
Computer is infected with The United States Department of Justice virus


This topic is locked
48 replies to this topic

#1 WILD RACING
  • Members
  • 237 posts
  • Gender:Male

Posted 12 May 2013 - 01:19 PM

My desktop, a Compaq Presario running XP w/ SP3, recently became infected with this virus.

[screenshot: department-of-justice-virus.jpg]

I googled it to see if I could take care of it myself, but all the info I got said to boot in safe mode with command prompt or boot in safe mode with networking.

I can not boot into any safe mode whatsoever. It either goes into a repeating endless boot cycle or starts to boot and then locks on the screen above.

I am able to press the F8 key, select the last "known settings everything worked" and have about a minute of work time before the virus locks me up again.

During one of those attempts, I tried running RKill to stop the virus so that I could get to a point where I could try to get rid of it, but it still locked up on me.


#2 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 May 2013 - 01:27 PM


Hello

Let's see if we can get this to run:
  • Download OTLPE from either location and save it to your desktop:

    http://oldtimer.geekstogo.com/OTLPEStd.exe
    http://ottools.noahdfear.net/OTLPEStd.exe
  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPE ISO to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click imgbrn.png to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first

    Note: For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press "OK"
  • OTL should now start.
  • Push runscanbutton.png
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your next reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
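Once C:\OTL.txt is in hand, the part of the log a responder usually triages first is the O4 section, which lists the Run keys and Startup items that launch at logon. The Python helper below is an added example written for this page; it is not part of OTL and not anything gringo_pr posted. The sample lines are constructed to match OTL's O4 line format, and the four flagging rules (Run value pointing at a file that no longer exists, executable in a user-writable data directory, no company name in the file's version info, digit-heavy value name) are rule-of-thumb assumptions for a first pass, not OTL behaviour; a flag is a reason to look closer, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: six O4 Run-key lines modelled on the OTL log format used in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM..\Run: [AVG_UI] C:\Program Files\AVG\AVG2013\avgui.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DisplaySwitch] C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe (Hilgraeve, Inc.)
O4 - HKLM..\Run: [KernelFaultCheck]  File not found
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKU\Owner_ON_C..\Run: [jI28300PlGaG28300]  File not found
O4 - HKU\Owner_ON_C..\Run: [AOL Fast Start] C:\Program Files\AOL Desktop 9.6\AOL.EXE (AOL Inc.)
""".strip().splitlines()

# Line shape: "O4 - <hive>..\Run: [<value name>] <target>", where <target> is either
# a path followed by the file's company name in parentheses, or the text "File not found".
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<rest>.*)$")
TARGET_RE = re.compile(r"^(?P<path>.+?) \((?P<company>[^)]*)\)$")

# Directories an ordinary user can write to; legitimate autoruns rarely live here (assumed heuristic).
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class AutorunEntry:
    hive: str
    name: str
    path: Optional[str]       # None when OTL reported "File not found"
    company: Optional[str]    # "" when the file has no company name in its version info
    flags: List[str] = field(default_factory=list)


def parse_o4_line(line: str) -> Optional[AutorunEntry]:
    """Parse one O4 Run line; returns None for lines that are not O4 Run entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest == "File not found":
        return AutorunEntry(m.group("hive"), m.group("name"), None, None)
    t = TARGET_RE.match(rest)
    if not t:
        return None
    return AutorunEntry(m.group("hive"), m.group("name"), t.group("path"), t.group("company"))


def triage_autoruns(lines) -> List[AutorunEntry]:
    """Return the O4 entries that trip at least one triage rule, with the reasons attached."""
    flagged = []
    for line in lines:
        entry = parse_o4_line(line)
        if entry is None:
            continue
        if entry.path is None:
            entry.flags.append("dead entry: Run value points at a file that no longer exists")
        else:
            if any(marker in entry.path.lower() for marker in USER_WRITABLE_MARKERS):
                entry.flags.append("executable lives in a user-writable data directory")
            if entry.company == "":
                entry.flags.append("file carries no company name in its version info")
        # Value names like jI28300PlGaG28300 in the posted log: mixed case with many digits (assumed heuristic).
        if sum(ch.isdigit() for ch in entry.name) >= 4:
            entry.flags.append("random-looking value name")
        if entry.flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; four of the six lines get flagged.
    for e in triage_autoruns(SAMPLE_O4_LINES):
        print(f"{e.hive}\\Run [{e.name}] -> {e.path or 'File not found'}")
        for reason in e.flags:
            print("    -", reason)
```

On the constructed sample the helper flags DisplaySwitch (runs from All Users\Application Data), KernelFaultCheck and jI28300PlGaG28300 (both point at files that no longer exist, the latter also for its digit-heavy name) and Recguard (no company name), while the AVG and AOL entries pass. A dead entry is the pattern a lockscreen leaves behind once its payload has been deleted or quarantined but its Run value has not, which is why it is worth listing even though nothing executes from it any more.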

#3 WILD RACING
  • Topic Starter
  • Members
  • 237 posts
  • Gender:Male

Posted 12 May 2013 - 02:01 PM

The instructions in your link do not match what I am seeing, or I'm doing something wrong.

I pressed the Delete key and nothing happened. I retried using F8 and did not see anything that said enter BIOS.

Should I have hit the F1 key to enter setup?



#4 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 May 2013 - 05:04 PM

There is more than one way to enter the boot menu on that page. You need to see which one will work for you.




gringo

#5 WILD RACING
  • Topic Starter
  • Members
  • 237 posts
  • Gender:Male

Posted 12 May 2013 - 05:56 PM

Got it.

Here's the report:

OTL logfile created on: 5/12/2013 7:45:18 PM - Run
OTLPE by OldTimer - Version 3.1.48.0     Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 107.72 Gb Total Space | 11.66 Gb Free Space | 10.83% Space Free | Partition Type: NTFS
Drive I: | 4.07 Gb Total Space | 0.66 Gb Free Space | 16.30% Space Free | Partition Type: FAT32
Drive X: | 284.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet004
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [Disabled] --  -- (HidServ)
SRV - File not found [On_Demand] --  -- (AppMgmt)
SRV - [2013/05/02 12:46:28 | 000,990,896 | ---- | M] () [Auto] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.0.1\ToolbarUpdater.exe -- (vToolbarUpdater15.0.1)
SRV - [2013/03/13 06:20:44 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/03/10 08:27:56 | 000,170,912 | ---- | M] (Oracle Corporation) [Auto] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/11/16 00:34:30 | 005,814,904 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG2013\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2012/10/22 14:05:08 | 000,196,664 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto] -- C:\Program Files\AVG\AVG2013\avgwdsvc.exe -- (avgwd)
SRV - [2010/07/13 17:34:23 | 000,042,312 | R--- | M] (AOL Inc.) [Auto] -- C:\Program Files\Common Files\AOL\ACS\acsd.exe -- (AOL ACS)
SRV - [2003/11/03 23:47:08 | 000,053,248 | ---- | M] (GEAR Software) [Auto] -- C:\WINDOWS\system32\gearsec.exe -- (GEARSecurity)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] --  -- (PDCOMP)
DRV - File not found [Kernel | System] --  -- (PCIDump)
DRV - File not found [Kernel | Auto] --  -- (mrtRate)
DRV - File not found [Kernel | Auto] --  -- (MCSTRM)
DRV - File not found [Kernel | System] --  -- (lbrtfdc)
DRV - File not found [Kernel | System] --  -- (i2omgmt)
DRV - File not found [Kernel | System] --  -- (Changer)
DRV - File not found [Kernel | Auto] --  -- (5613)
DRV - [2013/05/02 12:46:29 | 000,033,624 | ---- | M] (AVG Technologies) [Kernel | System] -- C:\WINDOWS\system32\drivers\avgtpx86.sys -- (avgtp)
DRV - [2012/11/16 00:33:26 | 000,094,048 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2012/10/22 14:02:46 | 000,179,936 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | System] -- C:\WINDOWS\system32\drivers\avgidsdriverx.sys -- (AVGIDSDriver)
DRV - [2012/10/15 04:48:52 | 000,055,776 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\avgidshx.sys -- (AVGIDSHX)
DRV - [2012/10/02 04:30:38 | 000,159,712 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2012/09/21 04:46:06 | 000,164,832 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2012/09/21 04:46:00 | 000,177,376 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\avglogx.sys -- (Avglogx)
DRV - [2012/09/21 04:45:54 | 000,019,936 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | System] -- C:\WINDOWS\system32\drivers\avgidsshimx.sys -- (AVGIDSShim)
DRV - [2012/09/14 04:05:20 | 000,035,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/12/14 10:44:00 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
DRV - [2004/10/07 21:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/10/01 11:24:02 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/06/29 10:07:18 | 001,268,204 | ---- | M] (Agere Systems) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/01/03 00:05:48 | 000,011,520 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2004/01/02 23:20:40 | 000,432,000 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2003/12/12 10:54:14 | 000,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/12/02 22:23:20 | 000,142,336 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\Fasttx2k.sys -- (fasttx2k)
DRV - [2003/07/18 20:58:20 | 000,036,992 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SISAGPX.SYS -- (SISAGP)
DRV - [2003/07/02 15:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\VIAAGP1.SYS -- (viaagp1)
DRV - [2003/01/10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/10/04 21:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation       ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2002/07/30 01:43:50 | 000,023,808 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Administrator.YOUR-2S4KN5K0H3_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Administrator.YOUR-2S4KN5K0H3_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost
 
IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/webhp?sourceid=navclient&ie=UTF-8
IE - HKU\Owner_ON_C\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost
 
 
FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\15.0.1\\npsitesafety.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\WINDOWS\system32\npdeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.10.835: C:\Program Files\real\realone player\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.1136: C:\Program Files\real\realone player\Netscape6\nprjplug.dll (RealNetworks)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.11.847: C:\Program Files\real\realone player\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\avg@toolbar: C:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar\FireFoxExt\15.0.1.2 [2013/05/02 12:46:59 | 000,000,000 | ---D | M]
 
[2010/02/05 20:04:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
 
O1 HOSTS File: ([2013/03/27 07:59:44 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  File not found
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (AVG SafeGuard toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG SafeGuard toolbar\15.0.1.2\AVG SafeGuard toolbar_toolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
O3 - HKLM\..\Toolbar: (AVG SafeGuard toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG SafeGuard toolbar\15.0.1.2\AVG SafeGuard toolbar_toolbar.dll ()
O3 - HKU\Owner_ON_C\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\Owner_ON_C\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [AVG_UI] C:\Program Files\AVG\AVG2013\avgui.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DisplaySwitch] C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe (Hilgraeve, Inc.)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1323826574\ee\aolsoftware.exe (AOL Inc.)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)
O4 - HKLM..\Run: [KernelFaultCheck]  File not found
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE (Hewlett-Packard Company)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG SafeGuard toolbar\vprot.exe ()
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKU\Owner_ON_C..\Run: [AOL Fast Start] C:\Program Files\AOL Desktop 9.6\AOL.EXE (AOL Inc.)
O4 - HKU\Owner_ON_C..\Run: [jI28300PlGaG28300]  File not found
O4 - HKU\Owner_ON_C..\Run: [ROC_ROC_APR2013_AV]  File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk =  File not found
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe (Sierra Imaging)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Administrator.YOUR-2S4KN5K0H3_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 -  File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 -  File not found
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1308666897682 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab (Java Plug-in 1.4.2_03)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.233.214.34 64.233.214.41 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  File not found
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\15.0.1\ViProtocol.dll ()
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\TPSvc: DllName - TPSvc.dll -  File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\welcome.htm
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\welcome.htm
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/02 15:55:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 14:07:38 | 000,000,000 | -HS- | M] () - I:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2002/09/10 11:02:32 | 000,000,045 | -HS- | M] () - I:\Autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\Info.exe folder.htt 480 480
O33 - MountPoints2\K\Shell - "" = AutoRun
O33 - MountPoints2\K\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2013\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG2013\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/05/10 09:30:20 | 000,126,464 | ---- | C] (Hilgraeve, Inc.) -- C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
[2013/05/02 12:47:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\AVG SafeGuard toolbar
[2013/05/02 12:47:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AVG SafeGuard toolbar
[2013/05/02 12:47:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2013/05/02 12:46:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar
[2013/05/02 12:46:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AVG SafeGuard toolbar
[2013/05/02 12:46:50 | 000,033,624 | ---- | C] (AVG Technologies) -- C:\WINDOWS\System32\drivers\avgtpx86.sys
[2013/05/02 12:46:46 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVG Secure Search
[2013/05/02 12:46:44 | 000,000,000 | ---D | C] -- C:\Program Files\AVG SafeGuard toolbar
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/05/12 18:35:23 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/05/12 18:35:20 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3473630101-1423858036-2459947828-1003.job
[2013/05/12 18:35:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/05/12 18:35:04 | 2079,903,744 | -HS- | M] () -- C:\hiberfil.sys
[2013/05/12 15:00:37 | 000,000,249 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2013/05/12 14:59:59 | 000,068,697 | ---- | M] () -- C:\VETlog.dmp
[2013/05/12 14:54:26 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/05/10 10:34:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/05/10 09:40:46 | 002,250,054 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/05/10 09:40:31 | 000,350,795 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2013/05/10 09:30:14 | 000,126,464 | ---- | M] (Hilgraeve, Inc.) -- C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
[2013/05/10 09:20:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/05/08 17:56:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/05/05 00:44:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3473630101-1423858036-2459947828-1003.job
[2013/05/02 12:46:29 | 000,033,624 | ---- | M] (AVG Technologies) -- C:\WINDOWS\System32\drivers\avgtpx86.sys
[2013/04/16 10:15:56 | 000,035,328 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/05/10 09:40:46 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/05/10 09:40:26 | 000,350,795 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2012/06/24 07:09:20 | 000,033,758 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\dt.dat
[2012/02/27 18:05:27 | 000,006,371 | R--- | C] () -- C:\WINDOWS\System32\hphmon05.dat
[2012/02/27 18:04:28 | 000,018,283 | ---- | C] () -- C:\WINDOWS\HPHins01.dat
[2012/02/27 18:04:28 | 000,004,284 | ---- | C] () -- C:\WINDOWS\hphmdl01.dat
[2012/02/27 17:42:02 | 000,018,283 | ---- | C] () -- C:\WINDOWS\HPHins01.dat.temp
[2012/02/27 17:42:02 | 000,004,284 | ---- | C] () -- C:\WINDOWS\hphmdl01.dat.temp
[2012/02/15 09:16:30 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/14 17:46:17 | 000,002,154 | ---- | C] () -- C:\WINDOWS\System32\mshrml.ini
[2011/12/14 17:46:16 | 000,002,154 | ---- | C] () -- C:\WINDOWS\System32\ssmute.ini
[2011/12/14 17:45:12 | 000,001,177 | ---- | C] () -- C:\WINDOWS\System32\imbrmute.ini
[2011/12/14 13:10:20 | 000,014,782 | ---- | C] () -- C:\Documents and Settings\Administrator.YOUR-2S4KN5K0H3\ml2.srt
[2011/12/14 13:10:20 | 000,014,724 | ---- | C] () -- C:\Documents and Settings\Administrator.YOUR-2S4KN5K0H3\ml1.srt
[2011/12/14 13:10:20 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Administrator.YOUR-2S4KN5K0H3\Local Settings\Application Data\fusioncache.dat
[2011/12/13 19:49:35 | 000,000,129 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/06/15 13:51:37 | 000,014,782 | ---- | C] () -- C:\WINDOWS\system32\config\systemprofile\ml2.srt
[2011/06/15 13:51:37 | 000,014,724 | ---- | C] () -- C:\WINDOWS\system32\config\systemprofile\ml1.srt
[2011/06/15 07:53:28 | 000,008,640 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\wj73ryb4p5v0ai21vn5w8ao7it11a40u14
[2011/06/13 08:06:55 | 000,015,672 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\wj73ryb4p5v0ai21vn5w8ao7it11a40u14
[2011/06/13 07:54:42 | 000,015,672 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\wj73ryb4p5v0ai21vn5w8ao7it11a40u14
[2011/06/13 07:54:42 | 000,001,510 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\wj73ryb4p5v0ai21vn5w8ao7it11a40u14
[2010/10/30 10:55:00 | 000,000,035 | ---- | C] () -- C:\WINDOWS\Ulead32.INI
[2010/09/24 17:28:55 | 000,019,791 | ---- | C] () -- C:\WINDOWS\HPHins02.dat
[2010/09/24 17:28:55 | 000,004,284 | ---- | C] () -- C:\WINDOWS\hphmdl02.dat
[2010/08/31 19:23:52 | 000,000,235 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\devices.xml
[2010/08/31 19:23:52 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\settings.xml
[2010/08/31 14:49:34 | 000,000,008 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2010/08/08 11:37:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Exocexiv.bin
[2010/08/08 11:37:27 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Yqexiger.dat
[2009/01/15 09:58:12 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\54DBA6
[2009/01/15 09:58:11 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\mcs.rma
[2008/04/24 17:28:56 | 000,002,187 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/04/16 18:18:50 | 000,000,035 | ---- | C] () -- C:\WINDOWS\marscam.ini
[2008/04/16 18:07:34 | 000,015,164 | ---- | C] () -- C:\WINDOWS\mr310twc.ini
[2007/03/08 12:10:21 | 000,000,162 | ---- | C] () -- C:\WINDOWS\TTutor7.ini
[2006/04/23 09:55:46 | 000,000,302 | ---- | C] () -- C:\WINDOWS\EReg515.dat
[2006/04/23 09:54:58 | 000,001,176 | ---- | C] () -- C:\WINDOWS\disney.ini
[2005/02/24 02:00:53 | 000,000,841 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/01/13 15:04:35 | 000,000,523 | ---- | C] () -- C:\Documents and Settings\Owner\Q584361.exe
[2004/12/16 15:43:27 | 000,035,328 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/12/01 01:38:39 | 000,000,229 | ---- | C] () -- C:\WINDOWS\upst.ini
[2004/12/01 01:38:39 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2004/10/16 21:13:09 | 000,000,023 | ---- | C] () -- C:\WINDOWS\Kyor.ini
[2004/10/01 20:36:25 | 000,000,113 | ---- | C] () -- C:\WINDOWS\CRIBBAGE.INI
[2004/10/01 14:35:57 | 000,189,952 | ---- | C] () -- C:\WINDOWS\Qcard32.dll
[2004/09/30 22:37:11 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/09/17 18:37:42 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2004/08/02 15:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/04/13 12:50:22 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/04/13 12:50:21 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/04/13 12:49:12 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/04/13 12:48:48 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/04/13 12:19:52 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/04/13 12:19:52 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/04/13 12:19:49 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/04/13 12:19:43 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/04/13 12:19:38 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/04/03 02:35:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/04/03 02:35:48 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/04/02 22:57:39 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/02 19:06:34 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/04/02 19:03:06 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/04/02 18:51:16 | 000,090,112 | R--- | C] () -- C:\WINDOWS\bwUnin-6.2.3.66L.exe
[2004/04/02 18:47:59 | 000,027,754 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/04/02 18:47:19 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2004/04/02 18:31:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/04/02 18:22:10 | 000,000,907 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/04/02 17:40:20 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/04/02 17:33:05 | 000,001,040 | ---- | C] () -- C:\WINDOWS\System32\drivers\alcxinit.dat
[2004/04/02 17:29:05 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\sis760.bin
[2004/04/02 17:29:05 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\sis741.bin
[2004/04/02 17:29:05 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\sis660.bin
[2004/04/02 17:04:42 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/02 16:54:44 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/04/02 16:54:44 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/04/02 16:54:16 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/04/02 16:51:49 | 000,014,782 | ---- | C] () -- C:\Documents and Settings\Owner\ml2.srt
[2004/04/02 16:51:49 | 000,014,724 | ---- | C] () -- C:\Documents and Settings\Owner\ml1.srt
[2004/04/02 15:59:40 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/04/02 15:57:46 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/04/02 15:52:13 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/04/02 14:42:06 | 000,000,553 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/04/02 14:41:32 | 000,381,692 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/04/02 14:41:32 | 000,053,436 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/04/02 07:46:51 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/04/02 07:45:51 | 000,146,808 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/01/08 02:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
 
========== LOP Check ==========
 
[2012/12/20 18:08:15 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\AVG2013
[2013/05/02 12:46:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\AVG SafeGuard toolbar
[2013/05/02 12:47:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG SafeGuard toolbar
[2010/11/30 08:53:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG10
[2012/12/20 18:10:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG2013
[2004/10/28 01:57:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterMute
[2005/03/24 10:39:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2008/09/05 20:23:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PhotoParade
[2012/01/24 14:41:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2007/03/28 16:59:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2012/12/20 18:07:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\TuneUp Software
[2010/08/31 16:26:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2007/02/15 21:03:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Viewpoint
[2013/01/21 09:20:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG January 2013 Campaign
[2013/05/02 12:47:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar
[2013/05/02 12:47:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2011/12/13 21:25:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2012/12/20 18:08:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2013
[2011/12/13 21:25:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2012/02/28 15:48:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco Systems
[2010/11/30 08:50:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/03/15 00:52:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eEhAiCk06504
[2011/02/18 01:30:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\hNkMlLd06510
[2011/03/10 23:37:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iNmPaPg06504
[2011/12/14 17:23:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\jI28300PlGaG28300
[2013/05/10 08:31:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2008/05/18 23:55:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2011/12/18 07:38:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegCure
[2011/12/14 17:32:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/12/13 21:25:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2013/03/15 01:00:00 | 000,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2013/03/01 02:00:00 | 000,000,332 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Owner\My Documents\laser:SummaryInformation
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
 



#6 gringo_pr (Malware Response Team)

Posted 12 May 2013 - 06:02 PM


Hello WILD RACING

I would like you to run this custom script for me now, and when it is complete, please give me the report and a status update for the computer.

Run OTL Script
  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the Custom Scans/Fixes text box.
    :OTL
    O4 - HKLM..\Run: [DisplaySwitch] C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe (Hilgraeve, Inc.)
    [2013/05/10 09:30:20 | 000,126,464 | ---- | C] (Hilgraeve, Inc.) -- C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
    [2013/05/10 09:40:46 | 002,250,054 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
    [2013/05/10 09:40:31 | 000,350,795 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
    [2013/05/10 09:30:14 | 000,126,464 | ---- | M] (Hilgraeve, Inc.) -- C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe
    [2011/06/15 07:53:28 | 000,008,640 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\wj73ryb4p5v0ai21vn5w8ao7it11a40u14
    [2011/06/13 08:06:55 | 000,015,672 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\wj73ryb4p5v0ai21vn5w8ao7it11a40u14
    [2011/06/13 07:54:42 | 000,015,672 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\wj73ryb4p5v0ai21vn5w8ao7it11a40u14
    [2011/06/13 07:54:42 | 000,001,510 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\wj73ryb4p5v0ai21vn5w8ao7it11a40u14
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

    Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.


Let me know How things are doing

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
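The fix above removes one HKLM Run value and the executable it launches from All Users\Application Data, which is the usual shape of this kind of lock-screen persistence: a machine-wide autorun pointing into a directory any user can write to. As an added example, not part of this thread and not OTL's own code, here is a small Python triage script that parses OTL's O4 lines, flags autoruns that launch from user-writable directories, carry no publisher information or have random-looking names, and renders the hits in the :OTL fix syntax used in the post. The first sample line is the one quoted in the fix; the other three sample lines, the directory list, the allow-listed extensions and the thresholds are constructed assumptions, not data from this machine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input. The first line is the O4 entry quoted in the OTL fix
# above; the other three are made-up entries for contrast (one benign HKLM entry,
# one benign HKCU entry, one with a random-looking name in a user profile).
SAMPLE_OTL_LINES = [
    r"O4 - HKLM..\Run: [DisplaySwitch] C:\Documents and Settings\All Users\Application Data\DisplaySwitch.exe (Hilgraeve, Inc.)",
    r"O4 - HKLM..\Run: [AVG_UI] C:\Program Files\AVG\AVG2013\avgui.exe (AVG Technologies CZ, s.r.o.)",
    r"O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)",
    r"O4 - HKLM..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Application Data\wj73ryb4p5v0ai21vn5w8ao7it11a40u14.exe ()",
]

# Windows XP directories that a non-admin user (and therefore malware running as
# that user) can write to. A Run entry pointing here is not proof of infection,
# but it is where the lock screen and the adware in this thread were dropped.
# Assumed list; extend for other profile layouts.
USER_WRITABLE_PATTERNS = [
    r"\\all users\\application data\\",
    r"\\local settings\\application data\\",
    r"\\application data\\",
    r"\\local settings\\temp\\",
    r"\\temp\\",
]

# OTL's O4 line: "O4 - <hive>..\<key>: [<value name>] <path> (<publisher>)".
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?\.(?:exe|dll|scr|bat|cmd|vbs|js))"
    r"(?: \((?P<publisher>[^)]*)\))?\s*$",
    re.IGNORECASE,
)


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one OTL O4 line into hive, key, value name, path and publisher."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["publisher"] = entry["publisher"] or ""
    entry["raw"] = line.strip()
    return entry


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Heuristics a triager applies to an autorun entry; returns the reasons that fire."""
    reasons = []
    path = entry["path"].lower()
    if any(re.search(p, path) for p in USER_WRITABLE_PATTERNS):
        reasons.append("runs from user-writable directory")
    if not entry["publisher"]:
        reasons.append("binary carries no publisher/version information")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    # Assumed threshold: long alphanumeric names with several digits look generated.
    if len(stem) >= 16 and re.fullmatch(r"[a-z0-9]+", stem) and sum(c.isdigit() for c in stem) >= 4:
        reasons.append("random-looking filename")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return the O4 entries that trip at least one heuristic, with their reasons."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def otl_fix_script(findings: List[Dict[str, object]]) -> str:
    """Render flagged entries as an :OTL fix block, the same shape as the fix posted above.
    For each listed O4 line OTL deletes the Run value and moves the file it points to
    into C:\\_OTL\\MovedFiles."""
    lines = [":OTL"] + [str(f["raw"]) for f in findings] + ["", ":Commands", "[reboot]"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_OTL_LINES)
    for f in hits:
        print(f"{f['hive']}..\\{f['key']} [{f['name']}] -> {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
    print(otl_fix_script(hits))
```

Review the hits by hand before pasting anything into OTL: a legitimate updater that installs per-user will also land in Application Data, so the directory heuristic is a prompt to look, not a verdict.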

#7 WILD RACING (Topic Starter)

Posted 12 May 2013 - 06:23 PM

Should I take the disc out first or leave it in?



#8 gringo_pr (Malware Response Team)

Posted 12 May 2013 - 06:33 PM

After you run the fix, take it out and see if it boots up.



gringo

#9 WILD RACING (Topic Starter)

Posted 12 May 2013 - 06:45 PM

Ran the fix. It asked if I wanted to reboot now.

I clicked yes.

Opened the disc drive so it would reboot normally.

It did not reboot and now appears to be unresponsive.



#10 gringo_pr (Malware Response Team)

Posted 12 May 2013 - 07:04 PM

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed, do not choose to reboot the clean computer; simply close the installer.
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive

Copy and paste the report.txt for my review

#11 WILD RACING (Topic Starter)

Posted 12 May 2013 - 07:25 PM

Well,

I formatted and downloaded everything to my flash drive.

Used the power button to manually shut down and restart the computer.

Pressing the F12 key did nothing, and the computer booted up to the normal desktop.

So I waited a few minutes to see if the virus locked it up again; so far it has not reappeared, and it seems to be functioning normally.



#12 gringo_pr (Malware Response Team)

Posted 12 May 2013 - 07:42 PM



Hello WILD RACING

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo

#13 WILD RACING (Topic Starter)

Posted 12 May 2013 - 08:22 PM

So far it's working normally.

Here are those logs:

# AdwCleaner v2.300 - Logfile created 05/12/2013 at 20:46:42
# Updated 28/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Owner - YOUR-2S4KN5K0H3
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Owner\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Common Files\AVG Secure Search
File Deleted : C:\Documents and Settings\Owner\Desktop\Free Dolphin Screensaver.lnk
File Deleted : C:\Program Files\Mozilla Firefox\.autoreg
Folder Deleted : C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\Owner\Application Data\Viewpoint
Folder Deleted : C:\Program Files\Common Files\Software Update Utility
Folder Deleted : C:\Program Files\Free Offers from Freeze.com
Folder Deleted : C:\Program Files\Viewpoint

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\Software\Viewpoint
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v [Unable to get version]

File : C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e2y34lv5.default\prefs.js

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e2y34lv5.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");

-\\ Google Chrome v26.0.1410.64

File : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.1] : icon_url ={"backup":{"homepage":true,"homepage_is_newtabpage":false,"session":{"restore_on_startup":4,"urls_to[...]

*************************

AdwCleaner[S1].txt - [6012 octets] - [12/05/2013 20:46:42]

########## EOF - C:\AdwCleaner[S1].txt - [6072 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by Owner on Sun 05/12/2013 at 20:57:01.21
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\displayswitch
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Bar
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Page
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\aol toolbar"
Successfully deleted: [Folder] "C:\Documents and Settings\Owner\Local Settings\Application Data\aol toolbar"
Successfully deleted: [Folder] "C:\Program Files\aol toolbar"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\start menu\programs\hot deals"

~~~ FireFox

Successfully deleted the following from C:\Documents and Settings\Owner\Application Data\mozilla\firefox\profiles\e2y34lv5.default\prefs.js

user_pref("browser.startup.homepage", "hxxp://mysearch.avg.com/?cid={FC2A2DFD-AD52-4D2F-8E4B-80D766ACEFCA}&mid=abdd4e668d4647d1ae71d14acce4e9e6-56990ecbcec065159d509914296e88a

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 05/12/2013 at 21:03:34.32
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
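Both logs above end by deleting Firefox user_pref lines that pointed the home page and the default search engine at a toolbar's search site. As an added example, not from this thread and not the code of AdwCleaner or JRT, here is a Python version of that check: it parses a prefs.js, reports search and homepage preferences whose target is outside an allowlist, and writes the file back without them. The prefs.js fragment is constructed from the two entries in the logs (the truncated query string is shortened to the cid parameter), and the trusted engine and host lists are assumptions for illustration, not Firefox defaults.

```python
import re
from typing import Dict, List, Union
from urllib.parse import urlparse

# Constructed prefs.js fragment modelled on the entries AdwCleaner and JRT reported
# above. The hxxp:// is the defanging JRT prints; a real prefs.js contains http://.
# The cid= GUID is copied from the JRT log; the rest of the query string is omitted.
SAMPLE_PREFS_JS = r'''# Mozilla User Preferences
user_pref("browser.startup.homepage", "hxxp://mysearch.avg.com/?cid={FC2A2DFD-AD52-4D2F-8E4B-80D766ACEFCA}");
user_pref("browser.search.defaultenginename", "AVG Secure Search");
user_pref("browser.search.selectedEngine", "AVG Secure Search");
user_pref("browser.startup.homepage_override.mstone", "20.0.1");
user_pref("network.proxy.type", 0);
'''

PREF_RE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+)\);\s*$')

# Preferences that decide where searches and the start page go (Firefox of that era).
ENGINE_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}
URL_PREFS = {"browser.startup.homepage", "browser.search.defaulturl", "keyword.URL", "browser.newtab.url"}

# Assumed allowlists: what this particular machine is expected to use. Adjust per site.
TRUSTED_ENGINES = {"Google", "Yahoo", "Bing", "DuckDuckGo"}
TRUSTED_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}

PrefValue = Union[str, int, bool]


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref(...) lines; strings keep their text, ints and booleans are converted."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        raw = m.group("value").strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value: PrefValue = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[m.group("name")] = value
    return prefs


def _host_of(url: str) -> str:
    # Logs defang URLs as hxxp(s)://; undo that so urlparse sees a real scheme.
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return (urlparse(url).hostname or "").lower()


def hijack_findings(prefs, trusted_engines=TRUSTED_ENGINES, trusted_hosts=TRUSTED_HOSTS) -> List[Dict[str, str]]:
    """Return search/homepage prefs whose value is outside the allowlists."""
    findings = []
    for name, value in prefs.items():
        if name in ENGINE_PREFS and value not in trusted_engines:
            findings.append({"pref": name, "value": str(value), "why": "search engine not on trusted list"})
        elif name in URL_PREFS and isinstance(value, str):
            if value.startswith("about:"):
                continue  # about:home / about:blank are Firefox built-ins
            host = _host_of(value)
            if host not in trusted_hosts:
                findings.append({"pref": name, "value": value, "why": f"points at untrusted host {host or '(none)'}"})
    return findings


def scrub(text: str, findings: List[Dict[str, str]]) -> str:
    """Drop the flagged user_pref lines, which is what the two tools did to this profile.
    Firefox falls back to its built-in default for any pref absent from prefs.js."""
    drop = {f["pref"] for f in findings}
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group("name") in drop:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    found = hijack_findings(parse_prefs(SAMPLE_PREFS_JS))
    for f in found:
        print(f"{f['pref']} = {f['value']!r}: {f['why']}")
    print(scrub(SAMPLE_PREFS_JS, found))
```

Run it against a copy of prefs.js with Firefox closed: Firefox rewrites the file on exit and would overwrite an edit made while it was running. A user.js in the same profile re-applies its values on every start, which is why AdwCleaner deleted that file outright.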



#14 gringo_pr (Malware Response Team)

Posted 12 May 2013 - 08:45 PM


Hello WILD RACING

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix, I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#15 WILD RACING (Topic Starter)

Posted 12 May 2013 - 10:14 PM

That took a while, LOL.

Here ya go...

ComboFix 13-05-12.01 - Owner 05/12/2013  22:40:48.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1983.1549 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG update module *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Owner\Application Data\54DBA6
c:\documents and settings\Owner\Local Settings\Application Data\{0D190FC4-B7B3-43BB-B716-4CB99EC4E842}
c:\documents and settings\Owner\Local Settings\Application Data\{0D190FC4-B7B3-43BB-B716-4CB99EC4E842}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{0D190FC4-B7B3-43BB-B716-4CB99EC4E842}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{0D190FC4-B7B3-43BB-B716-4CB99EC4E842}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{0D190FC4-B7B3-43BB-B716-4CB99EC4E842}\install.rdf
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\server.dat
c:\windows\$NtUninstallKB13342$
c:\windows\$NtUninstallKB13342$\1645172241\Desktop.ini
c:\windows\$NtUninstallKB13342$\1645172241\L\bmqngfbm
c:\windows\$NtUninstallKB13342$\4061293656
c:\windows\help\wmplayer.bak
c:\windows\system\olepro32.dll
c:\windows\system\Stdole2.tlb
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\ps2.bat
c:\windows\system32\SET618.tmp
c:\windows\system32\SET61C.tmp
c:\windows\system32\SET624.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\system32\wpcap.dll
D:\Autorun.inf
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-13 to 2013-05-13  )))))))))))))))))))))))))))))))
.
.
2013-05-13 00:56 . 2013-05-13 00:56 -------- d-----w- c:\windows\ERUNT
2013-05-13 00:56 . 2013-05-13 00:56 -------- d-----w- C:\JRT
2013-05-13 00:35 . 2011-07-13 02:55 2237440 ----a-r- C:\OTLPE.exe
2013-05-13 00:33 . 2013-05-13 00:33 -------- d-----w- C:\_OTL
2013-05-02 16:47 . 2013-05-02 16:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AVG SafeGuard toolbar
2013-05-02 16:47 . 2013-05-02 16:47 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG SafeGuard toolbar
2013-05-02 16:46 . 2013-05-02 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar
2013-05-02 16:46 . 2013-05-02 16:46 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVG SafeGuard toolbar
2013-05-02 16:46 . 2013-05-02 16:46 33624 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-05-02 16:46 . 2013-05-02 16:46 -------- d-----w- c:\program files\AVG SafeGuard toolbar
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-20 12:56 . 2013-03-20 12:56 1409 ----a-w- c:\windows\QTFont.for
2013-03-13 10:20 . 2012-04-04 23:30 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-13 10:20 . 2011-12-14 02:51 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 10:20 . 2013-03-13 10:20 15859416 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-03-10 12:27 . 2013-03-10 12:28 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-10 12:27 . 2013-03-10 12:28 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-10 12:27 . 2012-12-07 20:44 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-10 12:27 . 2011-12-14 01:57 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-08 08:36 . 2004-04-02 18:41 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2004-04-02 18:41 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2002-08-29 08:04 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 02:06 . 2011-06-20 14:10 916480 ----a-w- c:\windows\system32\wininet.dll
2013-03-02 02:06 . 2004-04-13 16:50 43520 ------w- c:\windows\system32\licmgr10.dll
2013-03-02 02:06 . 2004-04-13 16:49 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-03-02 01:25 . 2004-04-02 18:41 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-03-02 01:08 . 2011-12-13 22:52 385024 ------w- c:\windows\system32\html.iec
2013-02-27 07:56 . 2004-04-13 16:19 2067456 ----a-w- c:\windows\system32\mstscax.dll
2004-12-13 05:42 . 2004-11-16 12:50 4 ----a-w- c:\program files\index.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-11 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-04-02 151597]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-17 229376]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"VTTimer"="VTTimer.exe" [2004-01-16 49152]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"HostManager"="c:\program files\Common Files\AOL\1323826574\ee\AOLSoftware.exe" [2010-03-08 41800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-02 98304]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-08-20 483328]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2012-12-11 3147384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
IMStart.lnk - c:\program files\InterMute\IMStart.exe [N/A]
QuickLink.lnk - c:\program files\PhotoWise\quicklnk.exe [2005-3-28 104960]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-4-2 16384]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2010-9-24 344064]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 57344]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1323826574\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 4:46 AM 177376]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 7:30 AM 35552]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 179936]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 19936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 7:23 AM 159712]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 2:14 AM 164832]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [5/2/2013 12:46 PM 33624]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [10/22/2012 2:05 PM 196664]
S2 5613;5613;\??\c:\docume~1\Owner\LOCALS~1\Temp\5613.sys --> c:\docume~1\Owner\LOCALS~1\Temp\5613.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [11/16/2012 12:34 AM 5814904]
S2 mrtRate;mrtRate; [x]
S2 vToolbarUpdater15.0.1;vToolbarUpdater15.0.1;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.0.1\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.0.1\ToolbarUpdater.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-10 18:29 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 10:20]
.
2013-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
2013-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:12]
.
2013-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:12]
.
2013-01-23 c:\windows\Tasks\HP DArC Task 2003-12-22 03:05ewlett-Packard-2002003-12-22 12:38N3CH3C1NDI5.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-12-22 12:38]
.
2013-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-14 16:22]
.
2013-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-14 16:22]
.
2013-05-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3473630101-1423858036-2459947828-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2013-05-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3473630101-1423858036-2459947828-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2004-04-03 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-04-03 08:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.233.214.34 64.233.214.41 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-jI28300PlGaG28300 - c:\documents and settings\All Users\Application Data\jI28300PlGaG28300\jI28300PlGaG28300.exe
HKCU-Run-ROC_ROC_APR2013_AV - c:\documents and settings\Owner\Application Data\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe
Notify-TPSvc - TPSvc.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-12 22:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1088)
c:\windows\system32\WININET.dll
c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2013\avgrsx.exe
c:\program files\AVG\AVG2013\avgcsrvx.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\windows\System32\gearsec.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\VTTimer.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
c:\program files\AVG\AVG2013\avgnsx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-05-12  23:01:05 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-13 03:01
ComboFix2.txt  2007-11-12 15:29
.
Pre-Run: 14,158,360,576 bytes free
Post-Run: 14,106,148,864 bytes free
.
- - End Of File - - 15C7F136A98885182F282285CC691109
So far everything is still OK
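Read by eye, the entries in the log above that matter most are the `5613` driver service whose image sits in the user's Temp folder, the `IadHide4.dll` loaded into explorer.exe from that same folder, the `AntiVirusOverride` flag under Security Center, the disabled firewall in the standard profile, and the orphaned `jI28300PlGaG28300` Run value that ComboFix removed. The script below is an added example, not part of the original post and not ComboFix's own logic; it applies those same checks to ComboFix-style lines so the review is repeatable. The sample log is constructed and modeled on the posted one, and the "run of four or more digits" name heuristic is an assumption made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modeled on the ComboFix log posted above: a benign Run
# value, the Security Center and firewall keys, a Startup-folder shortcut with a
# missing target, an AVG driver beside the Temp-resident "5613" service, the
# orphaned HKCU Run value, and the DLLs listed under explorer.exe.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
IMStart.lnk - c:\program files\InterMute\IMStart.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 4:46 AM 177376]
S2 5613;5613;\??\c:\docume~1\Owner\LOCALS~1\Temp\5613.sys --> c:\docume~1\Owner\LOCALS~1\Temp\5613.sys [?]
S2 mrtRate;mrtRate; [x]
.
HKCU-Run-jI28300PlGaG28300 - c:\documents and settings\All Users\Application Data\jI28300PlGaG28300\jI28300PlGaG28300.exe
.
- - - - - - - > 'explorer.exe'(1088)
c:\windows\system32\WININET.dll
c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
.
"""

# Persistent autostarts should rarely point into per-user temp or application-data
# directories (8.3 short names included, since ComboFix prints them that way).
USER_WRITABLE = re.compile(r"\\(temp|locals~1|application data|appdata)\\", re.I)
# ComboFix marks an autostart whose target file is absent with [?], [x] or [N/A].
MISSING_FILE = re.compile(r"\[(\?|x|N/A)\]$", re.I)
# Heuristic assumed for this example, not a ComboFix rule: a name carrying a run
# of four or more digits is worth a look, not proof of anything.
RANDOMISH = re.compile(r"\d{4,}")

SECTION = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
SERVICE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")
STARTUP = re.compile(r"^(.+?\.lnk) - (.+)$")
ORPHAN = re.compile(r"^HK(?:CU|LM)-Run-(\S+) - (.+)$")
PROCESS = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    rule: str
    line: str


def _dword_nonzero(data: str) -> bool:
    m = re.match(r"dword:([0-9a-f]+)$", data.strip(), re.I)
    return bool(m) and int(m.group(1), 16) != 0


def _check_autostart(name: str, target: str, line: str, out: List[Finding]) -> None:
    """Rules shared by Run values, services, Startup-folder shortcuts and orphans."""
    if USER_WRITABLE.search(target):
        out.append(Finding("high", "autostart target under temp/application data", line))
    if MISSING_FILE.search(line):
        out.append(Finding("medium", "autostart target file missing", line))
    if RANDOMISH.search(name):
        out.append(Finding("medium", "random-looking autostart name", line))


def triage(log_text: str) -> List[Finding]:
    """Walk ComboFix-style lines and return the entries that deserve a second look."""
    findings: List[Finding] = []
    key = ""      # registry key of the current [...] block, lower-cased
    process = ""  # process whose loaded-DLL list is being read
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            process = ""  # a lone '.' closes a ComboFix block
            continue
        if m := SECTION.match(line):
            key = m.group(1).lower()
        elif m := PROCESS.match(line):
            process = m.group(1).lower()
        elif process:
            if USER_WRITABLE.search(line):
                findings.append(Finding("high", f"DLL loaded into {process} from temp/application data", line))
        elif m := ORPHAN.match(line) or STARTUP.match(line) or SERVICE.match(line):
            _check_autostart(m.group(1).strip(), m.group(2), line, findings)
        elif m := VALUE.match(line):
            name, data = m.group(1), m.group(2).strip()
            if key.endswith("\\security center") and name.lower().endswith("override") and _dword_nonzero(data):
                findings.append(Finding("high", "Security Center override set (real AV/firewall state hidden)", line))
            elif name.lower() == "enablefirewall" and data.split()[:1] == ["0"]:
                findings.append(Finding("high", "Windows Firewall disabled in this profile", line))
            elif key.endswith("\\run"):
                _check_autostart(name, data, line, findings)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
```

Run it as-is to print the findings, or pass it the text of a real ComboFix.txt. Treat the output as a worklist rather than a verdict: third-party suites set `AntiVirusOverride` legitimately, and a service whose file is gone (`mrtRate` here) is often a stale leftover, but a kernel driver service or an explorer.exe DLL living under a user's Temp folder is the kind of entry to raise with the helper before declaring the machine clean.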