
Redirect virus that changed many files to lnk and then moved and hid them


37 replies to this topic

#1 deloria

deloria

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 30 June 2013 - 07:18 PM

Hello out there,

 

Since I originally posted on June 25, 2013, and Aussie Addict noknojon has generously tried to help me resolve my issues, and since we are now stuck without a resolution, it was suggested that I move my topic here.  This forum and the people who fix things are able to use bigger and better scans to fix items I'm told.  The link below will hopefully describe my situation without having to repeat everything:

 

 http://www.bleepingcomputer.com/forums/t/499257/internet-hijacker-isearchfanastigames-and-loss-of-desktop-icons-and-apps/page-3#entry3092498

 

At this point, what is still unresolved is that many of my files (with different extensions) are still hidden/moved to another folder.   When I try to locate my files in the search area, they show as shortcuts.  When I double click on some of these shortcuts, the file opens up and it is actually usable (jpg, spreadsheets). Where the missing files were initially in My Documents, it seems they have been moved to Owners Documents.  The original file doesn't show up in the search area under Owners Docs even though I have changed view to show all files, extensions, and hidden system files.  

 

Many of the shortcuts on my desktop were missing (I've added most back) the favorites, history, favorites bar, AVG secure toolbar are missing from my browser, startup menu items mostly missing/hidden.  Many apps. that I open act like they've never been configured before (i.e. windows media play).   I'm sure I can do some kind of manual switcheroo to get most of these things back, but I'm afraid I'll miss something important, or worse yet that the virus is still buried deep inside my computer.  I've probably logged 30 hours of scanning at this point, and I'll do whatever I can to help you help me get this poor old computer healthy again.  Please let me know what you need next, and I will be happy to provide it.  

 

Thanks so much for your attention to my issue.  I know you are probably slammed everyday.  I'll continue to research your site and my computer for any other information I can find.  I look forward to your response.

Attached Files




 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:12 AM

Posted 05 July 2013 - 07:20 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/499733 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 deloria

deloria
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 05 July 2013 - 11:09 PM

Since the posting instructions told me not to change anything until someone from this forum worked with me, I have not done anything more to try and resolve my issue on my own other than read other forum info. to see if someone else had the same issue. I am sending through the same information as I sent before which already described my issue in detail.  The link listed below is page 3 of 3.  Pages 1 and 2 list my original issue and the steps another member walked me through until we got stuck and he couldn't help me with deeper scans like Combofix, etc. in that forum.  So I've been patiently awaiting help from someone in this forum. I do not have the original Windows CD, but I made a recovery disk and there is something on my partition for recovery.  Since I haven't done much on my computer since my last post, I did not include another DDS file (I'm writing this from my laptop). 

 

Here is a copy of my original post to this forum:

Since I originally posted on June 25, 2013, and Aussie Addict noknojon has generously tried to help me resolve my issues, and since we are now stuck without a resolution, it was suggested that I move my topic here.  This forum and the people who fix things are able to use bigger and better scans to fix items I'm told.  The link below will hopefully describe my situation without having to repeat everything:

 

 http://www.bleepingcomputer.com/forums/t/499257/internet-hijacker-isearchfanastigames-and-loss-of-desktop-icons-and-apps/page-3#entry3092498

 

At this point, what is still unresolved is that many of my files (with different extensions) are still hidden/moved to another folder.   When I try to locate my files in the search area, they show as shortcuts.  When I double click on some of these shortcuts, the file opens up and it is actually usable (jpg, spreadsheets). Where the missing files were initially in My Documents, it seems they have been moved to Owners Documents.  The original file doesn't show up in the search area under Owners Docs even though I have changed view to show all files, extensions, and hidden system files.  

 

Many of the shortcuts on my desktop were missing (I've added most back) the favorites, history, favorites bar, AVG secure toolbar are missing from my browser, startup menu items mostly missing/hidden.  Many apps. that I open act like they've never been configured before (i.e. windows media play).   I'm sure I can do some kind of manual switcheroo to get most of these things back, but I'm afraid I'll miss something important, or worse yet that the virus is still buried deep inside my computer.  I've probably logged 30 hours of scanning at this point, and I'll do whatever I can to help you help me get this poor old computer healthy again.  Please let me know what you need next, and I will be happy to provide it.  

 

Thanks so much for your attention to my issue.  I know you are probably slammed everyday.  I'll continue to research your site and my computer for any other information I can find.  I look forward to your response.



#4 deloria

deloria
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 06 July 2013 - 10:26 AM

Now that I am back to my computer, I have run the two DDS files again as requested.  They are attached.  Looking forward to a response.  Thank you in advance for your kind help.

 

JD

Attached Files



#5 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:01:12 AM

Posted 10 July 2013 - 04:31 PM

Hello and welcome to BleepingComputer. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear. :welcome:

 

My sincere apologies for the extended wait.

 

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

Please go here to see a list of programs that need to be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please include the C:\ComboFix.txt in your next reply for further review.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#6 deloria

deloria
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 10 July 2013 - 06:32 PM

I'm so happy to hear from you!  I thought maybe I got lost in the shuffle :-)  Here is the log you requested.  I look forward to resolving this issue.  I really appreciate you working with me and walking me through the needed steps.  Thanks so much!
 
 
ComboFix 13-07-09.01 - Owner 07/10/2013  15:48:42.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.504.266 [GMT -7:00]
Running from: c:\documents and settings\TEMP\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG update module *Enabled* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\My Documents\~WRL0457.tmp
c:\documents and settings\Owner\WINDOWS
c:\documents and settings\TEMP\WINDOWS
c:\documents and settings\Tom\Application Data\AdobeDLM.log
c:\documents and settings\Tom\My Documents\~WRL0004.tmp
c:\documents and settings\Tom\WINDOWS
c:\windows\dasetup.log
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\help\wmplayer.bak
c:\windows\system\BWCC32.DLL
c:\windows\system32\Cache
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\289c7840d82b6c42.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\2d5868443900d277.fb
c:\windows\system32\Cache\2eee40c6f8b631c1.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\64bc5458c4c4b535.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\86bf72aec9ad8345.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\b64f2e2e47046c0f.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\df36fa5fa0bf75a8.fb
c:\windows\system32\Cache\f37b0cb791151606.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\DC120fc7_32.dll
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\ps2.bat
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-10 to 2013-07-10  )))))))))))))))))))))))))))))))
.
.
2067-02-24 23:21 . 2003-02-05 12:02 79947 -c--a-w- c:\windows\fw20.vxd
2013-06-30 22:34 . 2013-06-30 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar
2013-06-30 22:34 . 2013-06-30 22:34 -------- d-----w- c:\program files\AVG SafeGuard toolbar
2013-06-28 23:51 . 2013-06-28 23:51 -------- d-----w- c:\program files\ESET
2013-06-27 01:53 . 2013-06-27 01:53 -------- d-----w- c:\program files\Common Files\Java
2013-06-27 01:52 . 2013-06-27 01:52 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-27 00:51 . 2013-06-27 00:51 -------- d-----w- C:\JRT
2013-06-25 19:47 . 2013-06-25 19:47 8281168 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\BingBar\BBSvc\7.1.391.0oemBingBarSetup-Partner.EXE
2013-06-25 13:54 . 2013-07-10 23:08 -------- d-----w- c:\documents and settings\TEMP
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-30 22:33 . 2012-09-04 13:10 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-06-27 01:52 . 2013-05-07 21:53 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-06-27 01:52 . 2012-11-14 19:01 867240 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-06-27 01:52 . 2010-05-15 03:42 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-12 16:19 . 2012-04-06 18:45 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-12 16:19 . 2011-05-23 02:43 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-07 22:30 . 2003-08-08 15:35 920064 ----a-w- c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2003-08-08 16:23 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2003-08-08 16:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2008-11-15 19:07 385024 ----a-w- c:\windows\system32\html.iec
2013-05-03 01:26 . 2003-08-08 15:33 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2002-08-29 08:04 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\program files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-23 24576]
"NVIEW"="nview.dll" [2003-05-03 835654]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-05-15 4760816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-03 4640768]
"nwiz"="nwiz.exe" [2003-05-03 323584]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"AutoTKit"="c:\hp\bin\AUTOTKIT.EXE" [2010-05-28 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-04-29 4408368]
"vProt"="c:\program files\AVG SafeGuard toolbar\vprot.exe" [2013-06-30 2236080]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=c:\windows\pss\spamsubtract.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-04-04 21:06 958576 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
2003-06-23 04:25 24576 -c--a-w- c:\program files\Hewlett-Packard\Digital Imaging\bin\BackupNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
2002-10-07 14:23 90112 -c--a-w- c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-05-23 10:03 49152 -c--a-w- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-02-25 01:51 53248 -c--a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 11:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2013-05-15 01:08 4760816 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\magentic_install.exe"=
"c:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"c:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"c:\\Program Files\\Magentic\\bin\\magentic_install.exe"=
"c:\\Program Files\\Magentic\\bin\\MgImp.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [9/21/2012 4:46 AM 245048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [1/31/2012 4:46 AM 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/22/2012 5:25 AM 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [3/19/2012 5:17 AM 182072]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [9/4/2012 6:10 AM 37664]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [5/23/2013 1:11 PM 119056]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [4/18/2013 4:34 AM 283136]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2/7/2013 5:31 AM 660504]
R2 vToolbarUpdater15.3.0;vToolbarUpdater15.3.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe [6/26/2013 4:30 PM 1598128]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.2.233.0\SeaPort.EXE [4/2/2013 3:01 AM 240264]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [5/14/2013 12:54 AM 4937264]
S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.2.233.0\BBSvc.EXE [4/2/2013 3:01 AM 193672]
S2 mrtRate;mrtRate; [x]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf_x86.sys [2/7/2013 5:15 AM 16024]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [2/7/2013 5:31 AM 1223704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-06 15:28 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.71\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 16:19]
.
2012-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2013-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-12 21:58]
.
2013-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-12 21:58]
.
2013-07-10 c:\windows\Tasks\User_Feed_Synchronization-{74B2E1BF-C612-47F9-8E1F-BAD1FE9C4BF9}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:31]
.
2013-07-10 c:\windows\Tasks\User_Feed_Synchronization-{CCDFCFF8-72CD-48F4-8FE9-7703CB00AFEC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
mSearch Bar = hxxp://srch-us9.hpwis.com/
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 205.171.2.25
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\15.3.0\ViProtocol.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-10 16:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(868)
c:\program files\Softex\OmniPass\opxpgina.dll
.
Completion time: 2013-07-10  16:14:57
ComboFix-quarantined-files.txt  2013-07-10 23:14
.
Pre-Run: 19,944,230,912 bytes free
Post-Run: 21,294,800,896 bytes free
.
- - End Of File - - 48A1F14913245C2787B2E228E1197FF5
B716B775FCBDABF0E2DDFF76F15C6790
 

 



#7 deloria

deloria
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  •  
  • Local time:07:12 AM

Posted 10 July 2013 - 11:51 PM

I'm not sure what the combofix scan shows you as far as infection goes, but after I ran the scan, I looked around windows explorer for pics, music, docs, etc., and lots of files still appear to be missing as well as my IE toolbars (AVG safe search), history, and favorites etc..  

 

However, when I look for certain files that appear to be missing by using the "search" feature, I can see some of the pics or music, and when I check the properties, they appear to be in the correct place. However, I can't see or get to them through the usual method.  It's as though the attributes have been changed or hidden in some way.  Very frustrating, but can work around it a bit by finding things through search.  Sometimes, I can open it from there, and sometimes I can't.  I have no idea how many files were affected by this issue.  



#8 The Dark Knight

The Dark Knight

    The Magician


  • Security Colleague
  • 661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Krypton
  • Local time:01:12 AM

Posted 11 July 2013 - 04:45 PM

Hello deloria,

 

I'm so happy to hear from you!  I thought maybe I got lost in the shuffle :-)  Here is the log you requested.  I look forwar

There are so many people that come in every day. I am often quite busy but I have been trying to take logs again so you are very welcome. :)

 

Please try Unhide.exe and let me know if that solves the issue you just described:

 

http://www.bleepingcomputer.com/forums/t/405109/unhideexe-a-introduction-as-to-what-this-program-does/

 

=====

 

Please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.


Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.




#9 deloria (Topic Starter)

Posted 11 July 2013 - 06:42 PM

This was the 3rd time I've tried this application since I started the resolution process on June 25. Files are still not showing up under my documents (even though search says they are there), but when I look under documents and settings\default user\owner's documents, I can see the original missing files under sub folders in that pathway.  Still can't see the AVG Safe search toolbar in IE, etc. either. I'm ready to start the rootkit scan.  I'll set a recovery point first.   
 
 
Unhide by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
 
Program started at: 07/11/2013 03:53:24 PM
Windows Version: Windows XP
 
Please be patient while your files are made visible again.
 
Processing the A:\ drive
Finished processing the A:\ drive. 0 files processed.
 
Processing the C:\ drive
Finished processing the C:\ drive. 270461 files processed.
 
Processing the D:\ drive
Finished processing the D:\ drive. 9429 files processed.
 
The C:\DOCUME~1\TEMP\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
 
Searching for Windows Registry changes made by FakeHDD rogues.
 - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
 - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
 - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.
 
Program finished at: 07/11/2013 04:21:19 PM
Execution time: 0 hours(s), 27 minute(s), and 55 seconds(s)
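The Unhide log above shows the two things the tool does: it clears the Hidden and System attributes a FakeHDD-style rogue sets on user files (the reason the originals only turn up through Search while the .lnk shortcuts stay visible), and it inspects a fixed set of Explorer policy keys for tampering. The script below is an added example written for this thread; it is not Unhide.exe's code and not part of the original posts. It dumps every value under the same five registry keys the log lists, then walks a profile folder for .lnk shortcuts whose target still exists on disk with Hidden+System set, and clears those attributes only when -Fix is given. It assumes PowerShell 2.0 or later is installed (XP SP3 does not ship it by default), that WScript.Shell is available to resolve shortcut targets, and that the folder to scan is the user's My Documents unless -Root says otherwise.

```powershell
# Added example (not Unhide.exe, not from the thread). Read-only unless -Fix is passed.
param(
    [string]$Root = (Join-Path $env:USERPROFILE 'My Documents'),  # assumption: XP profile layout
    [switch]$Fix
)

# The five keys Unhide reports checking in the log above. Policies under the first four
# can hide the desktop, disable Folder Options or Task Manager; the Advanced key holds
# the "show hidden files" preference a rogue flips back off.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
)

Write-Host '== Values under the policy keys Unhide checks =='
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        # Any value under a Policies key on a home PC deserves a look; the Advanced key
        # is ordinary user preference and is printed for completeness only.
        '{0}\{1} = {2}' -f $key, $name, $item.GetValue($name)
    }
}

# Bitmask for the attribute pair rogues use to make data files vanish from Explorer.
$hiddenSystem = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System

function Test-HiddenSystem([string]$Path) {
    $attrs = [int][IO.File]::GetAttributes($Path)
    return (($attrs -band $hiddenSystem) -eq $hiddenSystem)
}

function Clear-HiddenSystem([string]$Path) {
    # Clear only Hidden and System; leave ReadOnly, Archive and the rest untouched.
    $attrs = [int][IO.File]::GetAttributes($Path)
    [IO.File]::SetAttributes($Path, [IO.FileAttributes]($attrs -band (-bnot $hiddenSystem)))
}

Write-Host "== Shortcuts under $Root whose target is a Hidden+System file =="
$shell = New-Object -ComObject WScript.Shell
$found = 0
Get-ChildItem -Path $Root -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        # Resolve the shortcut rather than scanning every hidden file: desktop.ini,
        # Thumbs.db and NTUSER.DAT are legitimately Hidden+System and must be left alone.
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -and (Test-Path -LiteralPath $target) -and (Test-HiddenSystem $target)) {
            $found++
            '{0} -> {1}' -f $_.FullName, $target
            if ($Fix) {
                Clear-HiddenSystem $target
                Write-Host "  cleared Hidden+System on $target"
            }
        }
    }
Write-Host "$found shortcut(s) resolve to Hidden+System originals."
```

Run it once without -Fix to see the list, then with -Fix from an elevated prompt. Pointing -Root at C:\Documents and Settings\TEMP instead of the normal profile is the way to check the stray profile folder mentioned later in this thread without guessing where the originals went.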
 

 



#10 deloria (Topic Starter)

Posted 11 July 2013 - 07:42 PM

LOG 1

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004
 
© Malwarebytes Corporation 2011-2012
 
OS version: 5.1.2600 Windows XP Service Pack 3 x86
 
Account is Administrative
 
Internet Explorer version: 8.0.6001.18702
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.590000 GHz
Memory total: 527982592, free: 87601152
 
Downloaded database version: v2013.07.11.08
Initializing...
------------ Kernel report ------------
     07/11/2013 16:51:20
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\System32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
intelide.sys
\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
PxHelp20.sys
KSecDD.sys
WudfPf.sys
Ntfs.sys
NDIS.sys
SISAGPX.sys
viaagp1.sys
nv_agp.sys
Mup.sys
avgrkx86.sys
avglogx.sys
avgmfx86.sys
avgidshx.sys
agp440.sys
\SystemRoot\System32\DRIVERS\intelppm.sys
\SystemRoot\System32\DRIVERS\ialmnt5.sys
\SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\usbuhci.sys
\SystemRoot\System32\DRIVERS\USBPORT.SYS
\SystemRoot\System32\DRIVERS\usbehci.sys
\SystemRoot\System32\DRIVERS\ltmdmnt.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\system32\DRIVERS\Rtnicxp.sys
\SystemRoot\System32\DRIVERS\fdc.sys
\SystemRoot\System32\DRIVERS\parport.sys
\SystemRoot\System32\DRIVERS\serial.sys
\SystemRoot\System32\DRIVERS\serenum.sys
\SystemRoot\System32\DRIVERS\i8042prt.sys
\SystemRoot\System32\DRIVERS\PS2.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\imapi.sys
\SystemRoot\System32\Drivers\AFS2K.SYS
\SystemRoot\System32\Drivers\MxlW2k.SYS
\SystemRoot\System32\DRIVERS\cdrom.sys
\SystemRoot\System32\DRIVERS\redbook.sys
\SystemRoot\System32\DRIVERS\ks.sys
\SystemRoot\system32\drivers\ALCXWDM.SYS
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\psched.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\System32\DRIVERS\termdd.sys
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\System32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\??\C:\WINDOWS\system32\drivers\avgtpx86.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\avgtdix.sys
\SystemRoot\System32\DRIVERS\ipnat.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\System32\DRIVERS\mouhid.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\ws2ifsl.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\SystemRoot\System32\DRIVERS\srvkp.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\avgldx86.sys
\SystemRoot\system32\DRIVERS\avgidsshimx.sys
\SystemRoot\system32\DRIVERS\avgidsdriverx.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
\SystemRoot\System32\DRIVERS\ndisuio.sys
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff82aa7030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff82a614e0
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff82aa7030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff82aa8448, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff82aa7030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff82aabf18, DeviceName: \Device\00000061\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff82a614e0, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
The directory C:\WINDOWS\system32\drivers seems inaccessible or encrypted.
Drivers scan is aborted.
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D0C4B2EF
 
Partition information:
 
    Partition 0 type is Other (0xb)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 11657457
 
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 11657520  Numsec = 144622800
    Partition file system is NTFS
    Partition is bootable
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 80026361856 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)...
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_0_1_11657520_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished
 

LOG 2

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org
 
Database version: v2013.07.11.08
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: DELORIA [administrator]
 
7/11/2013 4:51:49 PM
mbar-log-2013-07-11 (16-51-49).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 268078
Time elapsed: 45 minute(s), 19 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 

What next Dark Knight?
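The "Inspecting partition table" section of LOG 1 is MBAR reading sector 0 of the disk: the 0x55AA boot signature in the last two bytes, the 32-bit disk signature at offset 440, and four 16-byte partition entries starting at offset 446 (boot flag, type byte, start LBA, sector count). The decoder below is an added example for this thread, not Malwarebytes' code. The sector it parses is constructed in the script to reproduce the values in the log (disk signature D0C4B2EF, a type 0x0b partition at LBA 63 and an active NTFS partition right after it); reading the real sector would need administrator rights and \\.\PhysicalDrive0, which is deliberately left out. The layout check at the end is the kind of consistency test a rootkit scanner applies before trusting the table: no overlapping entries and nothing running past the end of the disk.

```powershell
# Added example (not from the thread, not MBAR's code): decode a classic MBR sector.
function ConvertFrom-MbrSector {
    param([byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw 'expected a 512-byte sector' }
    # Boot signature is stored little-endian as bytes 55 AA -> 0xAA55.
    $bootSig = [BitConverter]::ToUInt16($Sector, 510)
    if ($bootSig -ne 0xAA55) { throw ('bad MBR signature 0x{0:X4}' -f $bootSig) }
    $diskSig = [BitConverter]::ToUInt32($Sector, 440)
    $parts = @()
    for ($i = 0; $i -lt 4; $i++) {
        $off = 446 + 16 * $i
        $parts += New-Object PSObject -Property @{
            Index      = $i
            Active     = ($Sector[$off] -eq 0x80)              # 0x80 bootable, 0x00 inactive
            Type       = ('0x{0:x2}' -f $Sector[$off + 4])     # 0x07 NTFS, 0x0b FAT32, 0x00 empty
            StartLba   = [BitConverter]::ToUInt32($Sector, $off + 8)
            NumSectors = [BitConverter]::ToUInt32($Sector, $off + 12)
        }
    }
    New-Object PSObject -Property @{
        DiskSignature = ('{0:X8}' -f $diskSig)
        Partitions    = $parts
    }
}

# Consistency check: used entries must not overlap and must fit inside the disk.
function Test-PartitionLayout($Table, [long]$DiskSectors) {
    $used = $Table.Partitions | Where-Object { $_.NumSectors -gt 0 } | Sort-Object StartLba
    $prevEnd = [long]0
    foreach ($p in $used) {
        if ([long]$p.StartLba -lt $prevEnd) { return $false }        # overlaps previous entry
        $prevEnd = [long]$p.StartLba + [long]$p.NumSectors
        if ($prevEnd -gt $DiskSectors) { return $false }             # runs past end of disk
    }
    return $true
}

function Set-MbrEntry([byte[]]$s, [int]$i, [byte]$boot, [byte]$type, [uint32]$lba, [uint32]$count) {
    $off = 446 + 16 * $i
    $s[$off] = $boot
    $s[$off + 4] = $type
    [Array]::Copy([BitConverter]::GetBytes($lba),   0, $s, $off + 8,  4)
    [Array]::Copy([BitConverter]::GetBytes($count), 0, $s, $off + 12, 4)
}

# Constructed sample sector mirroring the table in LOG 1 above.
$mbr = New-Object byte[] 512
[Array]::Copy([BitConverter]::GetBytes([uint32]0xD0C4B2EF), 0, $mbr, 440, 4)
Set-MbrEntry $mbr 0 0x00 0x0b 63 11657457          # "Other (0xb)", not active
Set-MbrEntry $mbr 1 0x80 0x07 11657520 144622800   # NTFS, active, starts where entry 0 ends
$mbr[510] = 0x55
$mbr[511] = 0xAA

$table = ConvertFrom-MbrSector $mbr
'Disk signature: ' + $table.DiskSignature
$table.Partitions | Format-Table Index, Active, Type, StartLba, NumSectors -AutoSize
# 80026361856 bytes / 512 = 156301488 sectors, the disk size reported in the log.
'Layout consistent: ' + (Test-PartitionLayout $table ([long](80026361856 / 512)))
```

A bootkit that hides in the gap before the first partition (LBA 1 to 62 here) does not show up in this table at all, which is why MBAR also scans the unpartitioned sectors and compares the on-disk MBR against the one the kernel sees.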



#11 deloria (Topic Starter)

Posted 11 July 2013 - 08:44 PM

One more piece of information that may or may not help you:

I was looking at a folder that was created on 6/25/13 (when all my trouble started at bootup).  It is a sub folder called TEMP under documents and settings and is 1.58 GB with 6291 files and 2254 folders.  As I copy logs from my desktop into "my documents", I can find them in the sub folder of "my documents" looking in this TEMP folder.  

 

I also found some of the same files from the TEMP/my documents folder and many others that are missing by looking under docs and settings/owner/owner's documents.  It seems some of the files duplicated themselves and others have been moved.  So confusing........

 

I could move the files that I need so they are all in one area, but I'm not sure where they belong and I don't want to duplicate because my computer doesn't have enough room.  That is my dilemma (after making sure I don't have any more infections on my computer).  The other issue seems to be that I can't make the AVG addon show up on IE.  I can make new shortcuts as I need them, so don't really care about old history or old favorites on the toolbar.

 

My biggest question is how I even got this virus/worm/malware in the first place (so I don't have it happen again).

 

Hopefully, I haven't confused you too much about what I'm saying here.  I'm just trying to provide as much info. to you as I can.  Thanks again for all your help.

 

JD



#12 The Dark Knight (The Magician, Security Colleague)

Posted 12 July 2013 - 06:23 PM

Hello deloria,

 

The other issue seems to be that I can't make the AVG addon show up on IE.  I can make new shortcuts as I need them, so don't really care about old history or old favorites on the toolbar.

Internet Explorer is the weakest browser in terms of security, as it is heavily targeted by malware writers. I strongly recommend switching to Google Chrome or Mozilla Firefox, as they are far more secure.

 

My biggest question is how I even got this virus/worm/malware in the first place (so I don't have it happen again.).

Could have been through a dodgy link or email. Accidentally accessed a nasty website. Hard to say.

 

Please download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.




#13 deloria (Topic Starter)

Posted 12 July 2013 - 07:19 PM

Extras.txt is below - By the way, yesterday Windows automatically updated 13 files and Adobe Flashplayer also auto updated.  I actually use Google Chrome as my default browser but sometimes use IE 8.0 because Secunia.com doesn't seem to load with Google Chrome.
 
I downloaded OTL.exe to my desktop but it wouldn't run from there as it thought it was a temporary folder.  So I moved it to owner's documents and ran it from there. It worked. I'll send the other .txt on a separate post.
 
OTL logfile created on: 7/12/2013 4:41:47 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
503.52 Mb Total Physical Memory | 180.80 Mb Available Physical Memory | 35.91% Memory free
1.27 Gb Paging File | 0.60 Gb Available in Paging File | 46.98% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.96 Gb Total Space | 18.50 Gb Free Space | 26.83% Space Free | Partition Type: NTFS
Drive D: | 5.55 Gb Total Space | 0.96 Gb Free Space | 17.29% Space Free | Partition Type: FAT32
 
Computer Name: DELORIA | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/07/12 16:27:06 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
PRC - [2013/06/30 15:33:42 | 002,236,080 | ---- | M] () -- C:\Program Files\AVG SafeGuard toolbar\vprot.exe
PRC - [2013/06/26 16:28:51 | 001,598,128 | ---- | M] (AVG Secure Search) -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe
PRC - [2013/05/23 13:11:42 | 000,119,056 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2013/05/14 18:08:19 | 004,760,816 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2013/05/14 00:54:12 | 004,937,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgidsagent.exe
PRC - [2013/04/29 00:58:42 | 004,408,368 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgui.exe
PRC - [2013/04/18 04:34:38 | 000,283,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgwdsvc.exe
PRC - [2013/04/04 03:15:08 | 001,117,232 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgnsx.exe
PRC - [2013/04/02 03:01:48 | 000,240,264 | ---- | M] (Microsoft Corporation.) -- C:\Program Files\Microsoft\BingBar\7.2.233.0\SeaPort.EXE
PRC - [2013/03/28 02:48:36 | 000,763,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgrsx.exe
PRC - [2013/03/18 02:38:48 | 000,799,280 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgemcx.exe
PRC - [2013/02/19 04:00:58 | 000,448,560 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2013\avgcsrvx.exe
PRC - [2013/02/07 05:31:20 | 000,660,504 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/30 20:22:50 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2003/07/14 11:52:44 | 000,040,960 | ---- | M] (Agere Systems) -- C:\WINDOWS\ltmsg.exe
PRC - [2003/05/23 02:55:38 | 000,483,328 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\hphmon05.exe
PRC - [2003/02/21 04:07:06 | 000,068,704 | ---- | M] () -- C:\Program Files\Softex\OmniPass\omniServ.exe
PRC - [2003/02/21 03:50:10 | 000,053,248 | ---- | M] () -- C:\Program Files\Softex\OmniPass\OPXPApp.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013/06/30 15:33:42 | 002,236,080 | ---- | M] () -- C:\Program Files\AVG SafeGuard toolbar\vprot.exe
MOD - [2013/06/30 15:33:42 | 000,145,072 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\15.3.0\SiteSafety.dll
MOD - [2003/02/21 04:07:06 | 000,068,704 | ---- | M] () -- C:\Program Files\Softex\OmniPass\omniServ.exe
MOD - [2003/02/21 03:50:12 | 000,040,960 | ---- | M] () -- C:\Program Files\Softex\OmniPass\OPXPGina.dll
MOD - [2003/02/21 03:50:10 | 000,053,248 | ---- | M] () -- C:\Program Files\Softex\OmniPass\OPXPApp.exe
MOD - [2003/02/21 03:49:54 | 000,172,032 | ---- | M] () -- C:\Program Files\Softex\OmniPass\OPComm.dll
MOD - [2003/02/21 03:49:44 | 000,061,440 | ---- | M] () -- C:\Program Files\Softex\OmniPass\ginastub.dll
MOD - [2003/02/21 03:49:34 | 000,270,336 | ---- | M] () -- C:\Program Files\Softex\OmniPass\fngrdll.dll
 
 
========== Services (SafeList) ==========
 
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/07/12 07:54:52 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/06/26 16:28:51 | 001,598,128 | ---- | M] (AVG Secure Search) [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe -- (vToolbarUpdater15.3.0)
SRV - [2013/05/23 13:11:42 | 000,119,056 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore.exe -- (!SASCORE)
SRV - [2013/05/14 00:54:12 | 004,937,264 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2013\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2013/04/18 04:34:38 | 000,283,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2013\avgwdsvc.exe -- (avgwd)
SRV - [2013/04/02 03:01:48 | 000,240,264 | ---- | M] (Microsoft Corporation.) [On_Demand | Running] -- C:\Program Files\Microsoft\BingBar\7.2.233.0\SeaPort.EXE -- (BBUpdate)
SRV - [2013/04/02 03:01:48 | 000,193,672 | ---- | M] (Microsoft Corporation.) [Auto | Stopped] -- C:\Program Files\Microsoft\BingBar\7.2.233.0\BBSvc.EXE -- (BBSvc)
SRV - [2013/02/07 05:31:22 | 001,223,704 | ---- | M] (Secunia) [On_Demand | Stopped] -- C:\Program Files\Secunia\PSI\psia.exe -- (Secunia PSI Agent)
SRV - [2013/02/07 05:31:20 | 000,660,504 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2005/09/30 20:22:50 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2003/02/21 04:07:06 | 000,068,704 | ---- | M] () [Auto | Running] -- C:\Program Files\Softex\OmniPass\omniServ.exe -- (omniserv)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | Auto | Stopped] --  -- (mrtRate)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\EagleNT.sys -- (EagleNT)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\TEMP\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2013/06/30 15:33:42 | 000,037,664 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtpx86.sys -- (avgtp)
DRV - [2013/03/29 02:53:48 | 000,208,184 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgidsdriverx.sys -- (AVGIDSDriver)
DRV - [2013/03/21 03:08:24 | 000,182,072 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2013/03/01 10:32:20 | 000,022,328 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgidsshimx.sys -- (AVGIDSShim)
DRV - [2013/02/08 04:37:58 | 000,096,568 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2013/02/08 04:37:56 | 000,245,048 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\avglogx.sys -- (Avglogx)
DRV - [2013/02/08 04:37:52 | 000,060,216 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\avgidshx.sys -- (AVGIDSHX)
DRV - [2013/02/08 04:37:44 | 000,170,808 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2013/02/08 04:37:40 | 000,039,224 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2013/02/07 05:15:22 | 000,016,024 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf_x86.sys -- (PSI)
DRV - [2011/07/22 09:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 14:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/08/05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2008/02/25 13:54:56 | 000,105,088 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2004/10/07 18:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/10/01 11:24:02 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM)
DRV - [2004/08/03 23:29:52 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Psddr)
DRV - [2003/12/12 20:03:10 | 000,652,689 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2003/08/23 07:23:48 | 000,028,276 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2003/05/06 15:34:56 | 000,394,752 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2003/04/11 08:51:30 | 000,010,624 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2003/03/19 22:51:00 | 000,018,688 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nv_agp.SYS -- (nv_agp)
DRV - [2003/02/20 16:18:36 | 000,036,608 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SISAGPX.SYS -- (SISAGP)
DRV - [2002/12/27 11:41:00 | 000,026,880 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\VIAAGP1.SYS -- (viaagp1)
DRV - [2002/10/04 17:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation       ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2001/06/04 14:00:00 | 000,014,112 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\15.3.0\\npsitesafety.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
 
 
========== Chrome  ==========
 
CHR - Extension: No name found = C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: No name found = C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: No name found = C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: No name found = C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: No name found = C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof\15.3.0.11_0\
CHR - Extension: No name found = C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\okeonndcffjgnbbjmncoephhknkfpnfl\2_0\
CHR - Extension: No name found = C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2013/07/10 16:10:38 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Reg Error: Value error.) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.2.233.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.2.233.0\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (HP View) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\ShellBrowser: (HP View) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\WebBrowser: (HP View) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll (Hewlett-Packard Company)
O4 - HKLM..\Run: [AutoTKit] C:\hp\bin\autotkit.exe ()
O4 - HKLM..\Run: [AVG_UI] C:\Program Files\AVG\AVG2013\avgui.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)
O4 - HKLM..\Run: [LTMSG] C:\WINDOWS\ltmsg.exe (Agere Systems)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE (Hewlett-Packard Company)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [StorageGuard] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG SafeGuard toolbar\vprot.exe ()
O4 - HKCU..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\BackupNotify.exe ( )
O4 - HKCU..\Run: [NVIEW] C:\WINDOWS\System32\nview.dll (NVIDIA Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1226978247375 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1349926117109 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab (Java Plug-in 10.25.2)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_13-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab (Java Plug-in 1.7.0_25)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab (Java Plug-in 10.25.2)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.2.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E1819696-9533-4C57-808A-3DE9DAD36DDB}: DhcpNameServer = 192.168.0.1 205.171.2.25
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll File not found
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\15.3.0\ViProtocol.dll (AVG Secure Search)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\OPXPGina: DllName - (C:\Program Files\Softex\OmniPass\opxpgina.dll) - C:\Program Files\Softex\OmniPass\OPXPGina.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2013\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
NetSvcs: 6to4 -  File not found
NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias -  File not found
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: WmdmPmSp -  File not found
 
Drivers32: msacm.iac2 - C:\WINDOWS\System32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.LEAD - C:\WINDOWS\System32\LCodcCMP.dll (LEAD Technologies, Inc.)
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/07/12 16:31:59 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\TEMP\Desktop\OTL.exe
[2013/07/11 16:51:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
[2013/07/11 15:59:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG
[2013/07/11 15:37:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\mbar-1.06.0.1004
[2013/07/10 21:07:35 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/07/10 16:15:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2013/07/10 15:31:45 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/07/10 15:31:45 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/07/10 15:31:45 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/07/10 15:31:45 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/07/10 15:31:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/07/10 15:22:29 | 005,087,643 | R--- | C] (Swearware) -- C:\Documents and Settings\TEMP\Desktop\ComboFix.exe
[2013/06/30 16:31:52 | 000,000,000 | R--D | C] -- C:\Documents and Settings\TEMP\Start Menu\Programs\Administrative Tools
[2013/06/30 15:34:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\AVG SafeGuard toolbar
[2013/06/30 15:34:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG SafeGuard toolbar
[2013/06/30 15:34:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\AVG SafeGuard toolbar
[2013/06/30 15:34:05 | 000,000,000 | ---D | C] -- C:\Program Files\AVG SafeGuard toolbar
[2013/06/28 16:51:24 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/06/28 16:39:00 | 002,240,864 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\TEMP\My Documents\tdsskiller.exe
[2013/06/26 20:13:31 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\TEMP\IECompatCache
[2013/06/26 20:11:42 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\TEMP\PrivacIE
[2013/06/26 19:48:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Windows Search
[2013/06/26 18:53:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2013/06/26 18:52:53 | 000,263,592 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2013/06/26 18:52:42 | 000,094,632 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013/06/26 18:52:41 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013/06/26 18:52:40 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/06/26 18:07:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\SUPERAntiSpyware.com
[2013/06/26 18:06:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2013/06/26 17:51:54 | 000,000,000 | ---D | C] -- C:\JRT
[2013/06/26 17:31:39 | 026,315,080 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\TEMP\My Documents\SUPERAntiSpyware.exe
[2013/06/26 16:59:42 | 000,545,954 | ---- | C] (Oleg N. Scherbakov) -- C:\Documents and Settings\TEMP\My Documents\JRT.exe
[2013/06/26 16:58:12 | 000,760,775 | ---- | C] (Farbar) -- C:\Documents and Settings\TEMP\My Documents\MiniToolBox.exe
[2013/06/26 16:52:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Downloads
[2013/06/25 19:49:37 | 001,814,144 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\TEMP\My Documents\uSeRiNiT.exe
[2013/06/25 19:26:24 | 000,398,752 | ---- | C] (Bleeping Computer, LLC) -- C:\Documents and Settings\TEMP\My Documents\unhide.exe
[2013/06/25 19:17:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\Sun
[2013/06/25 19:17:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Sun
[2013/06/25 12:58:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Malwarebytes
[2013/06/25 12:41:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\AppData
[2013/06/25 07:18:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\AVG2013
[2013/06/25 07:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Start Menu\Programs\Internet Explorer
[2013/06/25 06:59:26 | 000,637,004 | ---- | C] (Sonic Solutions) -- C:\Documents and Settings\TEMP\My Documents\pxengine424.exe
[2013/06/25 06:59:25 | 020,256,064 | ---- | C] (Apple Inc.) -- C:\Documents and Settings\TEMP\My Documents\QuickTimeInstaller7_2.exe
[2013/06/25 06:59:15 | 002,554,592 | ---- | C] (Macrovision Corporation) -- C:\Documents and Settings\TEMP\My Documents\SansaUpdaterInstall.exe
[2013/06/25 06:59:12 | 002,978,749 | ---- | C] (Macromedia, Inc.) -- C:\Documents and Settings\TEMP\My Documents\sballs2.exe
[2013/06/25 06:59:02 | 006,427,936 | ---- | C] (Microsoft Corporation                                        ) -- C:\Documents and Settings\TEMP\My Documents\screensaverfunpack.exe
[2013/06/25 06:59:02 | 006,275,906 | ---- | C] (Network Associates, Inc.) -- C:\Documents and Settings\TEMP\My Documents\sdat4419.exe
[2013/06/25 06:59:02 | 004,954,024 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\TEMP\My Documents\SetupDl.EXE
[2013/06/25 06:58:45 | 004,354,084 | ---- | C] (Safer Networking Limited                                    ) -- C:\Documents and Settings\TEMP\My Documents\spybotsd13.exe
[2013/06/25 06:58:45 | 002,925,717 | ---- | C] (Macromedia, Inc.) -- C:\Documents and Settings\TEMP\My Documents\spank.exe
[2013/06/25 06:58:35 | 014,968,808 | ---- | C] (Safer Networking Limited                                    ) -- C:\Documents and Settings\TEMP\My Documents\spybotsd160.exe
[2013/06/25 06:58:35 | 009,723,880 | ---- | C] (Safer Networking Limited                                    ) -- C:\Documents and Settings\TEMP\My Documents\spybotsd152.exe
[2013/06/25 06:58:35 | 002,566,736 | ---- | C] (Javacool Software LLC                                       ) -- C:\Documents and Settings\TEMP\My Documents\spywareblastersetup351.exe
[2013/06/25 06:58:35 | 002,560,240 | ---- | C] (Javacool Software LLC                                       ) -- C:\Documents and Settings\TEMP\My Documents\spywareblastersetup34.exe
[2013/06/25 06:57:20 | 001,932,577 | ---- | C] (Macromedia, Inc.) -- C:\Documents and Settings\TEMP\My Documents\TREE.EXE
[2013/06/25 06:57:18 | 002,265,775 | ---- | C] (Macromedia, Inc.) -- C:\Documents and Settings\TEMP\My Documents\VAL.EXE
[2013/06/25 06:56:19 | 005,844,872 | ---- | C] (CNET Networks                                               ) -- C:\Documents and Settings\TEMP\My Documents\wbsamp5.exe
[2013/06/25 06:56:18 | 006,391,520 | ---- | C] (AGCM                                                        ) -- C:\Documents and Settings\TEMP\My Documents\wbsamp5a.exe
[2013/06/25 06:56:03 | 000,494,312 | ---- | C] (Microsoft Corp.) -- C:\Documents and Settings\TEMP\My Documents\WGADiag2.exe
[2013/06/25 06:56:02 | 001,364,256 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\TEMP\My Documents\WLToolbarSetup_en.exe
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\JewelMatch2
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\interMute
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Identities
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\ICAClient
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Help
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Google
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Gogii Games
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\GameHouse
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\funkitron
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Apple Computer
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\AdobeUM
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Adobe
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\7Wonders
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\.jpi_cache
[2013/06/25 06:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\.java
[2013/06/25 06:55:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Microgaming
[2013/06/25 06:55:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\MGI
[2013/06/25 06:55:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Magic Academy
[2013/06/25 06:55:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Macromedia
[2013/06/25 06:55:38 | 000,000,000 | --SD | C] -- C:\Documents and Settings\TEMP\Application Data\Microsoft
[2013/06/25 06:55:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Super-Cow
[2013/06/25 06:55:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\SprillBermudeEng
[2013/06/25 06:55:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Sonic
[2013/06/25 06:55:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Skip-Bo
[2013/06/25 06:55:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\SampleView
[2013/06/25 06:55:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Real
[2013/06/25 06:55:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\PlayFirst
[2013/06/25 06:55:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Pirateville
[2013/06/25 06:55:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Mysteryville2
[2013/06/25 06:55:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Motive
[2013/06/25 06:55:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\TEMP\Favorites
[2013/06/25 06:55:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\TEMP\Application Data
[2013/06/25 06:55:36 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\TEMP\IETldCache
[2013/06/25 06:55:36 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\TEMP\Cookies
[2013/06/25 06:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Wildfire
[2013/06/25 06:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Webshots
[2013/06/25 06:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\TuneUp Software
[2013/06/25 06:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\The Labyrinth Plus! Edition
[2013/06/25 06:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Application Data\Symantec
[2013/06/25 06:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Desktop
[2013/06/25 06:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\Apple
[2013/06/25 06:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\Adobe
[2013/06/25 06:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\Identities
[2013/06/25 06:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\HP
[2013/06/25 06:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\Help
[2013/06/25 06:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\Grubby Games
[2013/06/25 06:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\Google
[2013/06/25 06:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\Avg2013
[2013/06/25 06:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\ApplicationHistory
[2013/06/25 06:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\Apple Computer
[2013/06/25 06:55:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\IsolatedStorage
[2013/06/25 06:55:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\IM
[2013/06/25 06:55:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\SpookyManor
[2013/06/25 06:55:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\RcIncidents
[2013/06/25 06:55:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft
[2013/06/25 06:55:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Local Settings\Application Data\JollyBear
[2013/06/25 06:55:28 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\TEMP\Local Settings
[2013/06/25 06:55:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\BMPFIL~1
[2013/06/25 06:55:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Application_Logs
[2013/06/25 06:55:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\ICONS
[2013/06/25 06:55:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\hello stationary_files
[2013/06/25 06:55:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\GardenDefense
[2013/06/25 06:55:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Doc Talk
[2013/06/25 06:55:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\CURSORS
[2013/06/25 06:55:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Boggle Supreme Documents
[2013/06/25 06:55:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\My Games
[2013/06/25 06:55:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\My eBooks
[2013/06/25 06:55:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\My Albums
[2013/06/25 06:55:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\MGI
[2013/06/25 06:55:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Magentic
[2013/06/25 06:55:15 | 000,000,000 | R--D | C] -- C:\Documents and Settings\TEMP\My Documents\My Music
[2013/06/25 06:55:08 | 000,000,000 | --SD | C] -- C:\Documents and Settings\TEMP\My Documents\My Videos
[2013/06/25 06:55:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\TEMP\My Documents\My Pictures
[2013/06/25 06:55:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Toms girl  pixs
[2013/06/25 06:55:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Symantec
[2013/06/25 06:55:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Slingo Quest Documents
[2013/06/25 06:55:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Rhapsody_ErrorLogs
[2013/06/25 06:55:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Reset_Subinacl
[2013/06/25 06:55:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\popcapvenice crack
[2013/06/25 06:55:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Pat Sajak's Trivia Gems
[2013/06/25 06:55:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\New Folder
[2013/06/25 06:55:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\My Received Files
[2013/06/25 06:55:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\TEMP\SendTo
[2013/06/25 06:55:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\TEMP\Recent
[2013/06/25 06:55:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\TEMP\My Documents
[2013/06/25 06:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Webshots Imported Collections
[2013/06/25 06:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\WAVS
[2013/06/25 06:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\My Documents\Updater5
[2013/06/25 06:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Saved Games
[2013/06/25 06:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\PrintHood
[2013/06/25 06:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\NetHood
[2013/06/25 06:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Start Menu\Programs\Absolute Poker
[2013/06/25 06:55:06 | 000,000,000 | --SD | C] -- C:\Documents and Settings\TEMP\UserData
[2013/06/25 06:55:06 | 000,000,000 | R--D | C] -- C:\Documents and Settings\TEMP\Start Menu
[2013/06/25 06:55:06 | 000,000,000 | R--D | C] -- C:\Documents and Settings\TEMP\Start Menu\Programs\Accessories
[2013/06/25 06:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Start Menu\Programs\Windows XP Winter Fun Packs
[2013/06/25 06:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Templates
[2013/06/25 06:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Start Menu\Programs\Startup
[2013/06/25 06:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Start Menu\Programs\PopCap Games
[2013/06/25 06:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Start Menu\Programs\Online Services
[2013/06/25 06:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TEMP\Start Menu\Programs\GameHouse
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/07/12 16:51:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CCDFCFF8-72CD-48F4-8FE9-7703CB00AFEC}.job
[2013/07/12 16:50:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{74B2E1BF-C612-47F9-8E1F-BAD1FE9C4BF9}.job
[2013/07/12 16:28:03 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/12 16:27:06 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\TEMP\Desktop\OTL.exe
[2013/07/12 16:18:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/07/12 12:37:00 | 000,000,267 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2013/07/12 08:28:02 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/12 07:54:46 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/07/12 07:54:46 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/07/12 07:39:23 | 000,001,464 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2013/07/12 07:37:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/07/12 07:37:22 | 000,282,128 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/07/11 19:54:44 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/07/11 19:51:02 | 000,464,626 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/07/11 19:51:02 | 000,079,792 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/07/11 15:59:05 | 000,000,713 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2013.lnk
[2013/07/11 15:33:00 | 013,399,154 | ---- | M] () -- C:\Documents and Settings\TEMP\My Documents\mbar-1.06.0.1004.zip
[2013/07/11 15:09:43 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/07/10 16:10:38 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/07/10 15:22:12 | 005,087,643 | R--- | M] (Swearware) -- C:\Documents and Settings\TEMP\Desktop\ComboFix.exe
[2013/07/06 08:54:09 | 000,000,840 | ---- | M] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Bejeweled 2.lnk
[2013/07/06 08:46:21 | 000,001,824 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/06/30 15:33:42 | 000,037,664 | ---- | M] (AVG Technologies) -- C:\WINDOWS\System32\drivers\avgtpx86.sys
[2013/06/30 15:01:14 | 000,002,307 | ---- | M] () -- C:\Documents and Settings\TEMP\Desktop\Excel.lnk
[2013/06/30 14:58:33 | 000,002,401 | ---- | M] () -- C:\Documents and Settings\TEMP\Desktop\Word.lnk
[2013/06/28 16:38:46 | 002,240,864 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\TEMP\My Documents\tdsskiller.exe
[2013/06/27 20:10:25 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2013/06/26 18:52:14 | 000,094,632 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013/06/26 18:52:09 | 000,263,592 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2013/06/26 18:52:09 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013/06/26 18:52:09 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/06/26 18:52:09 | 000,144,896 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2013/06/26 18:52:08 | 000,867,240 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npdeployJava1.dll
[2013/06/26 18:52:08 | 000,789,416 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2013/06/26 18:06:49 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2013/06/26 17:31:28 | 026,315,080 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\TEMP\My Documents\SUPERAntiSpyware.exe
[2013/06/26 16:59:37 | 000,545,954 | ---- | M] (Oleg N. Scherbakov) -- C:\Documents and Settings\TEMP\My Documents\JRT.exe
[2013/06/26 16:59:07 | 000,648,201 | ---- | M] () -- C:\Documents and Settings\TEMP\My Documents\adwcleaner.exe
[2013/06/26 16:57:00 | 000,760,775 | ---- | M] (Farbar) -- C:\Documents and Settings\TEMP\My Documents\MiniToolBox.exe
[2013/06/26 16:53:13 | 000,890,988 | ---- | M] () -- C:\Documents and Settings\TEMP\My Documents\SecurityCheck.exe
[2013/06/25 22:06:02 | 000,000,811 | ---- | M] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2013/06/25 22:06:02 | 000,000,799 | ---- | M] () -- C:\Documents and Settings\TEMP\Desktop\Windows Media Player.lnk
[2013/06/25 19:49:56 | 001,814,144 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\TEMP\My Documents\uSeRiNiT.exe
[2013/06/25 19:26:25 | 000,398,752 | ---- | M] (Bleeping Computer, LLC) -- C:\Documents and Settings\TEMP\My Documents\unhide.exe
[2013/06/25 19:05:49 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2013/06/25 15:35:18 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/25 12:40:36 | 000,001,842 | ---- | M] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/06/25 07:18:59 | 000,000,127 | ---- | M] () -- C:\Documents and Settings\TEMP\Local Settings\Application Data\fusioncache.dat
[2013/06/25 07:15:47 | 000,000,826 | ---- | M] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/06/25 07:15:41 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2067/02/24 16:21:18 | 000,079,947 | ---- | C] () -- C:\WINDOWS\fw20.vxd
[2013/07/11 15:33:19 | 013,399,154 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\mbar-1.06.0.1004.zip
[2013/07/10 15:31:45 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/07/10 15:31:45 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/07/10 15:31:45 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/07/10 15:31:45 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/07/10 15:31:45 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/07/06 08:54:09 | 000,000,840 | ---- | C] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Bejeweled 2.lnk
[2013/06/30 14:58:33 | 000,002,401 | ---- | C] () -- C:\Documents and Settings\TEMP\Desktop\Word.lnk
[2013/06/30 14:58:28 | 000,002,307 | ---- | C] () -- C:\Documents and Settings\TEMP\Desktop\Excel.lnk
[2013/06/26 18:06:49 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2013/06/26 16:59:20 | 000,648,201 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\adwcleaner.exe
[2013/06/26 16:52:23 | 000,890,988 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\SecurityCheck.exe
[2013/06/25 22:06:02 | 000,000,811 | ---- | C] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2013/06/25 22:06:02 | 000,000,799 | ---- | C] () -- C:\Documents and Settings\TEMP\Desktop\Windows Media Player.lnk
[2013/06/25 07:18:59 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\TEMP\Local Settings\Application Data\fusioncache.dat
[2013/06/25 07:15:47 | 000,000,826 | ---- | C] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/06/25 07:15:46 | 000,001,842 | ---- | C] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/06/25 07:15:41 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2013/06/25 06:59:58 | 003,436,640 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\NORTON lusetup(use before downloading new update files).exe
[2013/06/25 06:59:38 | 005,731,840 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\ParadisePokerSetup.exe
[2013/06/25 06:59:38 | 002,959,605 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\PartyPokerSetup.exe
[2013/06/25 06:59:38 | 001,427,204 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\owie 3.JPG
[2013/06/25 06:59:36 | 003,107,728 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\PokerStarsInstallPM.exe
[2013/06/25 06:59:36 | 000,000,213 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\poinsettia.gif
[2013/06/25 06:59:35 | 001,724,368 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\PopNDropInstall.exe
[2013/06/25 06:59:26 | 001,018,645 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\PUFF3X.EXE
[2013/06/25 06:59:23 | 000,001,898 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\redshirt-sad[1]..jpg
[2013/06/25 06:59:22 | 000,001,825 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\redshirt-winks[1]..jpg
[2013/06/25 06:59:21 | 000,105,865 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\Reset_subinacl.zip
[2013/06/25 06:59:20 | 000,140,064 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\rhapsody.zip
[2013/06/25 06:59:04 | 002,720,736 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\SBCollapseInstall.exe
[2013/06/25 06:59:01 | 005,165,296 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\shape_solitaire-setup.exe
[2013/06/25 06:59:01 | 000,001,756 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\skull-mad[1]..jpg
[2013/06/25 06:59:01 | 000,001,572 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\skull-cool[2]..jpg
[2013/06/25 06:59:01 | 000,001,297 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\skull-bored[1]..jpg
[2013/06/25 06:59:01 | 000,001,288 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\skull-gasps[1]..jpg
[2013/06/25 06:59:01 | 000,001,285 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\skull-sleeps[1]..jpg
[2013/06/25 06:58:59 | 000,207,874 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\SmartDownload.exe
[2013/06/25 06:58:51 | 005,707,543 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\Snood352Setup.exe
[2013/06/25 06:58:51 | 000,000,165 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\snowflake.gif
[2013/06/25 06:58:34 | 000,000,203 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\stocking.gif
[2013/06/25 06:58:33 | 003,876,296 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\TapaJamInstall.exe
[2013/06/25 06:58:33 | 001,537,922 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\SuperGranny4.exe
[2013/06/25 06:58:33 | 000,004,951 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\team-logodeadmeat.gif
[2013/06/25 06:57:20 | 000,788,220 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\UnPackerInstallation.exe
[2013/06/25 06:57:18 | 000,439,510 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\VirusScan.reg
[2013/06/25 06:57:17 | 000,035,640 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\VirusScan.zip
[2013/06/25 06:57:17 | 000,005,331 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\VS8.reg
[2013/06/25 06:56:21 | 001,556,596 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\WBSAMP.EXE
[2013/06/25 06:56:02 | 000,072,868 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\wildcatlogo.gif
[2013/06/25 06:56:01 | 001,206,366 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\wrar371.exe
[2013/06/25 06:56:01 | 000,126,628 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\wyoming hot tub.jpg
[2013/06/25 06:56:01 | 000,004,284 | ---- | C] () -- C:\Documents and Settings\TEMP\My Documents\ZbThumbnail.info
[2013/06/25 06:55:43 | 000,000,004 | -HS- | C] () -- C:\Documents and Settings\TEMP\win_rhtdo53x4
[2012/02/16 08:21:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/10/14 15:15:47 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2007/09/16 20:01:20 | 000,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
 
========== ZeroAccess Check ==========
 
[2003/08/23 06:16:33 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 17:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 05:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 17:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== Custom Scans ==========
 
< %SYSTEMDRIVE%\*.* >
[2013/06/26 17:36:28 | 000,007,413 | ---- | M] () -- C:\AdwCleaner[S1].txt
[2008/11/15 01:56:10 | 000,000,196 | RHS- | M] () -- C:\BOOT.BAK
[2013/06/25 19:05:49 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2002/08/29 05:00:00 | 000,245,920 | RHS- | M] () -- C:\cmldr
[2013/07/10 16:14:58 | 000,018,363 | ---- | M] () -- C:\ComboFix.txt
[2003/08/23 05:53:27 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2003/08/23 05:53:27 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/11/15 12:02:42 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/11/18 19:25:55 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2013/07/12 16:29:39 | 866,017,280 | -HS- | M] () -- C:\pagefile.sys
[2013/06/28 16:42:23 | 000,084,816 | ---- | M] () -- C:\TDSSKiller.2.8.18.0_28.06.2013_16.39.50_log.txt
[2012/12/02 19:25:25 | 000,026,112 | ---- | M] () -- C:\wii info.xls
[2012/05/15 08:15:55 | 000,000,792 | ---- | M] () -- C:\{8B49D170-407C-42B3-A74F-8D36C0966020}
[2011/10/11 06:07:31 | 000,000,296 | ---- | M] () -- C:\{C2306F69-84A5-4E8D-B548-F9CC5332E6E2}
[2012/01/02 13:55:29 | 000,000,304 | ---- | M] () -- C:\{D2715397-1FAD-4628-8F92-A9CBB39509BC}
 
< %systemroot%\*. /mp /s >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2013-07-12 02:58:14
 
< End of report >
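An added example, not part of this thread and not code from the OTL tool or from Bleeping Computer: a small Python parser for the `[date | size | attrs | M/C] (Company) -- path` file-list lines that make up most of the report above, plus a few triage rules that pick out the entries a helper would look at first. The reference date (2013-07-12), the 30-day window, and the allowlist of hidden+system file names that legitimately live in a profile are assumptions for the sample; the sample lines are copied from the report above with one constructed `desktop.ini` line added to show the allowlist working.

```python
"""Triage helper for OTL file-list lines (added example; not the thread's or OTL's own code)."""
import re
from dataclasses import dataclass
from datetime import datetime

# Shape of one OTL file-list entry, as seen in the report above:
# [2013/06/25 06:55:43 | 000,000,004 | -HS- | C] () -- C:\Documents and Settings\TEMP\win_rhtdo53x4
#  timestamp             size          attrs  M=modified list / C=created list  (company)  path
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)

# Assumption: reference time for the "recent" window is the date of the report above.
NOW = datetime(2013, 7, 12)
PROFILE_ROOT = "c:\\documents and settings\\"
# Assumption: hidden+system names that legitimately live in a user profile (allowlist, not a verdict).
BENIGN_HS_NAMES = {"desktop.ini", "ntuser.dat", "ntuser.ini", "ntuser.dat.log", "thumbs.db"}

# Constructed sample: lines copied from the OTL report above, plus one benign desktop.ini for contrast.
SAMPLE_LOG = r"""
[2013/06/25 06:55:43 | 000,000,004 | -HS- | C] () -- C:\Documents and Settings\TEMP\win_rhtdo53x4
[2013/06/30 14:58:33 | 000,002,401 | ---- | C] () -- C:\Documents and Settings\TEMP\Desktop\Word.lnk
[2067/02/24 16:21:18 | 000,079,947 | ---- | C] () -- C:\WINDOWS\fw20.vxd
[2013/06/26 18:52:09 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013/06/25 07:00:00 | 000,000,084 | -HS- | M] () -- C:\Documents and Settings\TEMP\Desktop\desktop.ini
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
"""


@dataclass
class Entry:
    ts: datetime
    size: int
    attrs: str      # four flag characters, e.g. "RHS-" (Read-only, Hidden, System)
    kind: str       # "M" = from the modified-date list, "C" = from the created-date list
    company: str    # empty when OTL found no company name in the file's version resource
    path: str


def parse_line(line):
    """Return an Entry for one OTL file line, or None for headers and summary lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(
        ts=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=m["company"],
        path=m["path"],
    )


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(entries, now=NOW, window_days=30):
    """Return (reason, path) pairs worth a human look. These are heuristics, not verdicts."""
    findings = []
    for e in entries:
        low = e.path.lower()
        name = low.rsplit("\\", 1)[-1]
        age_days = (now - e.ts).days
        hidden_system = "H" in e.attrs and "S" in e.attrs
        if hidden_system and low.startswith(PROFILE_ROOT) and name not in BENIGN_HS_NAMES:
            # Hidden+System on a file in a user profile: OS files do not normally live there.
            findings.append(("hidden-system-in-profile", e.path))
        elif (e.kind == "C" and name.endswith(".lnk") and 0 <= age_days <= window_days
              and ("\\desktop\\" in low or "\\quick launch\\" in low)):
            # Shortcuts newly created where the user's icons used to be: the symptom reported above.
            findings.append(("recent-shortcut", e.path))
        elif (low.startswith("c:\\windows\\") and not e.company
              and name.endswith((".exe", ".dll", ".vxd", ".sys"))):
            # Executable code under %SystemRoot% with no company name in its version resource.
            findings.append(("no-company-in-windows", e.path))
        if e.ts > now:
            # File times are under the writer's control; a date in the future is a flag on its own.
            findings.append(("future-timestamp", e.path))
    return findings


def triage_sample():
    """Run the rules over the constructed sample above."""
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for reason, path in triage_sample():
        print(f"{reason:26} {path}")
```

Run it over a saved OTL.txt with `triage(parse_log(open("OTL.txt").read()))`. Expect noise from the "no company" rule when cleanup tools have been run (ComboFix drops `grep.exe`, `sed.exe`, `zip.exe` and friends into `C:\WINDOWS`, all without a company name), so read that category as "explain each one" rather than "malicious". The hidden+system rule is the one that matters for the symptom in this thread: the user's files were not deleted, they were marked hidden and replaced by `.lnk` files, and `attrib -h -s` on the flagged paths is how they come back.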


#14 deloria (Topic Starter)

Posted 12 July 2013 - 07:29 PM

Oops, looks like this is the extras.txt and the last one was the OTL.txt. I mixed them up. Sorry. Wow, there is a lot of information here. I'm amazed at what you can figure out with all this stuff. I'm so glad you know what you are doing, Dark Knight :-)
 
 
OTL Extras logfile created on: 7/12/2013 4:41:47 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
503.52 Mb Total Physical Memory | 180.80 Mb Available Physical Memory | 35.91% Memory free
1.27 Gb Paging File | 0.60 Gb Available in Paging File | 46.98% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.96 Gb Total Space | 18.50 Gb Free Space | 26.83% Space Free | Partition Type: NTFS
Drive D: | 5.55 Gb Total Space | 0.96 Gb Free Space | 17.29% Space Free | Partition Type: FAT32
 
Computer Name: DELORIA | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe" = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe:*:Enabled:BackWeb-137903 -- ()
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Documents and Settings\Owner\My Documents\magentic_install.exe" = C:\Documents and Settings\Owner\My Documents\magentic_install.exe:*:Enabled:IncrediMail Installer -- (IncrediMail Ltd.)
"C:\Program Files\Magentic\bin\Magentic.exe" = C:\Program Files\Magentic\bin\Magentic.exe:*:Enabled:Magentic -- ()
"C:\Program Files\Magentic\bin\MgApp.exe" = C:\Program Files\Magentic\bin\MgApp.exe:*:Enabled:Magentic -- ()
"C:\Program Files\Magentic\bin\magentic_install.exe" = C:\Program Files\Magentic\bin\magentic_install.exe:*:Enabled:IncrediMail Installer -- (IncrediMail Ltd.)
"C:\Program Files\Magentic\bin\MgImp.exe" = C:\Program Files\Magentic\bin\MgImp.exe:*:Enabled:Magentic -- (IncrediMail, Ltd.)
"C:\WINDOWS\system32\mshta.exe" = C:\WINDOWS\system32\mshta.exe:*:Enabled:Microsoft ® HTML Application host -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Disabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Disabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Disabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\AVG\AVG2013\avgmfapx.exe" = C:\Program Files\AVG\AVG2013\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2013\avgnsx.exe" = C:\Program Files\AVG\AVG2013\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2013\avgdiagex.exe" = C:\Program Files\AVG\AVG2013\avgdiagex.exe:*:Enabled:AVG Diagnostics 2013 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2013\avgemcx.exe" = C:\Program Files\AVG\AVG2013\avgemcx.exe:*:Enabled:Personal Email Scanner -- (AVG Technologies CZ, s.r.o.)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01F9D88C-3C86-4E82-840A-101A3221F67A}" = Microsoft Money 2003
"{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}" = Microsoft Money 2003 System Pack
"{0613467F-A45E-4CB1-9ECE-1F3DD79FB927}" = Easy Internet Sign-up
"{069730C2-755A-485B-A205-27A1AAFA836A}" = InstantShareAlert
"{098637A9-C208-4398-8374-853151D35200}" = SkinsHP2
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{11946FA8-329A-4DDF-B867-A32781FED8EE}" = HPImageZone
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{14589F05-C658-4594-9429-D437BA688686}" = IntelliMover Data Transfer Demo
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83217025FF}" = Java 7 Update 25
"{2A267BC6-F77F-4DD4-825F-7AEB1F68B4B1}" = HpSdpAppCoreApp
"{2E132061-C78A-48D4-A899-1D13B9D189FA}" = Memories Disc Creator 2.0
"{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
"{2F9EEAFC-F952-4771-9AD3-23F724D7FDFE}" = Coby Media Manager
"{305B23E7-F8D8-4B92-83AA-5AE0D0090DE7}" = Unload
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42948B02-7191-40CF-92AA-4E330869B28B}" = HPIZ Fix2
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45B6180B-DCAB-4093-8EE8-6164457517F0}" = Photosmart 140,240,7200,7600,7700,7900 Series
"{45EBDA59-D33B-433A-956E-B2F236468B56}" = MUSICMATCH® Jukebox
"{468D22C0-8080-11E2-B86E-B8AC6F98CCE3}" = Google Earth
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4FCC384C-18EA-4E25-9281-A06AE006D219}" = Weblink
"{595D0DE8-C38A-4432-B851-47DECC1A99BD}" = HP Unload DLL Patch
"{5C650855-4C2B-418F-A747-8B3D8E3FF2A8}" = TrayApp
"{5D7F0A0E-369E-46C0-9F99-FAB21A064781}" = HP Photo and Imaging 2.0 - Photosmart Cameras
"{5E4339CF-F287-4DB9-BE23-D8460487B3A3}" = AVG 2013
"{62B3B82F-B9B1-4D8C-B5D1-C3DAEA1F73AA}" = PhotoGallery
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{642B473F-2584-4C21-AB10-6D1EF28BD601}" = QuickProjects
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6EA78F57-89F2-4B2E-8ADB-3FA6865D32EF}" = AVG 2013
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{745A92AF-53B4-41A7-91C3-9B026B1D5897}" = InstantShare
"{75AE8014-1184-4BC0-B279-C879540719EE}" = PhotoMail Maker
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{788A0222-5690-4212-AA9C-C48FD0E1C9AE}" = Photo Notifier and Animation Creator
"{7BBD57D6-09B1-4CC3-9664-A0D53EE25247}" = PSShortcutsP
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84464E93-0222-42E5-8CCE-A618F86210F3}" = SkinsHP1
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A62A068-3FD6-495A-9F66-26FE94F32EC9}" = Rhapsody Player Engine
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = RecordNow!
"{98386532-89B5-42FF-AC49-60C0D9DBD8B1}" = CreativeProjects
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD Player
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.03)
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}" = QuickTime
"{B9266252-00CB-4140-B740-DE88FC0F7609}" = hpmdtab
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C224DBAC-57F4-40FD-BB83-09DB532CCD68}" = HPSystemDiagnostics
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF07F56D-F9FD-45CB-8E2B-48786B5B5723}" = Director
"{CFD1B282-555D-494d-8231-4175C2AF08C2}" = PrintScreen
"{D0122362-6333-4DE4-93F6-A5A2F3CC101A}" = HP Organize
"{D2A0F8F4-CE50-4857-A21C-3061682B2E87}" = Sansa Media Converter
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E461E45A-2B48-42FA-90E1-6F36D85DF101}" = Bing Bar
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EEC2DAFD-5558-40AC-8E9C-5005C8F810E8}" = Microsoft Plus! for Windows XP
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F419D20A-7719-4639-8E30-C073A040D878}" = HP Deskjet Preloaded Printer Drivers
"{F4E57F49-84B4-4CF2-B0A1-8CA1752BDF7E}" = OmniPass
"{F61F2821-694C-475F-99AB-6AF2EFDF40FD}" = Quicken 2003 New User Edition
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"1ABC286C-DE10-4590-BEFF-4D0DFF5EA1EC" = GemMaster 3 from Hewlett-Packard Desktops (remove only)
"1FEF9671-50F6-4CB0-9E96-304EB14158E0" = Honeycombs from Hewlett-Packard Desktops (remove only)
"342970EF-F8DF-4E9B-8477-A1A03E3E15E1" = STX from Hewlett-Packard Desktops (remove only)
"357ECB62-CD36-4B63-B57E-769D0CA174F4" = Blasterball 2 from Hewlett-Packard Desktops (remove only)
"36317AE4-57EC-4F3E-B828-009A3DD96BE8" = Polar Bowler from Hewlett-Packard Desktops (remove only)
"4F0AE1FB-4082-4A27-8363-05D292D92FB0" = Virtual Warfare from Hewlett-Packard Desktops (remove only)
"53EF27E9-150C-4063-8343-61C45FC6BB98" = Mars Rover from Hewlett-Packard Desktops (remove only)
"5415BC25-6D6C-46C4-B34C-EA8470FE56D5" = Blackhawk Striker from Hewlett-Packard Desktops (remove only)
"5F804D2B-A66D-4F0A-B64E-FBDA3F52E3F8" = Slyder from Hewlett-Packard Desktops (remove only)
"62067F4C-84A9-45B9-8573-B90468B0A3EF" = Orbital from Hewlett-Packard Desktops (remove only)
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Amazing Adventures Around the World" = Amazing Adventures Around the World
"Amazing Adventures The Lost Tomb" = Amazing Adventures The Lost Tomb
"American Greetings Print 2.0" = American Greetings® Print! Premium 2
"am-texttwist2" = TextTwist 2
"AVG" = AVG 2013
"AVG SafeGuard toolbar" = AVG SafeGuard toolbar
"BackWeb-137903 Uninstaller" = Updates from HP
"Bejeweled 2 Deluxe" = Bejeweled 2 Deluxe
"BFBCBAE3-8293-4215-9C4F-C2402C118EDB" = Otto from Hewlett-Packard Desktops (remove only)
"Blood Ties" = Blood Ties
"Burger Rush" = Burger Rush
"C99127BE-FDE5-49BD-9621-BFE5DF19AA34" = Cannonballs from Hewlett-Packard Desktops (remove only)
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CLUE Classic" = CLUE Classic
"CSCLIB" = Canon Camera Support Core Library
"D11F7128-8CBD-408B-8BF8-034604DEDD42" = Bounce from Hewlett-Packard Desktops (remove only)
"DA44615A-C243-46A4-8E47-184CFF33CD38" = Five Card Frenzy from Hewlett-Packard Desktops (remove only)
"DF479CEA-34C0-460F-9B56-93BCE4CD4086" = Excavation from Hewlett-Packard Desktops (remove only)
"EOS Utility" = Canon Utilities EOS Utility
"ESET Online Scanner" = ESET Online Scanner v3
"GameHouse" = GameHouse
"Google Chrome" = Google Chrome
"HijackThis" = HijackThis 2.0.2
"HP Instant Support" = HP Instant Support
"HP Photo & Imaging" = HP Photo & Imaging 3.0
"HPTOOLKIT" = toolkit
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{0613467F-A45E-4CB1-9ECE-1F3DD79FB927}" = Easy Internet Sign-up
"InstallShield_{F61F2821-694C-475F-99AB-6AF2EFDF40FD}" = Quicken 2003 New User Edition
"Java Web Start" = Java Web Start
"Jewel Quest Mysteries" = Jewel Quest Mysteries
"Lucy's Expedition" = Lucy's Expedition
"Magentic" = Magentic
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"MGI_PRISM_V4_0" = MGI PhotoSuite 4 (Remove Only)
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"NVIDIA Gart Driver" = NVIDIA Gart Driver
"Photo Notifier and Animation Creator" = Photo Notifier and Animation Creator
"Photo Organizer 1.8" = Photo Organizer
"PhotoMail" = PhotoMail Maker
"PhotoStitch" = Canon Utilities PhotoStitch
"Platypus" = Platypus
"Platypus II" = Platypus II
"Private Eye Greatest Unsolved Mysteries" = Private Eye Greatest Unsolved Mysteries
"PS2" = PS2
"Python 2.2 combined Win32 extensions" = Python 2.2 combined Win32 extensions
"Python 2.2.1" = Python 2.2.1
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"S3Display" = S3Display
"S3Gamma2" = S3Gamma2
"S3Info2" = S3Info2
"S3Overlay" = S3Overlay
"Scrapbook Paige" = Scrapbook Paige
"Secunia PSI" = Secunia PSI (3.0.0.6005)
"Settings Alerter" = Settings Alerter
"Shangri La 2 Deluxe" = Shangri La 2 Deluxe
"SpamSubtract" = SpamSubtract
"SpywareBlaster_is1" = SpywareBlaster 4.1
"The Hidden Object Show Season 2" = The Hidden Object Show Season 2
"The Mystery of the Crystal Portal" = The Mystery of the Crystal Portal
"The Nightshift Code" = The Nightshift Code
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Webshots Desktop_is1" = Webshots Desktop
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 7/11/2013 10:43:08 PM | Computer Name = DELORIA | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
 - Failed to compile: C:\Program Files\Windows Live\Writer\WindowsLiveWriter.exe
 . Error code = 0x80070020  
 
Error - 7/12/2013 10:48:27 AM | Computer Name = DELORIA | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
 - Failed to compile: System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
 . Error code = 0x80070020  
 
[ System Events ]
Error - 6/30/2013 3:42:31 PM | Computer Name = DELORIA | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error:   %%2
 
Error - 7/1/2013 9:52:40 AM | Computer Name = DELORIA | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error:   %%2
 
Error - 7/6/2013 10:48:15 AM | Computer Name = DELORIA | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error:   %%2
 
Error - 7/10/2013 1:49:08 PM | Computer Name = DELORIA | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error:   %%2
 
Error - 7/10/2013 6:02:36 PM | Computer Name = DELORIA | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error:   %%2
 
Error - 7/10/2013 6:48:00 PM | Computer Name = DELORIA | Source = Service Control Manager | ID = 7034
Description = The Softex OmniPass Service service terminated unexpectedly.  It has
 done this 1 time(s).
 
Error - 7/11/2013 6:10:17 PM | Computer Name = DELORIA | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error:   %%2
 
Error - 7/11/2013 6:52:45 PM | Computer Name = DELORIA | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
 the avgwd service.
 
Error - 7/12/2013 10:37:33 AM | Computer Name = DELORIA | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
 while processing the file '' on the volume 'HarddiskVolume2'.  It has stopped monitoring
 the volume.
 
Error - 7/12/2013 10:38:24 AM | Computer Name = DELORIA | Source = Service Control Manager | ID = 7000
Description = The mrtRate service failed to start due to the following error:   %%2
 
 
< End of report >

#15 The Dark Knight

    The Magician

  • Security Colleague
  • 661 posts

Posted 12 July 2013 - 08:01 PM

Good morning deloria,

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTL

    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    :Commands
    [EmptyTemp]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

=====

With this weird TEMP issue you have raised, please see this topic and see if it helps:

http://www.techsupportforum.com/forums/f10/strange-problem-c-documents-and-settings-temp-605942.html

=====

How are things on your computer now?

If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!

If I have helped you please consider donating to the Neuroscience Research Institute.
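For readers who want to see what the O6 and O7 lines in the fix above refer to: OTL reports "present" when the Internet Explorer policy keys exist under HKLM (O6) or HKCU (O7). Group Policy uses these keys legitimately on managed machines, but on a standalone home PC they are usually there because a hijacker wrote them to lock the home page, search or Internet Options dialogs (for example Control Panel\HomePage = 1 greys out the home page box). The PowerShell script below is an added example, not part of this post or of OTL: it backs up each hive's Internet Explorer policy tree to a .reg file and then lists every value under both the Restrictions and Control Panel subkeys in both hives (broader than the two lines in the fix), without changing anything. The backup folder name is an assumption; change it as needed.

```powershell
# Added example (not from the post or from OTL): back up and inspect the
# Internet Explorer policy keys that OTL lists as O6 (HKLM) and O7 (HKCU).
# Read-only apart from the .reg export. Run from an elevated PowerShell prompt.

$backupDir = 'C:\IEPolicyBackup'      # assumed location, change to taste
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

# PowerShell registry drive -> hive name that reg.exe understands
$hives   = @{ 'HKLM:' = 'HKLM'; 'HKCU:' = 'HKCU' }
$subkeys = @('Restrictions', 'Control Panel')

foreach ($drive in $hives.Keys) {
    $root = "$drive\Software\Policies\Microsoft\Internet Explorer"
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Output "no IE policy key under $drive"
        continue
    }

    # Export the whole policy tree before any fix touches it (reg.exe ships with XP).
    # A timestamped file name avoids reg.exe's overwrite prompt.
    if (-not (Test-Path -LiteralPath $backupDir)) {
        New-Item -ItemType Directory -Path $backupDir | Out-Null
    }
    $regPath = $root -replace ':', ''
    $file    = Join-Path $backupDir ("IEPolicy-{0}-{1}.reg" -f $hives[$drive], $stamp)
    & reg.exe export $regPath $file | Out-Null
    Write-Output "exported $regPath to $file"

    foreach ($sub in $subkeys) {
        $key = "$root\$sub"
        if (-not (Test-Path -LiteralPath $key)) {
            Write-Output "absent  : $key"
            continue
        }
        $item  = Get-Item -LiteralPath $key
        $names = $item.GetValueNames()
        Write-Output ("present : {0} ({1} value(s))" -f $key, $names.Count)
        foreach ($name in $names) {
            # Most entries here are REG_DWORD flags; 1 means the matching IE
            # setting is locked against the user (e.g. Control Panel\HomePage).
            Write-Output ("    {0} = {1}" -f $name, $item.GetValue($name))
        }
    }
}
```

Run it once before the OTL fix to record what was set, and again afterwards to confirm the keys are gone. If the machine is domain-joined, those keys may be pushed by Group Policy and will simply come back, so check with the administrator before treating them as malware. The exported .reg files can be restored with reg import if a value turns out to have been wanted.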




