Win32/Nuqel.E and BankerFox.A

Post by taxirayray on 9th February 2010, 7:45 pm

I am having problems with these two viruses. I have picked up from reading a few posts that you will need this. I got OTL working by changing the file name to explorer.exe, which I read somewhere on here as well. Please please please help me!



OTL logfile created on: 2/9/2010 2:38:50 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Justin\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.00 Mb Total Physical Memory | 219.00 Mb Available Physical Memory | 49.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 45.11 Gb Free Space | 80.72% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEVIL
Current User Name: Justin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/09 14:20:39 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Justin\Desktop\explorer.exe
PRC - [2010/02/08 19:17:08 | 000,458,496 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\dxgoar\bsfmsftav.exe
PRC - [2009/12/11 15:57:56 | 000,948,672 | R--- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
PRC - [2009/11/12 16:33:10 | 000,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/11/12 16:33:00 | 000,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/11/10 23:08:18 | 000,417,792 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2009/08/28 19:42:54 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/10/18 21:05:26 | 000,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2004/08/04 00:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/05/15 21:27:50 | 000,397,312 | ---- | M] () -- C:\WINDOWS\system32\ati2evxx.exe


========== Modules (SafeList) ==========

MOD - [2010/02/09 14:20:39 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Justin\Desktop\explorer.exe
MOD - [2004/08/04 00:57:02 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Avg7UpdSvc)
SRV - File not found [Auto | Stopped] -- -- (Avg7Alrt)
SRV - [2009/11/12 16:33:00 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/28 19:42:54 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2007/06/04 22:14:50 | 000,217,088 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2007/06/04 22:14:50 | 000,131,072 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/11/14 21:35:30 | 000,068,096 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2006/11/08 16:35:38 | 000,053,248 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2006/11/08 16:35:36 | 000,043,520 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2004/05/15 21:27:50 | 000,397,312 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2003/02/20 18:19:38 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)


========== Driver Services (SafeList) ==========

DRV - [2009/05/18 14:17:00 | 000,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2007/12/20 13:03:10 | 000,010,760 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avgclean.sys.install_backup -- (AvgClean)
DRV - [2007/10/22 15:41:37 | 000,821,856 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avg7core.sys.install_backup -- (Avg7Core)
DRV - [2007/04/03 20:49:07 | 000,027,776 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avg7rsxp.sys.install_backup -- (Avg7RsXP)
DRV - [2007/04/03 20:49:07 | 000,004,224 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avg7rsw.sys.install_backup -- (Avg7RsW)
DRV - [2007/04/03 20:48:47 | 000,004,960 | ---- | M] (GRISOFT, s.r.o.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\avgtdi.sys.install_backup -- (AvgTdi)
DRV - [2007/03/07 23:20:50 | 000,021,568 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2007/03/07 23:20:49 | 000,016,496 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2007/03/07 23:20:48 | 000,049,920 | R--- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2005/10/20 20:47:05 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023x.sys -- (usb_rndisx)
DRV - [2005/06/24 18:36:16 | 000,039,036 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2005/05/26 11:01:36 | 000,038,144 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2005/05/26 11:01:18 | 000,021,344 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2004/08/03 22:32:22 | 000,231,552 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ac97ali.sys -- (aliadwdm)
DRV - [2004/05/15 21:29:12 | 000,701,952 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2003/05/02 10:58:22 | 000,173,056 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2001/08/23 07:00:00 | 000,027,440 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2001/08/23 07:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/23 07:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:56:16 | 000,007,552 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)
DRV - [2001/08/17 07:12:32 | 000,016,074 | ---- | M] (NETGEAR Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\FA312nd5.sys -- (FA312)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"
FF - prefs.js..browser.search.defaulturl: "http://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "[You must be registered and logged in to see this link.]
FF - prefs.js..extensions.enabledItems: {336dc353-5272-420c-84e7-ba1f3c9c2aeb}:1.300.299
FF - prefs.js..extensions.enabledItems: {1CD12824-AE3B-44EE-BD8F-403F1E48FD3A}:0.9.17
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:7
FF - prefs.js..keyword.URL: "http://search.freecause.com/search?fr=freecause&ourmark=3&type=60459&p="


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/27 00:46:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/17 19:41:59 | 000,000,000 | ---D | M]

[2008/08/27 19:59:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Mozilla\Extensions
[2010/02/09 09:27:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\qp9ktyi9.default\extensions
[2009/12/09 09:30:24 | 000,000,000 | ---D | M] (GoodSearch Toolbar) -- C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\qp9ktyi9.default\extensions\{1CD12824-AE3B-44EE-BD8F-403F1E48FD3A}
[2010/01/10 21:31:32 | 000,000,000 | ---D | M] (Causes) -- C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\qp9ktyi9.default\extensions\{336dc353-5272-420c-84e7-ba1f3c9c2aeb}
[2010/01/10 21:32:23 | 000,001,720 | ---- | M] () -- C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\qp9ktyi9.default\searchplugins\causes-search.xml
[2010/02/09 09:27:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/16 12:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2009/11/13 15:34:12 | 000,000,161 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 antiviraprof2009.microsoft.com
O1 - Hosts: 91.212.127.227 antiviraprof2009.com
O1 - Hosts: 91.212.127.227 [You must be registered and logged in to see this link.]
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (HP Print Clips) - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [fvilrcst] C:\Documents and Settings\Justin\Local Settings\Application Data\dxgoar\bsfmsftav.exe ()
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKCU..\Run: [fvilrcst] C:\Documents and Settings\Justin\Local Settings\Application Data\dxgoar\bsfmsftav.exe ()
O4 - HKCU..\Run: [tcactive] C:\Program Files\The Cleaner\tcap.exe (MooSoft Development Inc)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} [You must be registered and logged in to see this link.] (MySpace Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} [You must be registered and logged in to see this link.] (Get_ActiveX Control)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_05)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.77.134 68.87.72.134
O20 - HKLM Winlogon: Shell - (Explorer.exe) - Explorer.exe (OldTimer Tools)
O24 - Desktop WallPaper: C:\Documents and Settings\Justin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Justin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/06 22:20:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/09 14:28:13 | 000,000,000 | ---D | C] -- C:\cmdcons
[2010/02/09 14:27:23 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/09 14:27:23 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/09 14:27:23 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/09 14:27:23 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/09 14:27:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/09 14:27:14 | 000,000,000 | --SD | C] -- C:\commy
[2010/02/09 14:26:27 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/09 14:20:42 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Justin\Desktop\explorer.exe
[2010/02/09 13:05:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Justin\Application Data\thecleaner
[2010/02/09 13:05:01 | 000,000,000 | ---D | C] -- C:\Program Files\The Cleaner
[2010/02/09 13:03:11 | 029,081,776 | ---- | C] (MooSoft Development Inc ) -- C:\Documents and Settings\Justin\Desktop\cleaner6_setup.exe
[2010/02/09 12:48:39 | 037,781,272 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\All Users\Desktop\TrendMicro_TAV_17.50_en-US_32-bit.exe
[2010/02/09 12:32:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2010/02/09 12:27:52 | 069,870,696 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Justin\Desktop\kav9.0.0.736en.exe
[2010/02/09 11:38:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\TrendMicro_TAV_17.50_en-US_32-bit
[2010/02/09 11:36:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Justin\Desktop\TrendMicro_Downloader
[2010/02/09 11:36:07 | 001,997,856 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Justin\Desktop\TrendMicro_Downloader.exe
[2010/02/09 11:19:43 | 001,840,232 | ---- | C] (Trend Micro) -- C:\Documents and Settings\Justin\Desktop\HousecallLauncher.exe
[2010/02/09 11:01:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/02/09 11:01:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/02/09 11:01:50 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/02/09 11:01:50 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/02/09 09:39:32 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/02/08 20:39:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Justin\Application Data\AVG8
[2010/02/08 20:39:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/08 20:28:17 | 046,664,160 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Justin\My Documents\avinstall.exe
[2010/02/08 20:19:45 | 000,891,192 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Justin\My Documents\avg_avwt_stb_all_9_40.exe
[2010/02/08 19:27:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/02/08 19:17:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Justin\Local Settings\Application Data\dxgoar
[2010/01/17 19:43:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2010/01/17 19:42:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Justin\Local Settings\Application Data\AIM
[2010/01/17 19:42:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AIM
[2010/01/17 19:41:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AOL Downloads
[2010/01/15 09:34:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9 Installer
[2010/01/15 09:33:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/01/15 09:31:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/11/16 00:00:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVG7
[2008/11/03 12:01:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2008/11/03 12:01:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2007/11/29 19:49:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Talkback
[2007/11/27 15:48:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2007/11/27 15:48:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2007/04/12 19:48:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Viewpoint
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/09 14:38:30 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/09 14:38:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/09 14:28:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/09 14:22:50 | 001,401,344 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\HijackThis.msi
[2010/02/09 14:20:39 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Justin\Desktop\explorer.exe
[2010/02/09 14:08:47 | 003,852,756 | R--- | M] () -- C:\Documents and Settings\Justin\Desktop\commy.exe
[2010/02/09 14:00:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At63.job
[2010/02/09 14:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2010/02/09 14:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/02/09 13:12:36 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\Justin\NTUSER.DAT
[2010/02/09 13:12:36 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Justin\ntuser.ini
[2010/02/09 13:12:31 | 003,712,656 | -H-- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\IconCache.db
[2010/02/09 13:05:13 | 000,000,645 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\The Cleaner 2010.lnk
[2010/02/09 13:04:28 | 029,081,776 | ---- | M] (MooSoft Development Inc ) -- C:\Documents and Settings\Justin\Desktop\cleaner6_setup.exe
[2010/02/09 12:50:36 | 037,781,272 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\All Users\Desktop\TrendMicro_TAV_17.50_en-US_32-bit.exe
[2010/02/09 12:31:23 | 069,870,696 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Justin\Desktop\kav9.0.0.736en.exe
[2010/02/09 11:36:10 | 001,997,856 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Justin\Desktop\TrendMicro_Downloader.exe
[2010/02/09 11:29:24 | 001,840,232 | ---- | M] (Trend Micro) -- C:\Documents and Settings\Justin\Desktop\HousecallLauncher.exe
[2010/02/09 11:08:56 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\housecall.guid.cache
[2010/02/09 11:03:14 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/02/09 10:06:01 | 000,001,891 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/08 22:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At71.job
[2010/02/08 22:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2010/02/08 22:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/02/08 21:00:02 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At70.job
[2010/02/08 21:00:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2010/02/08 21:00:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/02/08 20:33:29 | 046,664,160 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Justin\My Documents\avinstall.exe
[2010/02/08 20:19:44 | 000,891,192 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Justin\My Documents\avg_avwt_stb_all_9_40.exe
[2010/02/08 20:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At69.job
[2010/02/08 20:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2010/02/08 20:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/02/08 19:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At68.job
[2010/02/08 19:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2010/02/08 19:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/02/08 10:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At59.job
[2010/02/08 10:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2010/02/08 10:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/02/07 12:00:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At61.job
[2010/02/07 12:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2010/02/07 12:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/02/07 11:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At60.job
[2010/02/07 11:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2010/02/07 11:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/02/06 18:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At67.job
[2010/02/06 18:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2010/02/06 18:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/02/06 03:00:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At52.job
[2010/02/06 03:00:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/02/06 03:00:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2010/02/05 16:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At65.job
[2010/02/05 16:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2010/02/05 16:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/02/05 15:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At64.job
[2010/02/05 15:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2010/02/05 15:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/02/04 13:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At62.job
[2010/02/04 13:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2010/02/04 13:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/02/04 01:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At50.job
[2010/02/04 01:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2010/02/04 01:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/02/04 00:35:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At49.job
[2010/02/04 00:34:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/02/04 00:28:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2010/02/02 23:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At72.job
[2010/02/02 23:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2010/02/02 23:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/02/02 20:44:05 | 000,234,496 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/30 17:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At66.job
[2010/01/30 17:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2010/01/30 17:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/01/28 17:51:12 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\Low Carb Recipes.doc
[2010/01/26 20:31:47 | 000,851,974 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\tweet.jpg
[2010/01/25 02:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At51.job
[2010/01/25 02:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/01/25 02:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2010/01/22 09:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At58.job
[2010/01/22 09:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2010/01/22 09:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/01/21 14:04:59 | 000,857,530 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\social.jpg
[2010/01/19 23:55:13 | 001,039,894 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\tag.jpg
[2010/01/19 10:01:32 | 000,853,830 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\day5.jpg
[2010/01/18 21:21:39 | 000,857,526 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\2.jpg
[2010/01/18 15:05:25 | 000,850,134 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\1.jpg
[2010/01/18 10:30:45 | 000,835,306 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\day4.jpg
[2010/01/17 19:43:17 | 000,000,862 | -H-- | M] () -- C:\IPH.PH
[2010/01/17 18:54:58 | 000,850,138 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\day3.jpg
[2010/01/16 17:39:12 | 000,853,830 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\cause.jpg
[2010/01/16 17:27:19 | 000,065,100 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\day2.jpg
[2010/01/16 17:20:54 | 000,851,982 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\su.jpg
[2010/01/15 18:19:09 | 000,851,982 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\day1.jpg
[2010/01/15 18:16:10 | 000,853,830 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\sub3.jpg
[2010/01/15 18:12:11 | 000,851,982 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\sub2.jpg
[2010/01/15 18:04:24 | 000,853,830 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\sub1.jpg
[2010/01/15 17:59:01 | 000,853,826 | ---- | M] () -- C:\Documents and Settings\Justin\Desktop\sub.jpg
[2010/01/15 09:37:23 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/01/15 09:34:16 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/01/12 09:53:58 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/09 14:28:25 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/09 14:28:20 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/09 14:27:23 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/09 14:27:23 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/09 14:27:23 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/09 14:27:23 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/09 14:27:23 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/09 14:22:51 | 001,401,344 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\HijackThis.msi
[2010/02/09 14:08:51 | 003,852,756 | R--- | C] () -- C:\Documents and Settings\Justin\Desktop\commy.exe
[2010/02/09 13:05:13 | 000,000,645 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Cleaner 2010.lnk
[2010/02/09 11:08:56 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\housecall.guid.cache
[2010/01/26 20:31:46 | 000,851,974 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\tweet.jpg
[2010/01/24 21:44:58 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\Low Carb Recipes.doc
[2010/01/21 14:04:58 | 000,857,530 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\social.jpg
[2010/01/19 23:55:12 | 001,039,894 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\tag.jpg
[2010/01/19 10:01:31 | 000,853,830 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\day5.jpg
[2010/01/18 21:21:38 | 000,857,526 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\2.jpg
[2010/01/18 15:05:25 | 000,850,134 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\1.jpg
[2010/01/18 10:30:44 | 000,835,306 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\day4.jpg
[2010/01/17 18:54:57 | 000,850,138 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\day3.jpg
[2010/01/16 17:35:05 | 000,853,830 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\cause.jpg
[2010/01/16 17:27:18 | 000,065,100 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\day2.jpg
[2010/01/16 17:20:54 | 000,851,982 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\su.jpg
[2010/01/15 18:19:08 | 000,851,982 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\day1.jpg
[2010/01/15 18:16:09 | 000,853,830 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\sub3.jpg
[2010/01/15 18:12:10 | 000,851,982 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\sub2.jpg
[2010/01/15 18:04:23 | 000,853,830 | ---- | C] () -- C:\Documents and Settings\Justin\Desktop\sub1.jpg
[2010/01/15 09:37:23 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/01/15 09:34:16 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2008/10/13 17:40:50 | 000,000,753 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/05/24 14:19:28 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/03/14 17:36:28 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Justin\Application Data\$_hpcst$.hpc
[2006/11/14 21:44:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/11/11 16:08:36 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/11/07 22:30:05 | 000,046,080 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/11/07 22:22:15 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/11/07 22:22:15 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2006/11/07 22:22:15 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/11/07 22:22:15 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\libfaac.dll
[2006/11/07 22:22:13 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2006/11/07 00:14:00 | 000,234,496 | ---- | C] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/05/15 21:27:54 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2001/08/23 07:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD
< End of report >



OTL Extras logfile created on: 2/9/2010 2:38:50 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Justin\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.00 Mb Total Physical Memory | 219.00 Mb Available Physical Memory | 49.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 45.11 Gb Free Space | 80.72% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEVIL
Current User Name: Justin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BearShare\BearShare.exe" = C:\Program Files\BearShare\BearShare.exe:*:Enabled:BearShare -- (Free Peers, Inc.)
"C:\Program Files\BearFlix\bearflix.exe" = C:\Program Files\BearFlix\bearflix.exe:*:Enabled:BearFlix -- File not found
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Disabled:AOL Instant Messenger -- File not found
"C:\Program Files\Azureus\Azureus.exe" = C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus -- File not found
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe" = C:\Program Files\BearShare Applications\BearShare\BearShare.exe:*:Enabled:BearShare -- File not found
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AIM7\aim.exe" = C:\Program Files\AIM7\aim.exe:*:Enabled:AIM -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{001E7FB6-BB6B-4ED0-BEDC-B5404ED96D4E}" = DocProc
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
"{22466889-7642-488d-AA0E-F619704CF7AB}" = DeviceDiscovery
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{415CDA53-9100-476F-A7B2-476691E117C7}" = HP Smart Web Printing
"{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{81E76DE9-BBCB-449C-91BB-6E4E5436D496}" = Adobe Audition 1.0
"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
"{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{911A0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Outlook 2002
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB40272D-92AB-4F30-B36B-22EDE16F8FE5}" = HP Update
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{ACA85783-8EEA-4f0a-B2A3-A8173F30209F}" = C4200_doccd
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B09BCBF6-87EE-4403-A336-3A9510856535}" = HP Photosmart All-In-One Software 9.0
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{BFDE4176-5DFE-4db9-AA00-8F30CB001BDA}" = c4200_Help
"{C39E671D-0528-4c5e-A034-8470C5BC393A}" = C4200
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D8B7A682-20DA-4797-8415-B1FB14D4D32B}" = PS_AIO_Software
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E28750A2-45F2-4b63-99F7-9F81A94B1E2D}" = PS_AIO_Software_min
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
"{FD7F242B-9AA0-40c3-941E-3A9821D19C09}" = PS_AIO_ProductContext
"{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AviSynth" = AviSynth 2.5
"Broadcom 802.11b Network Adapter" = HP WLAN 54g W450 Network Adapter
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Guitar Pro 5_is1" = Guitar Pro 5.1
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Photosmart Essential" = HP Photosmart Essential 2.01
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"HPExtendedCapabilities" = HP Customer Participation Program 9.0
"HPOCR" = HP OCR Software 9.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"KLiteCodecPack_is1" = K-Lite Codec Pack 2.41 Full
"LG USB Drivers" = LG USB Drivers
"Mozilla Firefox (3.0.17)" = Mozilla Firefox (3.0.17)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Photo Viewer" = Photo Viewer 2.3
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"The Cleaner_is1" = The Cleaner 2010
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/15/2010 10:07:10 AM | Computer Name = DEVIL | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 10.0.2627.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/9/2010 3:08:16 PM | Computer Name = DEVIL | Source = DCOM | ID = 10010
Description = The server {C6DA6324-D5EE-4DCB-9D07-789669BB0A11} did not register
with DCOM within the required timeout.

Error - 2/9/2010 3:22:17 PM | Computer Name = DEVIL | Source = DCOM | ID = 10010
Description = The server {C6DA6324-D5EE-4DCB-9D07-789669BB0A11} did not register
with DCOM within the required timeout.

Error - 2/9/2010 3:25:58 PM | Computer Name = DEVIL | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/9/2010 3:26:04 PM | Computer Name = DEVIL | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service MSIServer with
arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

Error - 2/9/2010 3:26:43 PM | Computer Name = DEVIL | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AmdK7 Avg7Core Avg7RsW Avg7RsXP AvgClean Fips

Error - 2/9/2010 3:36:54 PM | Computer Name = DEVIL | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service MSIServer with
arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

Error - 2/9/2010 3:38:46 PM | Computer Name = DEVIL | Source = Service Control Manager | ID = 7000
Description = The AVG7 Alert Manager Server service failed to start due to the following
error: %%2

Error - 2/9/2010 3:38:46 PM | Computer Name = DEVIL | Source = Service Control Manager | ID = 7000
Description = The AVG7 Update Service service failed to start due to the following
error: %%2

Error - 2/9/2010 3:38:46 PM | Computer Name = DEVIL | Source = Service Control Manager | ID = 7000
Description = The AVG Network Redirector service failed to start due to the following
error: %%2

Error - 2/9/2010 3:38:50 PM | Computer Name = DEVIL | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avg7Core Avg7RsW Avg7RsXP AvgClean


< End of report >

taxirayray
Beginner
Posts : 4
Joined : 2010-02-09
Gender : Female
OS : Windows XP
Points : 24988
# Likes : 0

Re: Win32/Nuqel.E and BankerFox.A

Post by Belahzur on 10th February 2010, 12:24 am

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :OTL
    PRC - [2010/02/08 19:17:08 | 000,458,496 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\dxgoar\bsfmsftav.exe
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - No CLSID value found.
    O4 - HKCU..\Run: [fvilrcst] C:\Documents and Settings\Justin\Local Settings\Application Data\dxgoar\bsfmsftav.exe ()
    O4 - HKLM..\Run: [fvilrcst] C:\Documents and Settings\Justin\Local Settings\Application Data\dxgoar\bsfmsftav.exe ()
    [2010/02/08 20:28:17 | 046,664,160 | ---- | C] (PC Tools ) -- C:\Documents and Settings\Justin\My Documents\avinstall.exe
    [2010/02/08 19:17:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Justin\Local Settings\Application Data\dxgoar

    :files
    C:\WINDOWS\tasks\At*.job

    :commands
    [resethosts]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1
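The OTL fix above singles out entries by two signals that are visible in the log itself: the executable has no company name, and it lives under the user's Application Data folders, where a normal installer would not put a program that also registers a Run key. The following Python script is an added example, not part of this thread and not OTL's own code; it parses OTL `PRC` and `O4` lines in the shape shown in the posts, flags entries that match those two signals, cross-references running processes with Run keys, and renders the flagged lines as the `:OTL` block of a custom fix. The sample lines are constructed in the shape of the log above, and the regular expressions, the `USER_DATA_RE` folder heuristic and all function names are this example's own assumptions.

```python
import re
from collections import namedtuple

# One parsed OTL entry. 'raw' keeps the original line so it can be pasted
# back into an OTL custom fix unchanged, as the fix script in the post does.
Entry = namedtuple("Entry", "kind name path company raw")

# OTL process line:  PRC - [date | size | attrs | M] (Company) -- C:\path\file.exe
PRC_RE = re.compile(r"^PRC - \[[^\]]*\] \((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$")
# OTL autorun line:  O4 - HKCU..\Run: [ValueName] C:\path\file.exe (Company)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<company>[^)]*)\)\s*$"
)
# Per-user writable data folders (XP layout as in the log, plus the Vista+ layout).
# This heuristic is an assumption of the example, not an OTL rule.
USER_DATA_RE = re.compile(
    r"\\(Documents and Settings\\[^\\]+\\(Local Settings\\)?Application Data|Users\\[^\\]+\\AppData)\\",
    re.IGNORECASE,
)

# Constructed sample in the shape of OTL output: the unsigned entries mirror the
# ones named in the fix script above, the signed ones are benign controls.
SAMPLE_OTL_LINES = r"""
PRC - [2010/02/09 14:20:39 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Justin\Desktop\explorer.exe
PRC - [2010/02/08 19:17:08 | 000,458,496 | ---- | M] () -- C:\Documents and Settings\Justin\Local Settings\Application Data\dxgoar\bsfmsftav.exe
PRC - [2009/12/11 15:57:56 | 000,948,672 | R--- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
O4 - HKCU..\Run: [fvilrcst] C:\Documents and Settings\Justin\Local Settings\Application Data\dxgoar\bsfmsftav.exe ()
O4 - HKLM..\Run: [fvilrcst] C:\Documents and Settings\Justin\Local Settings\Application Data\dxgoar\bsfmsftav.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
"""


def parse_entries(text):
    """Return Entry objects for every PRC and O4 line; other sections are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PRC_RE.match(line)
        if m:
            entries.append(Entry("PRC", "", m["path"].strip(), m["company"].strip(), line))
            continue
        m = O4_RE.match(line)
        if m:
            name = f"{m['hive']}\\Run:{m['name']}"
            entries.append(Entry("O4", name, m["path"].strip(), m["company"].strip(), line))
    return entries


def is_suspicious(entry):
    """Unsigned (empty company field) and living in a user-writable data folder."""
    return entry.company == "" and USER_DATA_RE.search(entry.path) is not None


def triage(text):
    """Suspicious entries, in log order."""
    return [e for e in parse_entries(text) if is_suspicious(e)]


def persistence_map(entries):
    """Map each executable path to the entry kinds that reference it, so a
    running process (PRC) that also owns a Run key (O4) stands out."""
    by_path = {}
    for e in entries:
        by_path.setdefault(e.path.lower(), set()).add(e.kind)
    return by_path


def build_otl_fix(entries):
    """Render flagged entries as the ':OTL' block of an OTL custom fix. The
    original lines are reused verbatim because that is what OTL acts on."""
    return ":OTL\n" + "\n".join(e.raw for e in entries) + "\n"


if __name__ == "__main__":
    flagged = triage(SAMPLE_OTL_LINES)
    for e in flagged:
        print(f"{e.kind:<3} {e.name:<20} {e.path}")
    print(build_otl_fix(flagged))
```

Run against the sample, the script flags the `bsfmsftav.exe` process line and both of its Run keys and leaves the signed OldTimer, Adobe and Apple entries alone; `persistence_map` shows that same path referenced by both a `PRC` and an `O4` entry, which is the combination the fix targets. The generated `:OTL` block covers only autorun and process lines; the folder, the downloaded installer and the scheduled `At*.job` tasks in the post's fix still have to be added by hand.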

Re: Win32/Nuqel.E and BankerFox.A

Post by taxirayray on 10th February 2010, 12:51 am

From messing around and doing a few different things I read in various posts about the same virus I managed to get Malwarebytes to run in Safe Mode so I could install it. I scanned my computer and it found the infected files and quarantined them and removed them. I have read through other posts though that some people have done this and found the virus is still there. Should I proceed with the directions you gave me or is there a simpler way since I can download and run anything for the time being?

taxirayray
Beginner
Posts : 4
Joined : 2010-02-09
Gender : Female
OS : Windows XP
Points : 24988
# Likes : 0

Re: Win32/Nuqel.E and BankerFox.A

Post by Belahzur on 10th February 2010, 7:08 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1

Re: Win32/Nuqel.E and BankerFox.A

Post by taxirayray on 10th February 2010, 8:56 pm

ComboFix 10-02-10.01 - Justin 02/10/2010 15:34:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.103 [GMT -5:00]
Running from: c:\documents and settings\Justin\Desktop\Combo-Fix.exe
AV: AVG 7.5.560 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\documents and settings\Justin\Local Settings\Application Data\cownsa
c:\documents and settings\Justin\Local Settings\Application Data\cownsa\vrrxsysguard.exe
c:\documents and settings\Justin\Local Settings\Application Data\dxgoar
c:\documents and settings\Justin\Local Settings\Application Data\dxgoar\bsfmsftav.exe
c:\windows\system32\AutoRun.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.

2010-02-09 22:50 . 2010-02-09 22:50 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-09 22:50 . 2010-02-09 22:50 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-09 22:40 . 2010-02-09 22:40 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-02-09 22:40 . 2010-02-09 22:40 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-02-09 22:37 . 2010-02-10 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-02-09 22:37 . 2010-02-09 22:37 -------- d-----w- c:\program files\Kaspersky Lab
2010-02-09 22:09 . 2010-02-09 22:09 -------- d-----w- c:\documents and settings\Justin\Application Data\Malwarebytes
2010-02-09 22:05 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-09 22:05 . 2010-02-09 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-09 22:05 . 2010-02-09 22:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-09 22:05 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-09 19:27 . 2010-02-09 19:28 -------- d-----w- C:\commy
2010-02-09 18:05 . 2010-02-09 18:05 -------- d-----w- c:\documents and settings\Justin\Application Data\thecleaner
2010-02-09 17:32 . 2010-02-09 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-02-09 01:39 . 2010-02-09 01:39 -------- d-----w- c:\documents and settings\Justin\Application Data\AVG8
2010-02-09 01:39 . 2010-02-09 14:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-09 01:13 . 2010-02-09 01:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-09 00:27 . 2010-02-09 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-18 00:43 . 2010-01-18 00:43 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-01-18 00:42 . 2010-01-18 01:07 -------- d-----w- c:\documents and settings\Justin\Local Settings\Application Data\AIM
2010-01-18 00:42 . 2010-01-18 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-01-15 14:38 . 2010-01-15 14:38 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-15 14:33 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Justin\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-01-15 14:33 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-01-15 14:33 . 2010-01-15 14:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-15 14:31 . 2010-01-15 14:31 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-15 14:31 . 2010-01-15 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-10 00:51 . 2007-10-23 23:36 -------- d-----w- c:\program files\AviSynth 2.5
2010-02-09 05:00 . 2006-11-11 20:25 -------- d-----w- c:\program files\Azureus
2010-02-09 01:10 . 2009-04-16 21:07 -------- d-----w- c:\program files\Common Files\AOL
2010-02-09 00:30 . 2009-11-13 16:04 -------- d-----w- c:\program files\Alwil Software
2010-01-18 00:41 . 2010-01-18 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-01-15 14:37 . 2006-11-08 02:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-30 18:50 . 2007-05-24 19:21 -------- d-----w- c:\documents and settings\Justin\Application Data\Apple Computer
2009-12-27 02:18 . 2009-12-27 02:18 18240 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-27 02:00 . 2009-12-27 01:58 -------- d-----w- c:\program files\iTunes
2009-12-27 01:59 . 2009-12-27 01:59 -------- d-----w- c:\program files\iPod
2009-12-27 01:59 . 2009-01-13 02:11 -------- d-----w- c:\program files\Common Files\Apple
2009-12-27 01:57 . 2009-12-27 01:56 -------- d-----w- c:\program files\QuickTime
2009-12-27 01:56 . 2007-05-20 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-02 00:34 . 2010-01-11 02:31 65536 ----a-w- c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\qp9ktyi9.default\extensions\{336dc353-5272-420c-84e7-ba1f3c9c2aeb}\components\Engine.dll
2009-11-14 13:06 . 2009-11-14 13:06 59976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\setup.exe
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-05-16 02:00 335872 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 02:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/16/2009 4:08 PM 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\qp9ktyi9.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\qp9ktyi9.default\extensions\{336dc353-5272-420c-84e7-ba1f3c9c2aeb}\components\Engine.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Justin\Application Data\Move Networks\plugins\npqmp071502000008.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-AVG7_Run - c:\progra~1\Grisoft\AVGFRE~1\avgw.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe
MSConfigStartUp-AVG7_EMC - c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe
MSConfigStartUp-PC Connection Agent - c:\program files\Microsoft ActiveSync\wcescomm.exe
MSConfigStartUp-qxixjprs - c:\documents and settings\Justin\Local Settings\Application Data\cownsa\vrrxsysguard.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-10 15:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1060284298-839522115-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Param2"=""
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:0000000b
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3000)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-10 15:55:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-10 20:55

Pre-Run: 47,573,233,664 bytes free
Post-Run: 48,380,428,288 bytes free

- - End Of File - - 24B1B09FA0E9CC171441E4E4B84C0F76

taxirayray
Beginner

Posts : 4
Joined : 2010-02-09
Gender : Female
OS : Windows XP
Points : 24988
# Likes : 0

Re: Win32/Nuqel.E and BankerFox.A

Post by Belahzur on 11th February 2010, 12:36 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0 Update 9
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) SE Runtime Environment 6 Update 1
    Java(TM) 6 Update 2
    Java(TM) 6 Update 5
    Viewpoint Media Player

Do you have Kaspersky installed or AVG?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1

Re: Win32/Nuqel.E and BankerFox.A

Post by taxirayray on 11th February 2010, 2:34 am

I have Kaspersky installed. Other programs keep telling me I have AVG installed but when I go to the add/remove programs I can't find it to get rid of it or figure out where it is.

taxirayray
Beginner

Posts : 4
Joined : 2010-02-09
Gender : Female
OS : Windows XP
Points : 24988
# Likes : 0

Re: Win32/Nuqel.E and BankerFox.A

Post by Belahzur on 11th February 2010, 9:08 pm

Completely Uninstall AVG software

Download and run avgremover.exe

For 32-Bit, Download: [You must be registered and logged in to see this link.]

Is AVG gone now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1
