28:46 | 000,257,872 | ---- | M] (Jungo) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\atirwvd.sys -- (ATI Remote Wonder II)
DRV - [2003/12/04 12:33:20 | 000,011,264 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\asapiW2k.sys -- (ASAPIW2k)
DRV - [2003/04/19 04:32:04 | 000,004,736 | ---- | M] () [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\tandpl.sys -- (tandpl)
DRV - [2003/03/28 16:31:54 | 000,010,761 | ---- | M] (X10 Wireless Technology, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\x10uif.sys -- (X10UIF)
DRV - [2003/03/02 21:44:26 | 000,007,552 | ---- | M] () [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\enodpl.sys -- (enodpl)
DRV - [2003/01/19 20:14:46 | 000,240,640 | ---- | M] (Roxio) [File_System | System] -- C:\WINDOWS\System32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2003/01/19 20:14:46 | 000,206,464 | ---- | M] (Roxio) [File_System | System] -- C:\WINDOWS\System32\drivers\UdfReadr_xp.sys -- (UdfReadr_xp)
DRV - [2003/01/19 20:14:46 | 000,134,426 | ---- | M] (Roxio) [Kernel | System] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2003/01/19 20:14:46 | 000,030,406 | ---- | M] (Roxio) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2003/01/19 20:14:46 | 000,025,674 | ---- | M] (Roxio) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/08/08 16:51:32 | 000,038,951 | ---- | M] (Sony Corporation) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\NETMDUSB.sys -- (NETMDUSB)
DRV - [2002/08/07 16:00:10 | 000,083,360 | ---- | M] (Generic) [Kernel | Boot] -- C:\WINDOWS\SYSTEM32\DRIVERS\stlth317.sys -- (Stlth317)
DRV - [2002/06/13 15:08:46 | 000,014,604 | ---- | M] (Padus, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys -- (pfc)
DRV - [2002/04/09 14:44:22 | 000,039,552 | R--- | M] (Prolific Technology Inc.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\ser2pl.sys -- (Ser2pl)
DRV - [2001/10/12 03:33:11 | 000,018,024 | R--- | M] (   ) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\LXARScan.sys -- (LXARScan)
DRV - [2001/09/13 19:09:48 | 000,777,088 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\emu10k1f.sys -- (emu10k) Creative SB Live! Value (WDM)
DRV - [2001/09/03 18:14:38 | 000,025,454 | ---- | M] (Realtek Semiconductor Corporation                                                ) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\RTL8139.sys -- (rtl8139)
DRV - [2001/08/31 14:37:58 | 000,036,992 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\sfman.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/22 09:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 14:52:24 | 000,038,144 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled] -- C:\WINDOWS\System32\DRIVERS\hpt3xx.sys -- (hpt3xx)
DRV - [2001/08/17 14:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/17 13:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctljystk.sys -- (ctljystk)
DRV - [2001/08/17 13:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)
DRV - [2001/07/25 12:58:28 | 000,584,336 | ---- | M] (Conexant Systems) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\hsf_cnxt.sys -- (winachsf)
DRV - [2001/07/18 14:07:00 | 000,080,449 | ---- | M] (Conexant Systems) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\spkpnt.sys -- (SpeakerPhone)
DRV - [2001/07/18 14:06:40 | 000,426,783 | ---- | M] (Conexant Systems) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\k56nt.sys -- (K56)
DRV - [2001/07/18 14:06:12 | 000,127,405 | ---- | M] (Conexant Systems) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\fsksnt.sys -- (Fsks)
DRV - [2001/07/18 14:05:26 | 000,217,019 | ---- | M] (Conexant Systems) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\faxnt.sys -- (SoftFax)
DRV - [2001/07/18 14:04:26 | 000,056,607 | ---- | M] (Conexant Systems) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\tonesnt.sys -- (Tones)
DRV - [2001/07/18 14:04:04 | 000,310,899 | ---- | M] (Conexant Systems) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\fallback.sys -- (Fallback)
DRV - [2001/07/18 14:01:56 | 000,077,426 | ---- | M] (Conexant Systems) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\basic2.sys -- (basic2)
DRV - [2001/07/18 14:01:38 | 000,067,654 | ---- | M] (Conexant Systems) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\rksample.sys -- (Rksample)
DRV - [2001/07/18 14:01:20 | 000,534,125 | ---- | M] (Conexant Systems) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\DRIVERS\v124nt.sys -- (V124)
DRV - [2001/07/11 12:34:52 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctlface.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/06/20 18:32:54 | 000,004,272 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\bvrp_pci.sys -- (bvrp_pci)
DRV - [1999/12/17 02:00:00 | 000,006,752 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto] -- C:\WINDOWS\SYSTEM32\PfModNT.sys -- (PfModNT)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/lobby/search.asp
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com/
IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Administrator.D136XM11_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
IE - HKU\Administrator.D136XM11_ON_C\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com/
IE - HKU\Administrator.D136XM11_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = www.live.com/
IE - HKU\Administrator.D136XM11_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\M_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\M_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\M_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\M_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
IE - HKU\S_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.com
IE - HKU\S_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = www.live.com/
IE - HKU\S_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: 
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrl.dll ( Microsoft Corporation)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 2.0.0.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2008/12/28 00:28:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 2.0.0.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/02/17 20:05:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2010/02/24 23:33:22 | 000,000,000 | ---D | M]
 
[2011/02/17 20:04:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/02/17 20:04:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}(2)
[2008/01/07 00:46:55 | 000,000,000 | ---D | M] (Talkback) -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org
[2007/11/28 15:12:01 | 000,067,696 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2007/11/28 15:12:02 | 000,054,376 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2007/11/28 15:12:03 | 000,034,952 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\myspell.dll
[2007/11/28 15:12:04 | 000,046,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\spellchk.dll
[2007/11/28 15:12:04 | 000,172,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
 
O1 HOSTS File: ([2007/09/25 06:26:58 | 000,000,740 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - SOFTWARE - No CLSID value found.
O3 - HKU\M_ON_C\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\M_ON_C\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\M_ON_C\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\M_ON_C\..\Toolbar\WebBrowser: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - No CLSID value found.
O3 - HKU\M_ON_C\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\M_ON_C\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O3 - HKU\S_ON_C\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S_ON_C\..\Toolbar\ShellBrowser: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - No CLSID value found.
O3 - HKU\S_ON_C\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S_ON_C\..\Toolbar\ShellBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O3 - HKU\S_ON_C\..\Toolbar\WebBrowser: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No CLSID value found.
O3 - HKU\S_ON_C\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S_ON_C\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S_ON_C\..\Toolbar\WebBrowser: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - No CLSID value found.
O3 - HKU\S_ON_C\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe (Roxio)
O4 - HKLM..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQINIT.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\atidtct.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [BillMinder]  File not found
O4 - HKLM..\Run: [CSV7P91]  File not found
O4 - HKLM..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe ()
O4 - HKLM..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CTNotify.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [DisplaySwitch] C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe (Hilgraeve, Inc.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [iGiveShoppingWindow0]  File not found
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe (PureEdge™ Solutions Inc.)
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe ()
O4 - HKLM..\Run: [PrinTray]  File not found
O4 - HKLM..\Run: [QuickenSEMessage]  File not found
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [WorkFlow]  File not found
O4 - HKU\Administrator.D136XM11_ON_C..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKU\M_ON_C..\Run: [ATI Launchpad] C:\Program Files\ATI Multimedia\main\LaunchPd.exe (ATI Technologies Inc.)
O4 - HKU\M_ON_C..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKU\S_ON_C..\Run: [ATI Launchpad] C:\Program Files\ATI Multimedia\main\LaunchPd.exe (ATI Technologies Inc.)
O4 - HKU\S_ON_C..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKU\S_ON_C..\Run: [Microsoft Works Update Detection]  File not found
O4 - HKU\S_ON_C..\Run: [swg]  File not found
O4 - HKU\S_ON_C..\Run: [ZoneTick] C:\Program Files\ZoneTick\zonetick.exe (WR Consulting)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\Administrator.D136XM11_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = _ [binary data]
O7 - HKU\Administrator.D136XM11_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer:  =
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\M_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\M_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer:  =
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = _ [binary data]
O7 - HKU\S_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer:  =
O9 - Extra Button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL (ATI Technologies Inc.)
O16 - DPF: {00000075-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/voxmsdec.CAB (Reg Error: Key error.)
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} http://help.rr.com/Foundrysdccommon/download/tgctlar.cab (Support.com ActionRunner Class)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1083647788715 (MSSecurityAdvisor Class)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc.cab (Office Update Installation Engine)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe (Reg Error: Key error.)
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} http://www.hpphoto.com/downloads/DownloadPhotos.cab (DownLoadStub Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37633.8680092593 (Reg Error: Key error.)
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab (YAddBook Class)
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB (CBrowser Class)
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_06)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} http://www.photodex.com/pxplay.cab (Photodex Presenter AX control)
O16 - DPF: {CECFDB95-B6F6-4A7F-A5AA-E3AD8C95BC75} http://www.topmoxie.com/external/builds/igive/igiv600.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_0.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O16 - DPF: Yahoo! MahJong Solitaire http://download.games.yahoo.com/games/clients/y/mjst3_x.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\msldr32: DllName - msldr32.dll -  File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/11/15 08:31:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2100/02/08 17:03:54 | 000,053,248 | ---- | C] (Silitek Corp.) -- C:\Program Files\ACMonitor_X73.exe
[2013/04/29 13:38:25 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2013/04/28 22:47:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\S\Application Data\ESET
[2013/04/28 10:19:54 | 000,116,224 | ---- | C] (Hilgraeve, Inc.) -- C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
[2010/02/06 15:53:16 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\M\Application Data\pcouffin.sys
[2002/07/20 17:32:20 | 000,018,024 | R--- | C] (   ) -- C:\WINDOWS\System32\drivers\LXARScan.sys
[2002/07/10 20:00:48 | 000,059,392 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[1996/11/18 23:15:46 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\implode.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\Documents and Settings\S\My Documents\*.tmp files -> C:\Documents and Settings\S\My Documents\*.tmp -> ]
[2 C:\Documents and Settings\M\My Documents\*.tmp files -> C:\Documents and Settings\M\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\M\*.tmp files -> C:\Documents and Settings\M\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/04/30 11:49:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2013/04/30 11:49:24 | 535,904,256 | -HS- | M] () -- C:\hiberfil.sys
[2013/04/29 22:39:15 | 002,250,054 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/04/29 22:38:57 | 000,350,795 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2013/04/29 18:22:04 | 000,000,049 | ---- | M] () -- C:\WINDOWS\.directory
[2013/04/29 18:18:27 | 000,000,080 | ---- | M] () -- C:\.directory
[2013/04/29 17:19:48 | 000,000,050 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\.directory
[2013/04/29 13:49:19 | 000,004,224 | ---- | M] () -- C:\WINDOWS\System32\drivers\RDPCDD.SYS
[2013/04/29 00:26:25 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2013/04/28 22:47:15 | 000,384,596 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2013/04/28 22:47:15 | 000,054,280 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2013/04/28 10:19:49 | 000,116,224 | ---- | M] (Hilgraeve, Inc.) -- C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
[2013/04/27 08:41:12 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\Documents and Settings\S\My Documents\*.tmp files -> C:\Documents and Settings\S\My Documents\*.tmp -> ]
[2 C:\Documents and Settings\M\My Documents\*.tmp files -> C:\Documents and Settings\M\My Documents\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\M\*.tmp files -> C:\Documents and Settings\M\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2100/02/23 15:35:34 | 000,000,768 | ---- | C] () -- C:\Program Files\x73_lut.dat
[2100/02/08 16:53:34 | 000,001,437 | ---- | C] () -- C:\Program Files\gtx73.ini
[2013/04/29 22:39:12 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/04/29 22:38:47 | 000,350,795 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2013/04/29 18:22:04 | 000,000,049 | ---- | C] () -- C:\WINDOWS\.directory
[2013/04/29 18:19:55 | 000,303,565 | ---- | C] () -- C:\AMCC 037A.JPG
[2013/04/29 18:18:27 | 000,000,080 | ---- | C] () -- C:\.directory
[2013/04/29 17:19:48 | 000,000,050 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\.directory
[2010/08/03 01:10:21 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/02/06 15:53:16 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\M\Application Data\inst.exe
[2010/02/06 15:53:16 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\M\Application Data\pcouffin.cat
[2010/02/06 15:53:16 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\M\Application Data\pcouffin.inf
[2010/01/20 17:41:23 | 000,001,572 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2010/01/20 17:41:22 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/02/12 06:13:30 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\default_user_class.dat
[2008/12/27 21:41:29 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ZipDll.dll
[2008/12/27 21:41:29 | 000,115,712 | ---- | C] () -- C:\WINDOWS\System32\UnzDll.dll
[2008/12/27 21:41:29 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\UNRAR.DLL
[2008/08/27 21:04:59 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/03/18 22:17:53 | 000,029,696 | ---- | C] () -- C:\WINDOWS\System32\asutl8.dll
[2007/08/31 00:41:39 | 000,000,230 | ---- | C] () -- C:\WINDOWS\CTWave32.ini
[2007/07/29 23:23:06 | 000,000,010 | ---- | C] () -- C:\WINDOWS\PureEdgeAPI.ini
[2007/01/15 22:27:56 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2006/07/09 15:45:50 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\M\Application Data\dm.ini
[2005/11/25 19:39:27 | 000,000,045 | ---- | C] () -- C:\WINDOWS\GCGGHFLI.ini
[2005/04/11 10:52:49 | 000,000,124 | ---- | C] () -- C:\Documents and Settings\S\Local Settings\Application Data\fusioncache.dat
[2005/04/09 13:57:00 | 000,000,124 | ---- | C] () -- C:\Documents and Settings\M\Local Settings\Application Data\fusioncache.dat
[2005/02/08 16:34:22 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/01/18 15:05:36 | 000,081,342 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2005/01/12 19:49:55 | 000,007,552 | ---- | C] () -- C:\WINDOWS\System32\drivers\enodpl.sys
[2005/01/12 19:49:55 | 000,004,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\tandpl.sys
[2004/11/30 21:21:14 | 000,023,552 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
[2004/11/23 18:27:19 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/11/22 13:27:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/07/05 17:19:42 | 000,000,055 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/07/05 16:08:25 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\pxhpinst.exe
[2004/07/05 02:17:00 | 000,000,107 | ---- | C] () -- C:\WINDOWS\VobEdit.INI
[2004/06/22 01:26:19 | 000,406,016 | ---- | C] () -- C:\WINDOWS\System32\PSDrvCheck.exe
[2004/05/16 15:12:18 | 000,081,920 | R--- | C] () -- C:\WINDOWS\bwUnin-6.1.4.61-8876480L.exe
[2004/05/16 14:46:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI
[2004/05/16 14:31:12 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/05/16 14:15:24 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2004/04/20 15:10:33 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/01/28 12:42:06 | 000,066,560 | ---- | C] () -- C:\WINDOWS\System32\atiyuv12.dll
[2004/01/28 12:42:06 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2004/01/28 12:42:06 | 000,013,601 | ---- | C] () -- C:\WINDOWS\System32\vctest.ini
[2003/12/26 15:23:36 | 000,000,137 | ---- | C] () -- C:\WINDOWS\ngmap.ini
[2003/11/11 20:14:55 | 000,180,484 | ---- | C] () -- C:\Documents and Settings\M\~
[2003/10/14 14:54:14 | 000,262,416 | ---- | C] () -- C:\WINDOWS\System32\ASFV2.DLL
[2003/10/14 14:51:33 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2003/10/02 10:43:51 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2003/05/08 11:06:23 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\S\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/03/12 21:08:48 | 000,000,143 | ---- | C] () -- C:\WINDOWS\MSMAIL.INI
[2003/03/05 00:23:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mixer.INI
[2003/01/13 00:59:53 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/09/28 19:47:09 | 000,030,464 | ---- | C] () -- C:\WINDOWS\macromix.dll
[2002/09/25 17:54:51 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2002/09/25 17:19:43 | 000,000,532 | ---- | C] () -- C:\WINDOWS\VTruck3.ini
[2002/08/25 13:16:01 | 000,001,035 | ---- | C] () -- C:\WINDOWS\videoimp.ini
[2002/08/18 20:27:03 | 000,001,342 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2002/08/18 17:47:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OPPRIN~1.INI
[2002/08/18 00:19:55 | 000,000,426 | ---- | C] () -- C:\WINDOWS\IfoEdit.INI
[2002/08/10 21:41:40 | 000,000,724 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2002/07/27 11:31:46 | 000,028,160 | ---- | C] () -- C:\WINDOWS\UnSetup.exe
[2002/07/24 01:04:22 | 000,000,166 | ---- | C] () -- C:\WINDOWS\INTUIT.INI
[2002/07/24 01:01:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
[2002/07/24 01:00:00 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ICOA.INI
[2002/07/24 00:58:28 | 000,000,252 | ---- | C] () -- C:\WINDOWS\addrbook.ini
[2002/07/24 00:58:27 | 000,207,872 | ---- | C] () -- C:\WINDOWS\System32\RDMWIN32.DLL
[2002/07/24 00:58:26 | 000,005,776 | ---- | C] () -- C:\WINDOWS\icoadb32.dat
[2002/07/24 00:58:19 | 000,000,054 | ---- | C] () -- C:\WINDOWS\QFP.INI
[2002/07/24 00:58:19 | 000,000,054 | ---- | C] () -- C:\WINDOWS\MFF.INI
[2002/07/23 23:24:34 | 000,000,626 | ---- | C] () -- C:\WINDOWS\INTU_ONL.INI
[2002/07/23 22:47:43 | 000,000,030 | ---- | C] () -- C:\WINDOWS\INTURS.DAT
[2002/07/23 22:46:26 | 000,001,416 | ---- | C] () -- C:\WINDOWS\QfnOnl.ini
[2002/07/23 22:46:26 | 000,000,609 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2002/07/23 22:46:25 | 000,000,038 | ---- | C] () -- C:\WINDOWS\ACCWIZ.INI
[2002/07/23 22:46:24 | 000,008,256 | ---- | C] () -- C:\WINDOWS\QFNOADB.DAT
[2002/07/23 22:46:24 | 000,000,362 | ---- | C] () -- C:\WINDOWS\QDQICK.INI
[2002/07/23 22:45:40 | 000,002,122 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2002/07/23 18:37:37 | 000,003,071 | ---- | C] () -- C:\WINDOWS\VTruck2.ini
[2002/07/23 18:33:49 | 000,000,333 | ---- | C] () -- C:\WINDOWS\VTruck1.ini
[2002/07/23 16:06:53 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\M\Local Settings\Application Data\FASTWiz.html
[2002/07/20 17:39:47 | 000,000,020 | ---- | C] () -- C:\WINDOWS\InfModM.ini
[2002/07/20 17:36:26 | 000,000,078 | ---- | C] () -- C:\WINDOWS\psuite.ini
[2002/07/19 21:10:21 | 000,000,103 | ---- | C] () -- C:\WINDOWS\CTRec.INI
[2002/07/16 23:03:06 | 000,052,224 | ---- | C] () -- C:\Documents and Settings\M\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2002/07/10 20:08:37 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2002/07/10 20:01:42 | 001,576,960 | ---- | C] () -- C:\WINDOWS\System32\mplvw7.dll
[2002/07/10 20:01:42 | 001,118,208 | ---- | C] () -- C:\WINDOWS\System32\mplvpx.dll
[2002/07/10 20:01:41 | 001,642,496 | ---- | C] () -- C:\WINDOWS\System32\mplva6.dll
[2002/07/10 20:01:41 | 001,548,288 | ---- | C] () -- C:\WINDOWS\System32\mplvm6.dll
[2002/07/10 20:01:41 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\mplaw7.dll
[2002/07/10 20:01:41 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\mplaa6.dll
[2002/07/10 20:01:41 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\mplapx.dll
[2002/07/10 20:01:41 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\mplam6.dll
[2002/07/10 20:01:41 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2002/07/10 20:00:25 | 001,048,576 | ---- | C] () -- C:\WINDOWS\System32\sfman.dat
[2002/07/10 20:00:25 | 000,000,231 | ---- | C] () -- C:\WINDOWS\ac3api.ini
[2002/07/10 20:00:11 | 000,000,184 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2002/07/10 19:59:07 | 000,000,029 | ---- | C] () -- C:\WINDOWS\wgedit.ini
[2002/07/10 19:59:05 | 000,057,344 | ---- | C] () -- C:\WINDOWS\uninstBVRP.dll
[2002/07/10 19:58:58 | 000,004,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\bvrp_pci.sys
[2002/07/10 19:56:46 | 000,000,917 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2002/07/10 19:50:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2002/07/10 19:48:00 | 000,339,440 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/07/10 18:37:46 | 000,000,546 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2002/01/08 20:03:10 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\MiniBrowser.dll
[2001/11/15 09:19:38 | 000,000,472 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2001/11/15 08:39:06 | 000,384,596 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2001/11/15 08:39:06 | 000,054,280 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2001/11/15 08:31:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2001/11/15 08:28:28 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2001/10/12 03:42:49 | 000,000,643 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2001/08/23 16:07:14 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2001/08/23 16:07:02 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2001/08/18 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2001/08/18 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2001/08/18 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2001/08/18 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2001/08/18 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2001/08/18 07:00:00 | 000,004,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\RDPCDD.SYS
[2001/08/18 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2001/07/20 11:48:06 | 000,008,116 | ---- | C] () -- C:\Program Files\OSLO3071b2.USB
[2001/01/18 16:55:22 | 000,131,584 | ---- | C] () -- C:\WINDOWS\System32\Ptlic32.exe
[2000/12/05 16:56:34 | 000,114,688 | ---- | C] () -- C:\Program Files\lxarscan.dll
[2000/04/25 14:58:08 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\Wrkgadm.exe
[2000/01/11 13:50:48 | 000,000,047 | ---- | C] () -- C:\Program Files\ACMonitor_X73.ini
[1999/04/20 04:15:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\unvise32.dll
[1996/12/04 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/12/04 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1996/11/18 23:15:56 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\u2ddisk.dll
[1996/11/18 23:15:52 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\p2sodbc.dll
[1996/11/18 23:15:50 | 000,054,272 | ---- | C] () -- C:\WINDOWS\System32\p2irdao.dll
[1996/11/18 23:15:50 | 000,050,176 | ---- | C] () -- C:\WINDOWS\System32\p2ctdao.dll
[1996/11/18 23:15:50 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\p2bbnd.dll
[1996/11/18 23:15:28 | 000,748,160 | ---- | C] () -- C:\WINDOWS\System32\Co2c40en.dll
 
========== LOP Check ==========
 
[2008/03/18 22:05:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\Anvil Studio
[2010/02/24 23:35:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\ESET
[2008/11/18 10:07:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\FoxPlayerAIR.01F2E49DE175CC541F416F2DF78BDD5E63AD0096.1
[2006/08/15 20:36:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\Leadertech
[2004/07/11 03:43:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\Lycos
[2006/07/09 09:19:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\Netscape
[2007/07/06 10:41:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\Photodex
[2008/12/10 15:05:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\PureEdge
[2010/02/06 17:27:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\Vso
[2007/07/22 23:59:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\Wal-Mart Digital Photo Viewer
[2005/04/12 11:14:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\M\Application Data\X10 Commander
[2013/04/28 22:47:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\S\Application Data\ESET
[2008/12/12 14:16:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\S\Application Data\PureEdge
[2007/01/22 22:00:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\S\Application Data\Viewpoint
[2008/01/07 00:41:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2010/02/24 23:33:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2008/08/23 13:43:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes
[2007/10/20 17:21:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Philips Intelligent Agent
[2008/12/10 15:04:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PureEdge
[2007/01/22 22:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/07/25 12:59:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2008/12/28 00:34:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
 
========== Purity Check ==========
 
 
< End of report >
 



#4 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 April 2013 - 05:18 PM


Hello Marcel85

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script
  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Custom Scans/Fixes text box.
    :OTL
    O4 - HKLM..\Run: [DisplaySwitch] C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe (Hilgraeve, Inc.)
    [2013/04/28 10:19:54 | 000,116,224 | ---- | C] (Hilgraeve, Inc.) -- C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
    [2013/04/29 22:39:15 | 002,250,054 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
    [2013/04/29 22:38:57 | 000,350,795 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

    Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.


Let me know How things are doing

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
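As an added example (not part of this thread, and neither OTL's nor gringo's code), here is a small Python triage script for the OTL entry formats seen in the log posted above. It applies a few defensive heuristics that single out the same items the fix script targets: the autostart entry and the files dropped straight into the shared Application Data folder, plus the Winlogon Notify package whose DLL is missing. The sample lines are copied from the log and the fix script; the scan time of 30 April 2013 is an assumption.

```python
"""Triage helper for OTL scan logs (added example; not OTL's own code).

Heuristics applied to the entry formats seen in the log above:
  1. files created within the last 30 days directly in the shared
     "All Users\\Application Data" folder (no vendor sub-folder),
  2. O4 autostart (Run) entries whose target lives in a user profile folder,
  3. O20 Winlogon Notify packages whose DLL is reported "File not found",
  4. executables stored under a user profile folder (low severity, since
     legitimate software does this too),
plus file times later than the scan time, which are reported as an oddity.
"""
import re
from datetime import datetime, timedelta

# [2013/04/28 10:19:54 | 000,116,224 | ---- | C] (Hilgraeve, Inc.) -- C:\...\DisplaySwitch.exe
# Directory entries carry ---D and have no "(company)" group.
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)
# O4 - HKLM..\Run: [DisplaySwitch] C:\...\DisplaySwitch.exe (Hilgraeve, Inc.)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?)(?: \((?P<company>[^)]*)\))?\s*$"
)
# O20 - Winlogon\Notify\msldr32: DllName - msldr32.dll -  File not found
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon\\Notify\\(?P<name>[^:]+): DllName - (?P<dll>.+?) -\s+(?P<resolved>.+?)\s*$"
)

SHARED_APPDATA = "\\all users\\application data\\"
USER_PROFILE = ("\\application data\\", "\\local settings\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def in_shared_appdata_root(path):
    """True when the file sits directly in All Users\\Application Data."""
    low = path.lower()
    i = low.find(SHARED_APPDATA)
    return i != -1 and "\\" not in low[i + len(SHARED_APPDATA):]


def triage(lines, scan_time, window_days=30):
    """Return (severity, reason, line) findings for the given OTL log lines."""
    findings = []
    recent_after = scan_time - timedelta(days=window_days)
    for raw in lines:
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            if "D" in m["attrs"]:
                continue  # directories are not interesting for these checks
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            low = m["path"].lower()
            if ts > scan_time:
                findings.append(("info", "file time later than scan time", line))
            elif m["kind"] == "C" and ts >= recent_after and in_shared_appdata_root(m["path"]):
                findings.append(("high", "recent file dropped in shared Application Data root", line))
            elif low.endswith(EXEC_EXT) and any(d in low for d in USER_PROFILE):
                findings.append(("low", "executable stored under a user profile folder", line))
            continue
        m = RUN_RE.match(line)
        if m:
            low = m["path"].lower()
            if any(d in low for d in USER_PROFILE):
                findings.append(("high", "autostart entry runs from a user profile folder", line))
            continue
        m = NOTIFY_RE.match(line)
        if m and m["resolved"].lower().startswith("file not found"):
            findings.append(("medium", "Winlogon Notify package points at a missing DLL", line))
    return findings


# Sample lines copied from the log and the fix script above (a constructed subset).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [DisplaySwitch] C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe (Hilgraeve, Inc.)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\msldr32: DllName - msldr32.dll -  File not found
[2100/02/08 17:03:54 | 000,053,248 | ---- | C] (Silitek Corp.) -- C:\Program Files\ACMonitor_X73.exe
[2013/04/29 13:38:25 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2013/04/28 22:47:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\S\Application Data\ESET
[2013/04/28 10:19:54 | 000,116,224 | ---- | C] (Hilgraeve, Inc.) -- C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
[2013/04/29 22:39:12 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/04/29 22:38:47 | 000,350,795 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2010/02/06 15:53:16 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\M\Application Data\pcouffin.sys
[2013/04/30 11:49:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
"""
SCAN_TIME = datetime(2013, 4, 30, 12, 0, 0)  # assumed: the day the log was posted


def triage_sample():
    """Run the heuristics over the sample lines above."""
    return triage(SAMPLE_LOG.strip().splitlines(), SCAN_TIME)


if __name__ == "__main__":
    for severity, reason, line in triage_sample():
        print(f"[{severity:6}] {reason}\n         {line}")
```

Running it lists the DisplaySwitch.exe autostart, the three files at the root of All Users\Application Data and the orphaned msldr32 Notify entry, which is a reasonable first cut of what to look at before writing a fix script.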

#5 Marcel85
  • Topic Starter
  • Members
  • 16 posts

Posted 30 April 2013 - 06:48 PM

Everything appeared to go as you said.  Here is report.

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DisplaySwitch deleted successfully.
C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe moved successfully.
File C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe not found.
C:\Documents and Settings\All Users\Application Data\1.bmp moved successfully.
C:\Documents and Settings\All Users\Application Data\1.jpg moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
An internal error occurred: The system cannot find the file specified.
 
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to open registry key for tcpip.
C:\cmd.bat deleted successfully.
C:\cmd.txt deleted successfully.
========== COMMANDS ==========
Error: Unable to interpret <[emptyjava]> in the current context!
 
[EMPTYFLASH]
 
User: Administrator
 
User: Administrator.D136XM11
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 215527 bytes
->Flash cache emptied: 750 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 6291073 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 54436741 bytes
->Flash cache emptied: 83839 bytes
 
User: M
->Temp folder emptied: 1397131880 bytes
->Temporary Internet Files folder emptied: 28332279 bytes
->Java cache emptied: 11660467 bytes
->FireFox cache emptied: 2485504 bytes
->Flash cache emptied: 122381 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 135512558 bytes
->Flash cache emptied: 70010 bytes
 
User: S
->Temp folder emptied: 30195836 bytes
->Temporary Internet Files folder emptied: 131156137 bytes
->Java cache emptied: 14594498 bytes
->FireFox cache emptied: 3839795 bytes
->Flash cache emptied: 18731 bytes
 
Total Flash Files Cleaned = 1,732.00 mb
 
 
OTLPE by OldTimer - Version 3.1.48.0 log created on 04302013_212846
 



#6 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 April 2013 - 08:17 PM

are you able to log into windows now?


gringo

#7 Marcel85
  • Topic Starter
  • Members
  • 16 posts

Posted 30 April 2013 - 08:55 PM

I am in.  No more Ransom screen. The same report that I posted for you was up when it opened.



#8 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 April 2013 - 09:05 PM


Hello Marcel85


These are the programs I would like you to run next, if you have any problems with these just skip it and move on to the next one.


-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator to start"
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller
Gringo

#9 Marcel85
  • Topic Starter
  • Members
  • 16 posts

Posted 30 April 2013 - 09:07 PM

Probably a silly question, but I am still not hooked up to the internet on the sick computer.  Is it ok to hook back up?  A lot easier than downloading on the other computer and transferring files.  I assume it is but thought I better ask.



#10 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 April 2013 - 09:20 PM

Yes you can


gringo

#11 Marcel85
  • Topic Starter
  • Members
  • 16 posts

Posted 01 May 2013 - 06:22 AM

Here you go, both reports.    -M

# AdwCleaner v2.300 - Logfile created 05/01/2013 at 09:22:09
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : M - D136XM11
# Boot Mode : Normal
# Running from : C:\Documents and Settings\M\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\Trymedia
Folder Deleted : C:\Program Files\Viewpoint

***** [Registry] *****

Key Deleted : HKCU\Software\FunWebProducts
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6000.17023

[OK] Registry is clean.

-\\ Mozilla Firefox v2.0.0.11 (en-US)

*************************

AdwCleaner[S1].txt - [2387 octets] - [01/05/2013 09:22:09]

########## EOF - C:\AdwCleaner[S1].txt - [2447 octets] ##########

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : M [Admin rights]
Mode : Remove -- Date : 05/01/2013 07:16:36
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Run : UpdReg (C:\WINDOWS\Updreg.exe) [-] -> DELETED
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[19] : NtAssignProcessToJobObject @ 0x805A253D -> HOOKED (Unknown @ 0x82DFEC90)
SSDT[57] : NtDebugActiveProcess @ 0x8065B541 -> HOOKED (Unknown @ 0x82DFF200)
SSDT[68] : NtDuplicateObject @ 0x805717C5 -> HOOKED (Unknown @ 0x82DFF2F0)
SSDT[122] : NtOpenProcess @ 0x805719AC -> HOOKED (Unknown @ 0x82DFE590)
SSDT[128] : NtOpenThread @ 0x8058E5C4 -> HOOKED (Unknown @ 0x82DFE800)
SSDT[137] : NtProtectVirtualMemory @ 0x80571E96 -> HOOKED (Unknown @ 0x82DFEFD0)
SSDT[180] : NtQueueApcThread @ 0x8058A487 -> HOOKED (Unknown @ 0x82DFF0E0)
SSDT[213] : NtSetContextThread @ 0x8062E057 -> HOOKED (Unknown @ 0x82DFEEC0)
SSDT[229] : NtSetInformationThread @ 0x80575756 -> HOOKED (Unknown @ 0x82DFED90)
SSDT[237] : NtSetSecurityObject @ 0x8059B1F3 -> HOOKED (Unknown @ 0x82DFBDA0)
SSDT[253] : NtSuspendProcess @ 0x8062FC39 -> HOOKED (Unknown @ 0x82DFEB90)
SSDT[254] : NtSuspendThread @ 0x805E053E -> HOOKED (Unknown @ 0x82DFEA80)
SSDT[257] : NtTerminateProcess @ 0x805824CC -> HOOKED (Unknown @ 0x82DFE6E0)
SSDT[258] : NtTerminateThread @ 0x8057BA6F -> HOOKED (Unknown @ 0x82DFEA50)
SSDT[277] : NtWriteVirtualMemory @ 0x8057E60A -> HOOKED (Unknown @ 0x82DFF6D0)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x836E2358)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800BB-75CAA0 +++++
--- User ---
[MBR] 927e178c5999ece1f554075f11d10f6b
[BSP] f49cae14d8b91b005dff84b1f6d8852f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 31 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 64260 | Size: 76253 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_05012013_02d0716.txt >>
RKreport[1]_S_05012013_02d0712.txt ; RKreport[2]_D_05012013_02d0716.txt



#12 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 May 2013 - 07:06 AM


Hello Marcel85

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Marcel85

Marcel85
  • Topic Starter

  • Members
  • 16 posts

Posted 01 May 2013 - 04:20 PM

Log is below.  Had trouble downloading from links on the bad computer.  Might just be slow.  Seemed like a browser problem more than anything.  Downloaded it on the Win7 computer fine and transferred it.  I began to run it at lunch but had to leave to go back to work.  It did need to download the Recovery Console.  When I got back to it, the computer had apparently rebooted.  It was on the Windows log-in screen.  I logged back in and the ComboFix window said it was "preparing the report."  The report popped up a few minutes later.  I also restarted my virus program.  Opened a few programs and they appeared fine.  The old computer is a bit slow and the only reason I keep it is so I can use many programs that are not supported on Win7.  -M

ComboFix 13-05-01.03 - M 05/01/2013  12:39:26.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.511.249 [GMT -4:00]
Running from: c:\documents and settings\M\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *Disabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DirectCDUserNameE.txt
c:\documents and settings\M\Application Data\AdobeDLM.log
c:\documents and settings\M\Application Data\inst.exe
c:\documents and settings\M\My Documents\~WRL2287.tmp
c:\documents and settings\M\My Documents\~WRL2783.tmp
c:\documents and settings\M\proshow-burn.tmp
c:\documents and settings\M\WINDOWS
c:\documents and settings\S\Desktop\Setup.exe
c:\documents and settings\S\My Documents\~WRL0181.tmp
c:\documents and settings\S\My Documents\~WRL0979.tmp
c:\documents and settings\S\My Documents\~WRL1730.tmp
c:\documents and settings\S\My Documents\~WRL2680.tmp
c:\program files\TBONAS
C:\Thumbs.db
c:\windows\daemon.dll
c:\windows\dasetup.log
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.5.inf
c:\windows\EventSystem.log
c:\windows\help\wmplayer.bak
c:\windows\msvcr71.dll
c:\windows\System32\msMAsk32.ocx
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\rnaph.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\Temp\_ex-08.exe
c:\windows\Temp\_ex-68.exe
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-01 to 2013-05-01  )))))))))))))))))))))))))))))))
.
.
2100-02-08 21:03 . 2001-05-11 16:39 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2013-05-01 01:29 . 2011-07-13 02:55 2237440 ----a-r- C:\OTLPE.exe
2013-05-01 01:28 . 2013-05-01 01:28 -------- d-----w- C:\_OTL
2013-04-29 17:38 . 2013-04-29 23:16 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-04-29 02:47 . 2013-04-29 02:47 -------- d-----w- c:\documents and settings\S\Application Data\ESET
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-29 17:49 . 2001-08-18 11:00 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.SYS
2001-05-08 21:36 . 2000-12-05 20:56 114688 ----a-w- c:\program files\lxarscan.dll
2007-11-28 19:12 . 2008-01-07 04:46 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:12 . 2008-01-07 04:46 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:12 . 2008-01-07 04:46 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:12 . 2008-01-07 04:46 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:12 . 2008-01-07 04:46 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\LaunchPd.exe" [2005-03-19 102400]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 405583]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell|Alert"="c:\program files\Dell\Support\Alert\bin\DAMon.exe" [2002-04-03 282624]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2003-12-04 406016]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 339968]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-03-23 32768]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-03-19 53248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-03-28 102400]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-01-20 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
.
c:\documents and settings\M\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-01-07 04:40 10792 ----a-w- c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\mmc.exe"=
"c:\\Program Files\\Savings Bond Wizard\\SBWizard.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"c:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 0 (0x0)
.
R0 Stlth317;Stlth317;c:\windows\SYSTEM32\DRIVERS\stlth317.sys [8/7/2002 4:00 PM 83360]
R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [11/16/2009 10:03 AM 108792]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 10:04 AM 735960]
R3 pcouffin;VSO Software pcouffin;c:\windows\SYSTEM32\DRIVERS\pcouffin.sys [2/6/2010 3:53 PM 47360]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} - hxxp://www.hpphoto.com/downloads/DownloadPhotos.cab
DPF: {CECFDB95-B6F6-4A7F-A5AA-E3AD8C95BC75} - hxxp://www.topmoxie.com/external/builds/igive/igiv600.cab
FF - ProfilePath - c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\5xwa0t3z.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-WorkFlow - d:\install\WorkFlow.exe
HKLM-Run-QuickenSEMessage - c:\qwse\QSEMSG.EXE
HKLM-Run-PrinTray - c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
HKLM-Run-iGiveShoppingWindow0 - c:\program files\iGive_ShoppingWindow\iGiveShoppingWindow0.exe
HKLM-Run-CSV7P91 - c:\program files\CSBB\CSV7P91.exe
HKLM-Run-BillMinder - c:\qwse\BILLMIND.EXE
Notify-msldr32 - msldr32.dll
AddRemove-Excel - c:\program files\Microsoft Office\Office\Setup\AcmeXl.exe
AddRemove-Quicken SE 6 - c:\qwse\DeIsL1.isu
AddRemove-Windows SR 2.0 - c:\windows\UnstSA2.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-01 16:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Dell|Alert = c:\program files\Dell\Support\Alert\bin\DAMon.exe?p?o?r?t?\?A?l?e?r?t?\?b?i?n?\?D?A?M?o?n?.?e?x?e???????????x:??????x???????X???????????????P????(?w'(?w????????????(???s??????w????????????0????$?w7(?w?o?wS??w???w????????????X*@?????????X????????%@?e?????
  Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???????????????? C?????Disc Detector?B???A???????A?? ????B???@?$?@?? C?????U?@?????????@?B???A???????A?0?????B???@?????P???$?@?? UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - FDDA79499C8CD582D4352BB13D8F6971

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 May 2013 - 04:47 PM


Hello Marcel85


These are the programs I would like you to run next. If you have any problems with one of these, just skip it and move on to the next one.


-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double-click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32-bit or RogueKiller for 64-bit.
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
    • For Windows XP, double-click to start.
    • Wait until the Prescan has finished ...
    • Then click on the "Scan" button.
    • Wait until the Status box shows "Scan Finished".
    • Click on "Delete".
    • Wait until the Status box shows "Deleting Finished".
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop.
    • Exit/Close RogueKiller.
Gringo

#15 Marcel85

Marcel85
  • Topic Starter

  • Members
  • 16 posts

Posted 01 May 2013 - 07:01 PM

Here are the reports.  -M

# AdwCleaner v2.300 - Logfile created 05/01/2013 at 19:40:34
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : M - D136XM11
# Boot Mode : Normal
# Running from : C:\Documents and Settings\M\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6000.17023

[OK] Registry is clean.

-\\ Mozilla Firefox v2.0.0.11 (en-US)

*************************

AdwCleaner[S1].txt - [2516 octets] - [01/05/2013 09:22:09]
AdwCleaner[S2].txt - [623 octets] - [01/05/2013 19:40:34]

########## EOF - C:\AdwCleaner[S2].txt - [682 octets] ##########

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : M [Admin rights]
Mode : Remove -- Date : 05/01/2013 19:54:26
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[19] : NtAssignProcessToJobObject @ 0x805A253D -> HOOKED (Unknown @ 0x82E05C90)
SSDT[57] : NtDebugActiveProcess @ 0x8065B541 -> HOOKED (Unknown @ 0x82E06200)
SSDT[68] : NtDuplicateObject @ 0x805717C5 -> HOOKED (Unknown @ 0x82E062F0)
SSDT[122] : NtOpenProcess @ 0x805719AC -> HOOKED (Unknown @ 0x82E05590)
SSDT[128] : NtOpenThread @ 0x8058E5C4 -> HOOKED (Unknown @ 0x82E05800)
SSDT[137] : NtProtectVirtualMemory @ 0x80571E96 -> HOOKED (Unknown @ 0x82E05FD0)
SSDT[180] : NtQueueApcThread @ 0x8058A487 -> HOOKED (Unknown @ 0x82E060E0)
SSDT[213] : NtSetContextThread @ 0x8062E057 -> HOOKED (Unknown @ 0x82E05EC0)
SSDT[229] : NtSetInformationThread @ 0x80575756 -> HOOKED (Unknown @ 0x82E05D90)
SSDT[237] : NtSetSecurityObject @ 0x8059B1F3 -> HOOKED (Unknown @ 0x82E02DA0)
SSDT[253] : NtSuspendProcess @ 0x8062FC39 -> HOOKED (Unknown @ 0x82E05B90)
SSDT[254] : NtSuspendThread @ 0x805E053E -> HOOKED (Unknown @ 0x82E05A80)
SSDT[257] : NtTerminateProcess @ 0x805824CC -> HOOKED (Unknown @ 0x82E056E0)
SSDT[258] : NtTerminateThread @ 0x8057BA6F -> HOOKED (Unknown @ 0x82E05A50)
SSDT[277] : NtWriteVirtualMemory @ 0x8057E60A -> HOOKED (Unknown @ 0x82E066D0)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x8342D290)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800BB-75CAA0 +++++
--- User ---
[MBR] 927e178c5999ece1f554075f11d10f6b
[BSP] f49cae14d8b91b005dff84b1f6d8852f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 31 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 64260 | Size: 76253 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4]_D_05012013_02d1954.txt >>
RKreport[1]_S_05012013_02d0712.txt ; RKreport[2]_D_05012013_02d0716.txt ; RKreport[3]_S_05012013_02d1953.txt ; RKreport[4]_D_05012013_02d1954.txt