win32/Nuqel.E Virus

View previous topic View next topic Go down

win32/Nuqel.E Virus

Post by dantana0531 on 7th March 2010, 9:05 pm

I cant get online with my computor to try to do any of these things can you help me PLEASE?

dantana0531
Intermediate
Intermediate

Posts Posts : 65
Joined Joined : 2010-03-07
OS OS : windows XP
Points Points : 25629
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by Belahzur on 7th March 2010, 9:05 pm

Hello.
Try this.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by dantana0531 on 7th March 2010, 9:45 pm

OTL logfile created on: 3/7/2010 3:35:59 PM - Run 1
OTL by OldTimer - Version 3.1.34.0 Folder = C:\Documents and Settings\Dana\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 89.89 Gb Free Space | 60.34% Space Free | Partition Type: NTFS
Drive D: | 33.30 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MOTHER
Current User Name: Dana
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/07 15:34:57 | 000,553,984 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dana\Desktop\OTL.exe
PRC - [2010/01/18 14:14:26 | 001,286,608 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsTray.exe
PRC - [2010/01/18 14:14:24 | 001,141,712 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe
PRC - [2009/12/09 15:23:34 | 000,365,280 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe
PRC - [2009/11/10 10:28:08 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2009/05/14 11:59:31 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/08/28 09:18:24 | 003,660,848 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
PRC - [2008/05/29 20:58:58 | 001,241,088 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Sun\StarOffice 8\program\soffice.bin
PRC - [2008/05/29 20:58:58 | 001,019,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Sun\StarOffice 8\program\soffice.exe
PRC - [2008/04/12 16:23:11 | 000,067,128 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
PRC - [2007/12/17 10:13:18 | 000,523,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe
PRC - [2007/12/17 10:12:58 | 000,243,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Family Safety\fssui.exe
PRC - [2007/12/10 14:35:52 | 000,323,216 | ---- | M] (Napster) -- C:\Program Files\Napster\napster.exe
PRC - [2007/06/13 04:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/03 10:01:16 | 000,319,488 | ---- | M] (PixArt Imaging Incorporation) -- C:\WINDOWS\PixArt\PAC207\Monitor.exe
PRC - [2006/04/06 09:00:00 | 000,122,880 | ---- | M] (WinZip Computing LP) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2005/08/11 16:30:30 | 000,081,920 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2005/07/20 18:56:06 | 000,339,968 | ---- | M] (Sonix) -- C:\WINDOWS\vphc700.exe
PRC - [2005/07/15 14:38:33 | 000,139,264 | R--- | M] () -- C:\Program Files\MioNet\MioNetManager.exe
PRC - [2005/07/12 19:04:04 | 000,278,528 | ---- | M] () -- C:\Program Files\Philips\SPC 700NC PC Camera\TrayMin700.exe
PRC - [2004/10/14 19:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2004/06/03 22:09:14 | 000,045,161 | ---- | M] () -- C:\Program Files\MioNet\jvm\bin\MioNet.exe
PRC - [2004/02/13 10:47:02 | 000,155,648 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\OpenManage\Client\Iap.exe
PRC - [2002/11/14 19:41:26 | 000,116,336 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
PRC - [2002/08/19 22:22:38 | 000,050,880 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2002/08/14 06:03:00 | 000,135,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
PRC - [2002/08/08 22:40:02 | 000,308,936 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe


========== Modules (SafeList) ==========

MOD - [2010/03/07 15:34:57 | 000,553,984 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dana\Desktop\OTL.exe
MOD - [2009/10/30 11:18:16 | 000,147,024 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\PCTGMhk.dll
MOD - [2006/08/25 09:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/18 14:14:24 | 001,141,712 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/12/09 15:23:34 | 000,365,280 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/11/10 10:28:08 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2007/12/17 10:13:18 | 000,523,816 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2007/10/25 14:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 10:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2005/07/15 14:38:33 | 000,139,264 | R--- | M] () [Auto | Running] -- C:\Program Files\MioNet\MioNetManager.exe -- (MioNet)
SRV - [2005/04/05 10:17:22 | 000,206,552 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2004/02/13 10:47:02 | 000,155,648 | ---- | M] (Dell Inc) [Auto | Running] -- C:\Program Files\Dell\OpenManage\Client\Iap.exe -- (Iap)
SRV - [2002/11/14 19:41:26 | 000,116,336 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton AntiVirus\navapsvc.exe -- (navapsvc)
SRV - [2002/08/19 22:23:32 | 000,063,176 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2002/08/14 06:03:00 | 000,135,168 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE -- (NProtectService)
SRV - [2002/08/08 22:40:02 | 000,308,936 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2001/08/13 23:18:36 | 000,054,408 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\script Blocking\SBServ.exe -- (SBService)


========== Driver Services (SafeList) ==========

DRV - [2009/09/23 16:10:06 | 000,207,280 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2008/09/05 02:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2007/10/17 12:53:16 | 000,043,816 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr.sys -- (fssfltr)
DRV - [2007/06/20 03:00:00 | 000,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/06/20 03:00:00 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2007/01/31 03:00:00 | 000,852,600 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070328.019\NAVEX15.SYS -- (NAVEX15)
DRV - [2007/01/31 03:00:00 | 000,080,472 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070328.019\NAVENG.SYS -- (NAVENG)
DRV - [2006/11/20 07:48:40 | 000,506,112 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PFC027.SYS -- (PAC207)
DRV - [2006/09/15 21:52:12 | 000,124,016 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/06/07 13:21:18 | 000,541,568 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\phc700.sys -- (phc700) USB PC Camera (phc700)
DRV - [2005/06/01 03:08:00 | 001,198,080 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/04/05 10:17:02 | 000,267,192 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/04/05 10:17:00 | 000,017,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/04/01 16:52:46 | 000,132,608 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/12/06 01:05:00 | 000,100,603 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 01:05:00 | 000,098,714 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 01:05:00 | 000,086,586 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 01:05:00 | 000,034,843 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 01:05:00 | 000,025,883 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 01:05:00 | 000,015,227 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 01:05:00 | 000,006,363 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 01:05:00 | 000,004,123 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 01:05:00 | 000,002,239 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/01 03:22:00 | 000,087,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 02:56:00 | 000,040,480 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/03 23:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/03 23:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/07/14 11:29:04 | 000,005,627 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 11:28:50 | 000,023,545 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/02/13 10:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
DRV - [2003/09/18 12:47:56 | 000,035,552 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\SAVRTPEL.SYS -- (SAVRTPEL)
DRV - [2003/09/18 12:47:48 | 000,235,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SAVRT.SYS -- (SAVRT)
DRV - [2003/01/10 16:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/08/14 06:03:00 | 000,034,578 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NPDRIVER.SYS -- (NPDriver)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2000/01/25 12:30:00 | 000,073,216 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)
DRV - [2000/01/17 05:00:40 | 000,023,040 | R--- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\aksusb.sys -- (aksusb)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = [You must be registered and logged in to see this link.]
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-stage6&p="
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0.13966
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.3
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-stage6&p="
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 7171
FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2008/11/16 19:44:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/05/14 12:00:32 | 000,000,000 | ---D | M]

[2008/11/17 13:10:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dana\Application Data\Mozilla\Extensions
[2009/12/07 17:00:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dana\Application Data\Mozilla\Firefox\Profiles\t9im1auc.default\extensions
[2009/12/07 16:57:11 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Dana\Application Data\Mozilla\Firefox\Profiles\t9im1auc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/12/07 17:00:12 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Dana\Application Data\Mozilla\Firefox\Profiles\t9im1auc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}-trash
[2008/02/12 22:19:54 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Dana\Application Data\Mozilla\Firefox\Profiles\t9im1auc.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/12/07 17:00:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dana\Application Data\Mozilla\Firefox\Profiles\t9im1auc.default\extensions\Staged-xpis
[2010/03/07 13:39:02 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/07 17:47:44 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\browserhighlighter@ebay.com
[2007/12/19 06:57:38 | 000,310,272 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
[2007/12/10 14:35:52 | 000,106,128 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npstrlnk.dll
[2007/11/20 16:52:00 | 002,884,992 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

O1 HOSTS File: ([2007/10/12 11:29:57 | 000,190,678 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1001-search.info
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 6761 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Windows Live OneCare Family Safety Browser Helper Class) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (CNavExtBho Class) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL (Symantec Corporation)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - No CLSID value found.
O2 - BHO: (655708 Class) - {EA73037A-F182-44A0-BC0B-690D71231330} - C:\WINDOWS\system32\sysloc\sysloc.dll ()
O3 - HKLM\..\Toolbar: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL (Symantec Corporation)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Veoh Browser Plug-in) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (Veoh Networks Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Advanced Tools Check] C:\Program Files\Norton AntiVirus\AdvTools\AdvChk.exe (Symantec Corporation)
O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe File not found
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe (Symantec Corporation)
O4 - HKLM..\Run: [fssui] C:\Program Files\Windows Live\Family Safety\fssui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe File not found
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [LexPPS.exe] C:\WINDOWS\System32\lexpps.exe File not found
O4 - HKLM..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe (Napster)
O4 - HKLM..\Run: [phc700] C:\WINDOWS\vphc700.exe (Sonix)
O4 - HKLM..\Run: [scjbfbcz] C:\WINDOWS\System32\njzgsdho.exe File not found
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe File not found
O4 - HKLM..\Run: [Symantec NetDriver Monitor] C:\Program Files\SymNetDrv\SNDMon.exe (Symantec Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [] File not found
O4 - HKCU..\Run: [My Web Search Community Tools] C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe File not found
O4 - HKCU..\Run: [Veoh] C:\Program Files\Veoh Networks\Veoh\VeohClient.exe (Veoh Networks)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TrayMin700.exe.lnk = C:\Program Files\Philips\SPC 700NC PC Camera\TrayMin700.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing LP)
O4 - Startup: C:\Documents and Settings\Dana\Start Menu\Programs\Startup\StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: //@mail.mar@/ ([]msn in Local intranet)
O15 - HKCU\..Trusted Domains: //@signup.mar@/ ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 68.105.28.17 68.105.29.17
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Dana\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dana\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/07 15:34:56 | 000,553,984 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dana\Desktop\OTL.exe
[2010/03/07 14:57:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dana\Local Settings\Application Data\Threat Expert
[2010/03/07 14:22:53 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll0339.old
[2010/03/07 14:22:53 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2010/03/07 14:22:52 | 001,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll0339.old
[2010/03/07 14:22:52 | 001,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2010/03/07 14:22:52 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2010/03/07 14:22:20 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/03/07 14:22:17 | 000,207,280 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/03/07 14:22:17 | 000,087,784 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/03/07 14:22:10 | 000,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/03/07 14:21:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/03/07 14:21:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dana\Application Data\PC Tools
[2010/03/07 14:21:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/03/07 13:38:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2009/08/03 08:21:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/05/14 12:15:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/05/14 11:58:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/09/29 08:09:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/05/15 16:03:41 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/03/28 19:36:36 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/03/18 22:21:53 | 000,061,440 | ---- | C] ( ) -- C:\WINDOWS\System32\cphc700.dll
[2007/03/01 07:04:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/07 15:37:00 | 000,000,436 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{82F72DA8-E6FF-42CB-BB39-99586FF9AE48}.job
[2010/03/07 15:34:57 | 000,553,984 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dana\Desktop\OTL.exe
[2010/03/07 15:11:01 | 000,000,252 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2010/03/07 14:35:24 | 000,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/03/07 14:27:13 | 000,000,410 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2010/03/07 14:26:25 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/07 14:25:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/07 14:25:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/07 14:25:03 | 2145,529,856 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/07 14:24:18 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\Dana\NTUSER.DAT
[2010/03/07 14:24:18 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Dana\ntuser.ini
[2010/03/07 11:44:02 | 000,000,076 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
[2010/03/07 11:37:01 | 000,445,228 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/07 11:37:01 | 000,384,890 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/07 11:37:01 | 000,054,590 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/07 11:34:49 | 000,219,440 | ---- | M] () -- C:\Documents and Settings\Dana\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/05 20:00:00 | 000,000,462 | ---- | M] () -- C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
[2010/03/05 15:00:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\Norton Security Scan.job
[2010/03/04 08:44:46 | 000,000,848 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/02/25 03:02:06 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/20 13:23:46 | 000,751,144 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/07 14:35:24 | 000,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/03/07 14:25:03 | 2145,529,856 | -HS- | C] () -- C:\hiberfil.sys
[2010/03/07 14:22:53 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll0339.old
[2010/03/07 14:22:53 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/03/07 14:22:53 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2010/03/07 14:22:53 | 000,000,880 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2010/03/07 14:22:52 | 001,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2010/03/07 14:22:52 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2010/03/07 14:22:20 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/03/07 14:22:17 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/03/07 14:22:17 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/03/07 14:22:10 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2009/10/06 10:08:00 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2009/04/29 12:20:59 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/10/09 09:29:40 | 000,000,316 | ---- | C] () -- C:\WINDOWS\System32\Remover.ini
[2008/05/15 15:49:58 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Dana\Local Settings\Application Data\fusioncache.dat
[2008/03/18 22:22:45 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2008/03/18 22:21:53 | 000,541,568 | ---- | C] () -- C:\WINDOWS\System32\drivers\phc700.sys
[2008/03/18 22:21:53 | 000,015,488 | ---- | C] () -- C:\WINDOWS\phc700.ini
[2007/01/10 12:37:21 | 000,000,076 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/12/27 10:55:08 | 000,000,083 | ---- | C] () -- C:\WINDOWS\gbsaver.ini
[2006/11/02 08:27:46 | 000,000,518 | ---- | C] () -- C:\WINDOWS\System32\SP207.ini
[2006/06/08 08:54:05 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\Dana\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/03/29 12:00:56 | 000,000,848 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/03/29 11:49:59 | 000,000,642 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2006/03/29 10:55:25 | 000,002,777 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/03/20 15:57:46 | 000,017,696 | R--- | C] () -- C:\WINDOWS\System32\SCALE16.DLL
[2006/03/20 15:57:46 | 000,014,880 | R--- | C] () -- C:\WINDOWS\System32\SCREEN16.DLL
[2006/03/20 15:57:46 | 000,003,616 | R--- | C] () -- C:\WINDOWS\System32\ENCUI.DLL
[2006/03/20 15:57:45 | 000,169,424 | R--- | C] () -- C:\WINDOWS\System32\NOVACUT.DRV
[2006/03/20 15:57:45 | 000,021,920 | R--- | C] () -- C:\WINDOWS\System32\COLOR16.DLL
[2006/03/20 15:04:52 | 000,073,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\SENTINEL.SYS
[2006/03/20 15:04:52 | 000,047,616 | ---- | C] () -- C:\WINDOWS\System32\SNTI386.DLL
[2006/03/20 15:04:52 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\RNBOVDD.DLL
[2006/01/27 11:59:16 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/01/19 23:10:31 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/01/19 23:08:50 | 000,000,299 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/01/19 22:48:46 | 000,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/04/09 16:49:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 13:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 13:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2001/07/06 15:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 158 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FA5F15C4
< End of report >

dantana0531
Intermediate
Intermediate

Posts Posts : 65
Joined Joined : 2010-03-07
OS OS : windows XP
Points Points : 25629
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by dantana0531 on 7th March 2010, 9:46 pm

OTL Extras logfile created on: 3/7/2010 3:36:00 PM - Run 1
OTL by OldTimer - Version 3.1.34.0 Folder = C:\Documents and Settings\Dana\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 89.89 Gb Free Space | 60.34% Space Free | Partition Type: NTFS
Drive D: | 33.30 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MOTHER
Current User Name: Dana
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1700:TCP" = 1700:TCP:*:Enabled:MioNet Remote Drive Access
"1641:TCP" = 1641:TCP:*:Enabled:MioNet Remote Drive Verification
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"80:TCP" = 80:TCP:*:Enabled:SYSDLL
"7171:TCP" = 7171:TCP:*:Enabled:SYSDLL

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech Inc.)
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- File not found
"C:\Program Files\inKline Global\PureRadio\PureRadio.exe" = C:\Program Files\inKline Global\PureRadio\PureRadio.exe:*:Enabled:PureRadio -- File not found
"C:\Program Files\SecondLife\SecondLife.exe" = C:\Program Files\SecondLife\SecondLife.exe:*:Enabled:Second Life -- (Linden Lab)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\1172499812\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1172499812\ee\aolsoftware.exe:*:Enabled:AOL Shared Components -- File not found
"C:\Program Files\SecondLife\SLVoice.exe" = C:\Program Files\SecondLife\SLVoice.exe:*:Enabled:SLVoice -- ()
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" = C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client -- (Veoh Networks)
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech Inc.)
"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\WINDOWS\system32\LEXPPS.EXE" = C:\WINDOWS\system32\LEXPPS.EXE:*:Disabled:LEXPPS.EXE -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0405E51E-9582-4207-8F38-AC44201D3808}" = VeohTV BETA
"{058B32E2-6310-4359-B2D4-1988390C3B83}" = Broadcom Advanced Control Suite
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{1C81EE56-C48F-1765-A77E-C64D6780BC17}" = MyFonts Order M788398
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{269A4095-DB55-4D35-8FD0-39957D26BEEC}" = Philips VLounge
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 11
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}" = Windows Live Photo Gallery
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{32A72502-BC2C-4C39-ACEA-BC3D463F0697}" = EN
"{32F66A20-7614-11D4-BD11-00104BD3F987}" = MathPlayer
"{3403CB31-D7C1-43F4-9D2F-579758C0CF09}" = Windows Live OneCare Family Safety
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35AD8A37-8ECE-4E97-A34E-B15BFEF0E2F2}" = Basic Webcam
"{3A4FFB84-D070-4DA5-AB7B-D41D87FD8D19}" = Norton Security Scan
"{3D15064D-4371-4FCC-B9E6-F79D6CBFDDD4}" = StarOffice 8 Product Update 11
"{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}" = FontNav
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{54E3707F-808E-4fd4-95C9-15D1AB077E5D}" = NewCopy
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch
"{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}" = HP PSC & OfficeJet 5.3.B
"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
"{65248369-7CB9-43A9-82C8-C438AE04DED4}" = 1500
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}" = OMCI
"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7850A6D2-CBEA-4728-9877-F1BEDEA9F619}" = AiOSoftware
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}" = CorelDRAW Graphics Suite X3
"{7C9B95B7-B598-4398-B30F-7F6827192E6C}" = ProductContext
"{81E06318-EEB9-4D55-8CD5-7AC9148D5E66}" = 1500_Help
"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_STANDARDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_STANDARDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{91120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{9176251A-4CC1-4DDB-B343-B487195EB397}" = Windows Live Writer
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{C70BF2F2-2B54-4303-ABE6-82A20038A2EA}" = Philips SPC 700NC PC Camera
"{C94E45B0-6AA6-4FB9-9AAE-22085F631880}" = VBA
"{CA0A1E54-CE0F-4366-B09C-A87B61DC5633}" = Symantec Network Drivers Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CBA30674-A242-4531-82B5-586B31F90E04}" = 1500Trb
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = Fax
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
"{D61524CF-93FE-4193-91AD-C6E21FEEAA5A}" = Logitech Harmony Remote Software 7
"{D6BBC858-B557-458C-BB0C-A5AB39C2B780}" = StarOffice 8
"{DF157E38-A290-4265-844B-687E5707899E}" = WebCam Suite 2.0
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F4C9398F-B6C6-4A4B-8B6D-795CD86F915D}" = Norton AntiVirus 2003 Professional Edition
"{FE64AE29-0883-4C70-8388-DC026019C900}" = HP Image Zone Express
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Advanced Tools" = Advanced Tools
"ATI Display Driver" = ATI Display Driver
"Browser Defender_is1" = Browser Defender 2.0.6.11
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"HPExtendedCapabilities" = HP Extended Capabilities 5.3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{0405E51E-9582-4207-8F38-AC44201D3808}" = VeohTV BETA
"InstallShield_{35AD8A37-8ECE-4E97-A34E-B15BFEF0E2F2}" = Basic Webcam
"InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 1.80 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MioNet" = MioNet
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PConPoint_is1" = PConPoint v3.5
"Picasa2" = Picasa 2
"Rainbow Sentinel Driver" = Sentinel System Driver
"RealPlayer 6.0" = RealPlayer
"SecondLife" = SecondLife (remove only)
"SIPPS!UninstallKey" = SIPPS
"Spyware Doctor" = Spyware Doctor 7.0
"STANDARDR" = Microsoft Office Standard 2007
"ViewpointMediaPlayer" = Viewpoint Media Player
"Weather Services" = Weather Services
"WIC" = Windows Imaging Component
"Windows Live Toolbar" = Windows Live Toolbar
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Extras" = Yahoo! Browser Services
"Yahoo! Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/21/2010 1:14:36 PM | Computer Name = MOTHER | Source = Application Error | ID = 1000
Description = Faulting application wmiprvse.exe, version 5.1.2600.3520, faulting
module unknown, version 0.0.0.0, fault address 0x0108e970.

Error - 3/1/2010 12:09:16 PM | Computer Name = MOTHER | Source = Application Error | ID = 1000
Description = Faulting application pctsAuxs.exe, version 6.1.0.12, faulting module
pctsAuxs.exe, version 6.1.0.12, fault address 0x0003aeab.

Error - 3/7/2010 12:44:07 PM | Computer Name = MOTHER | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/7/2010 12:44:08 PM | Computer Name = MOTHER | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/7/2010 12:44:09 PM | Computer Name = MOTHER | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/7/2010 1:33:24 PM | Computer Name = MOTHER | Source = Application Error | ID = 1004
Description = Faulting application wmiprvse.exe, version 5.1.2600.3520, faulting
module unknown, version 0.0.0.0, fault address 0x0108e970.

Error - 3/7/2010 1:34:27 PM | Computer Name = MOTHER | Source = Application Error | ID = 1004
Description = Faulting application pctsAuxs.exe, version 6.1.0.12, faulting module
pctsAuxs.exe, version 6.1.0.12, fault address 0x0003aeab.

Error - 3/7/2010 1:35:29 PM | Computer Name = MOTHER | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.2180, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/7/2010 1:46:57 PM | Computer Name = MOTHER | Source = Application Error | ID = 1000
Description = Faulting application pctsSvc.exe, version 6.1.0.55, faulting module
rtl100.bpl, version 11.0.2902.10471, fault address 0x0000776d.

[ OSession Events ]
Error - 9/29/2008 9:44:53 AM | Computer Name = MOTHER | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 423607
seconds with 2760 seconds of active time. This session ended with a crash.

Error - 10/1/2009 11:39:20 AM | Computer Name = MOTHER | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 89494
seconds with 840 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 3/7/2010 4:23:19 PM | Computer Name = MOTHER | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.CRT could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 3/7/2010 4:23:19 PM | Computer Name = MOTHER | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error
message: The referenced assembly is not installed on your system. .

Error - 3/7/2010 4:23:19 PM | Computer Name = MOTHER | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Spyware Doctor\SDContextExt32.dll.
Reference
error message: The operation completed successfully. .

Error - 3/7/2010 4:24:16 PM | Computer Name = MOTHER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/7/2010 4:25:51 PM | Computer Name = MOTHER | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.CRT could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 3/7/2010 4:25:51 PM | Computer Name = MOTHER | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error
message: The referenced assembly is not installed on your system. .

Error - 3/7/2010 4:25:51 PM | Computer Name = MOTHER | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Spyware Doctor\SDContextExt32.dll.
Reference
error message: The operation completed successfully. .

Error - 3/7/2010 4:34:46 PM | Computer Name = MOTHER | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.CRT could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 3/7/2010 4:34:46 PM | Computer Name = MOTHER | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error
message: The referenced assembly is not installed on your system. .

Error - 3/7/2010 4:34:46 PM | Computer Name = MOTHER | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Spyware Doctor\SDContextExt32.dll.
Reference
error message: The operation completed successfully. .


< End of report >

dantana0531
Intermediate
Intermediate

Posts Posts : 65
Joined Joined : 2010-03-07
OS OS : windows XP
Points Points : 25629
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by Belahzur on 7th March 2010, 10:56 pm

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :OTL
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=localhost:7171
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com
    FF - prefs.js..network.proxy.http: "localhost"
    FF - prefs.js..network.proxy.http_port: 7171
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
    O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - No CLSID value found.
    O2 - BHO: (655708 Class) - {EA73037A-F182-44A0-BC0B-690D71231330} - C:\WINDOWS\system32\sysloc\sysloc.dll ()
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O4 - HKLM..\Run: [phc700] C:\WINDOWS\vphc700.exe (Sonix)
    O4 - HKLM..\Run: [scjbfbcz] C:\WINDOWS\System32\njzgsdho.exe File not found
    O4 - HKCU..\Run: [] File not found
    O4 - HKCU..\Run: [My Web Search Community Tools] C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe File not found

    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "80:TCP"=-
    "7171:TCP"=-


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by dantana0531 on 7th March 2010, 11:03 pm

========== OTL ==========
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\SearchMigratedDefaultName| /E : value set successfully!
Prefs.js: "localhost" removed from network.proxy.http
Prefs.js: 7171 removed from network.proxy.http_port
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA6319C0-31B7-401E-A518-A07C3DB8F777}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA73037A-F182-44A0-BC0B-690D71231330}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EA73037A-F182-44A0-BC0B-690D71231330}\ not found.
File C:\WINDOWS\system32\sysloc\sysloc.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\phc700 not found.
File C:\WINDOWS\vphc700.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\scjbfbcz not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\My Web Search Community Tools not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\80:TCP not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\7171:TCP not found.

OTL by OldTimer - Version 3.1.34.0 log created on 03072010_170051

dantana0531
Intermediate
Intermediate

Posts Posts : 65
Joined Joined : 2010-03-07
OS OS : windows XP
Points Points : 25629
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by Belahzur on 7th March 2010, 11:14 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by dantana0531 on 8th March 2010, 1:27 am

I have done this 3 times and its not going all the way to any text box it seems to freeze up at the end? not sure what to do.

dantana0531
Intermediate
Intermediate

Posts Posts : 65
Joined Joined : 2010-03-07
OS OS : windows XP
Points Points : 25629
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by dantana0531 on 8th March 2010, 1:14 pm

ComboFix 10-03-07.02 - Dana 03/07/2010 19:45:35.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1428 [GMT -6:00]
Running from: c:\documents and settings\Dana\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Beach Master\Local Settings\Application Data\qddqfa
c:\documents and settings\Beach Master\Local Settings\Application Data\qddqfa\ummcsftav.exe
c:\recycler\NPROTECT\00000000.DAT
c:\recycler\NPROTECT\00000001.DAT
c:\recycler\NPROTECT\00000002
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000005
c:\recycler\NPROTECT\00000007
c:\recycler\NPROTECT\00000009
c:\recycler\NPROTECT\00000010
c:\recycler\NPROTECT\00000013.DB-
c:\recycler\NPROTECT\00000014.DAT
c:\recycler\NPROTECT\00000015
c:\recycler\NPROTECT\00000016
c:\recycler\NPROTECT\00000017
c:\recycler\NPROTECT\00000018
c:\recycler\NPROTECT\00000020
c:\recycler\NPROTECT\00000021.DAT
c:\recycler\NPROTECT\00000022
c:\recycler\NPROTECT\00000023
c:\recycler\NPROTECT\00000024.DAT
c:\recycler\NPROTECT\00000025
c:\recycler\NPROTECT\00000026
c:\recycler\NPROTECT\00000027
c:\recycler\NPROTECT\00000028
c:\recycler\NPROTECT\00000029
c:\recycler\NPROTECT\00000030
c:\recycler\NPROTECT\00000031
c:\recycler\NPROTECT\00000032
c:\recycler\NPROTECT\00000033
c:\recycler\NPROTECT\00000034
c:\recycler\NPROTECT\00000035
c:\recycler\NPROTECT\00000036
c:\recycler\NPROTECT\00000037.dat
c:\recycler\NPROTECT\00000038
c:\recycler\NPROTECT\00000039
c:\recycler\NPROTECT\00000042
c:\recycler\NPROTECT\00000043
c:\recycler\NPROTECT\00000045
c:\recycler\NPROTECT\00000046
c:\recycler\NPROTECT\00000047
c:\recycler\NPROTECT\00000049
c:\recycler\NPROTECT\00000051
c:\recycler\NPROTECT\00000052
c:\recycler\NPROTECT\00000053
c:\recycler\NPROTECT\00000054
c:\recycler\NPROTECT\00000057
c:\recycler\NPROTECT\00000058
c:\recycler\NPROTECT\00000059
c:\recycler\NPROTECT\00000061
c:\recycler\NPROTECT\00000063
c:\recycler\NPROTECT\00000064
c:\recycler\NPROTECT\00000065
c:\recycler\NPROTECT\00000066
c:\recycler\NPROTECT\00000067
c:\recycler\NPROTECT\00000068
c:\recycler\NPROTECT\00000069
c:\recycler\NPROTECT\00000070
c:\recycler\NPROTECT\00000071
c:\recycler\NPROTECT\00000073
c:\recycler\NPROTECT\00000074
c:\recycler\NPROTECT\00000076
c:\recycler\NPROTECT\00000077
c:\recycler\NPROTECT\00000079
c:\recycler\NPROTECT\00000080
c:\recycler\NPROTECT\00000081
c:\recycler\NPROTECT\00000082
c:\recycler\NPROTECT\00000083
c:\recycler\NPROTECT\00000085
c:\recycler\NPROTECT\00000086
c:\recycler\NPROTECT\00000087
c:\recycler\NPROTECT\00000088
c:\recycler\NPROTECT\00000090
c:\recycler\NPROTECT\00000091
c:\recycler\NPROTECT\00000092
c:\recycler\NPROTECT\00000093
c:\recycler\NPROTECT\00000094
c:\recycler\NPROTECT\00000095
c:\recycler\NPROTECT\00000096
c:\recycler\NPROTECT\00000097
c:\recycler\NPROTECT\00000098
c:\recycler\NPROTECT\00000099
c:\recycler\NPROTECT\00000103
c:\recycler\NPROTECT\00000104.dat
c:\recycler\NPROTECT\00000105.dat
c:\recycler\NPROTECT\00000106
c:\recycler\NPROTECT\00000107
c:\recycler\NPROTECT\00000108
c:\recycler\NPROTECT\00000109
c:\recycler\NPROTECT\00000110
c:\recycler\NPROTECT\00000111
c:\recycler\NPROTECT\00000112
c:\recycler\NPROTECT\00000114
c:\recycler\NPROTECT\00000116.dat
c:\recycler\NPROTECT\00000118
c:\recycler\NPROTECT\00000119.bat
c:\recycler\NPROTECT\00000120
c:\recycler\NPROTECT\00000121
c:\recycler\NPROTECT\00000123
c:\recycler\NPROTECT\00000125
c:\recycler\NPROTECT\00000126
c:\recycler\NPROTECT\00000127
c:\recycler\NPROTECT\00000130
c:\recycler\NPROTECT\00000131
c:\recycler\NPROTECT\00000132
c:\recycler\NPROTECT\00000133
c:\recycler\NPROTECT\00000135
c:\recycler\NPROTECT\00000136
c:\recycler\NPROTECT\00000137
c:\recycler\NPROTECT\00000138
c:\recycler\NPROTECT\00000139
c:\recycler\NPROTECT\00000140
c:\recycler\NPROTECT\00000141
c:\recycler\NPROTECT\00000142
c:\recycler\NPROTECT\00000143
c:\recycler\NPROTECT\00000144
c:\recycler\NPROTECT\00000145
c:\recycler\NPROTECT\00000146
c:\recycler\NPROTECT\00000147
c:\recycler\NPROTECT\00000148
c:\recycler\NPROTECT\00000149
c:\recycler\NPROTECT\00000150
c:\recycler\NPROTECT\00000151
c:\recycler\NPROTECT\00000153
c:\recycler\NPROTECT\00000154
c:\recycler\NPROTECT\00000157
c:\recycler\NPROTECT\00000160
c:\recycler\NPROTECT\00000161
c:\recycler\NPROTECT\00000162
c:\recycler\NPROTECT\00000163
c:\recycler\NPROTECT\00000164.dat
c:\recycler\NPROTECT\00000165
c:\recycler\NPROTECT\00000166
c:\recycler\NPROTECT\00000167
c:\recycler\NPROTECT\00000168
c:\recycler\NPROTECT\00000169
c:\recycler\NPROTECT\00000170.bad
c:\recycler\NPROTECT\00000171
c:\recycler\NPROTECT\00000172
c:\recycler\NPROTECT\00000173
c:\recycler\NPROTECT\00000174
c:\recycler\NPROTECT\00000175
c:\recycler\NPROTECT\00000182.md5
c:\recycler\NPROTECT\00000189
c:\recycler\NPROTECT\00000190
C:\SYSDLL.bat
c:\windows\9g2234wesdf3dfgjf23
c:\windows\f23567.dat
c:\windows\freddy46.exe
c:\windows\msmark2.dat
c:\windows\mstre19.exe
c:\windows\pp10.exe
c:\windows\ro122366.dat
c:\windows\ro122390.dat
c:\windows\run_1244482009.exe
c:\windows\run_1244488310.exe
c:\windows\run_1244499043.exe
c:\windows\run_1244500439.exe
c:\windows\run_1244505527.exe
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\ndisapi.dll
c:\windows\system32\sysloc
c:\recycler\NPROTECT . . . . failed to delete
c:\recycler\NPROTECT\NPROTECT.LOG . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISRD
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-07 23:00 . 2010-03-07 23:00 -------- d-----w- C:\_OTL
2010-03-07 22:32 . 2010-03-07 22:32 -------- d-----w- c:\documents and settings\Beach Master\Local Settings\Application Data\Threat Expert
2010-03-07 20:57 . 2010-03-07 20:57 -------- d-----w- c:\documents and settings\Dana\Local Settings\Application Data\Threat Expert
2010-03-06 15:59 . 2010-03-06 15:59 -------- d-----w- c:\documents and settings\Beach Master\Local Settings\Application Data\cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 12:40 . 2008-02-13 09:10 -------- d-----w- c:\documents and settings\Dana\Application Data\Skype
2010-03-08 12:38 . 2009-06-08 17:35 -------- d-----w- c:\documents and settings\Dana\Application Data\StarOffice8
2010-03-08 12:37 . 2006-03-30 16:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-08 01:24 . 2008-02-13 03:49 -------- d-----w- c:\program files\Spyware Doctor
2010-03-08 01:23 . 2008-02-13 03:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-07 19:39 . 2008-02-13 04:17 -------- d-----w- c:\program files\DivX
2010-03-07 19:39 . 2006-12-27 16:55 -------- d-----w- c:\program files\Lavasoft
2010-03-07 19:37 . 2009-08-14 18:56 -------- d-----w- c:\documents and settings\Beach Master\Application Data\Full Tilt Poker
2010-03-07 19:37 . 2007-01-10 18:37 -------- d-----w- c:\program files\Quicken
2010-03-07 19:36 . 2007-10-12 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-07 19:36 . 2007-10-12 15:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-07 17:49 . 2009-05-20 17:58 -------- d-----w- c:\program files\PokerStars
2010-03-07 17:34 . 2006-03-20 20:25 219440 ----a-w- c:\documents and settings\Dana\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 14:44 . 2006-03-29 18:00 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-20 19:20 . 2008-07-30 01:11 219440 ----a-w- c:\documents and settings\Beach Master\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-10 09:03 . 2007-06-05 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-20 14:02 . 2008-08-13 13:00 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-31 16:14 . 2006-01-20 04:48 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 12:58 . 2004-08-10 19:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:53 . 2004-08-10 18:51 2136064 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-04 04:59 2015744 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-03-30 16:24 . 2006-03-30 16:24 32 --sha-w- c:\windows\{2C2A965E-1855-43EE-A397-D73454170914}.dat
2006-03-30 16:24 . 2006-03-30 16:24 32 --sha-w- c:\windows\system32\{96C37846-0610-462D-8D96-EC0F059F1E89}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-01 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-20 50880]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-20 34504]
"Advanced Tools Check"="c:\progra~1\NORTON~1\AdvTools\ADVCHK.EXE" [2002-08-27 79480]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-04-03 100056]
"NapsterShell"="c:\program files\Napster\napster.exe" [2007-12-10 323216]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-17 282624]
"fssui"="c:\program files\Windows Live\Family Safety\fssui.exe" [2007-12-17 243240]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-14 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-14 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\Dana\Start Menu\Programs\Startup\
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2007-8-17 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-4-12 67128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
TrayMin700.exe.lnk - c:\program files\Philips\SPC 700NC PC Camera\TrayMin700.exe [2008-3-18 278528]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-3-29 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [5/15/2008 3:52 PM 43816]
R2 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/17/2007 10:13 AM 523816]
R2 MioNet;MioNet Service;c:\program files\MioNet\MioNetManager.exe [7/15/2005 2:38 PM 139264]
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton AntiVirus\AdvTools\NPROTECT.EXE [3/30/2006 10:23 AM 135168]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [11/20/2006 7:48 AM 506112]
S3 phc700;USB PC Camera (phc700);c:\windows\system32\drivers\phc700.sys [3/18/2008 10:21 PM 541568]
.
Contents of the 'Scheduled Tasks' folder

2010-03-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2010-03-06 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NAVW32.exe [2002-08-20 01:31]

2010-03-05 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-09-19 05:42]

2010-03-08 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-03-30 15:04]

2010-03-08 c:\windows\Tasks\User_Feed_Synchronization-{82F72DA8-E6FF-42CB-BB39-99586FF9AE48}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultUrl = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
HKLM-Run-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
HKLM-Run-LexPPS.exe - c:\windows\system32\lexpps.exe
AddRemove-{342C7C88-D335-4bc2-8CF1-281857629CE2} - c:\program files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-08 06:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4140633030-3341314632-3632176343-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3700)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\MioNet\jvm\bin\MioNet.exe
c:\program files\Sun\StarOffice 8\program\soffice.exe
c:\program files\Sun\StarOffice 8\program\soffice.BIN
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2010-03-08 06:46:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 12:46

Pre-Run: 98,219,827,200 bytes free
Post-Run: 101,745,086,464 bytes free

- - End Of File - - E2AAD46F8F17D61D97D593FEE2707ACD

dantana0531
Intermediate
Intermediate

Posts Posts : 65
Joined Joined : 2010-03-07
OS OS : windows XP
Points Points : 25629
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by Belahzur on 8th March 2010, 4:54 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uInternet Settings,ProxyServer = http=localhost:7171
    uInternet Settings,ProxyOverride = *.local;

    Regostry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
    "SearchMigratedDefaultUrl"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by dantana0531 on 8th March 2010, 6:52 pm

ComboFix 10-03-07.02 - Dana 03/08/2010 12:27:31.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1570 [GMT -6:00]
Running from: c:\documents and settings\Dana\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dana\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT\00000000.DAT
c:\recycler\NPROTECT\00000001.DAT
c:\recycler\NPROTECT\00000002
c:\recycler\NPROTECT\00000003
c:\recycler\NPROTECT\00000004
c:\recycler\NPROTECT\00000005
c:\recycler\NPROTECT\00000007
c:\recycler\NPROTECT\00000009
c:\recycler\NPROTECT\00000010
c:\recycler\NPROTECT\00000013.DAT
c:\recycler\NPROTECT\00000014
c:\recycler\NPROTECT\00000015
c:\recycler\NPROTECT\00000016
c:\recycler\NPROTECT\00000017
c:\recycler\NPROTECT\00000019
c:\recycler\NPROTECT\00000020.DAT
c:\recycler\NPROTECT\00000021
c:\recycler\NPROTECT\00000022
c:\recycler\NPROTECT\00000023.DAT
c:\recycler\NPROTECT\00000024
c:\recycler\NPROTECT\00000025
c:\recycler\NPROTECT\00000026
c:\recycler\NPROTECT\00000027
c:\recycler\NPROTECT\00000028
c:\recycler\NPROTECT\00000029
c:\recycler\NPROTECT\00000030
c:\recycler\NPROTECT\00000031
c:\recycler\NPROTECT\00000032
c:\recycler\NPROTECT\00000033
c:\recycler\NPROTECT\00000034
c:\recycler\NPROTECT\00000035
c:\recycler\NPROTECT\00000036.dat
c:\recycler\NPROTECT\00000037
c:\recycler\NPROTECT\00000038
c:\recycler\NPROTECT\00000041
c:\recycler\NPROTECT\00000042
c:\recycler\NPROTECT\00000044
c:\recycler\NPROTECT\00000046
c:\recycler\NPROTECT\00000047
c:\recycler\NPROTECT\00000048
c:\recycler\NPROTECT\00000050
c:\recycler\NPROTECT\00000052
c:\recycler\NPROTECT\00000053
c:\recycler\NPROTECT\00000054
c:\recycler\NPROTECT\00000055
c:\recycler\NPROTECT\00000058
c:\recycler\NPROTECT\00000059
c:\recycler\NPROTECT\00000060
c:\recycler\NPROTECT\00000062
c:\recycler\NPROTECT\00000064
c:\recycler\NPROTECT\00000065
c:\recycler\NPROTECT\00000066
c:\recycler\NPROTECT\00000067
c:\recycler\NPROTECT\00000068
c:\recycler\NPROTECT\00000069
c:\recycler\NPROTECT\00000070
c:\recycler\NPROTECT\00000071
c:\recycler\NPROTECT\00000072
c:\recycler\NPROTECT\00000074
c:\recycler\NPROTECT\00000075
c:\recycler\NPROTECT\00000077
c:\recycler\NPROTECT\00000078
c:\recycler\NPROTECT\00000080
c:\recycler\NPROTECT\00000081
c:\recycler\NPROTECT\00000082
c:\recycler\NPROTECT\00000083
c:\recycler\NPROTECT\00000084
c:\recycler\NPROTECT\00000086
c:\recycler\NPROTECT\00000087
c:\recycler\NPROTECT\00000088
c:\recycler\NPROTECT\00000089
c:\recycler\NPROTECT\00000091
c:\recycler\NPROTECT\00000092
c:\recycler\NPROTECT\00000093
c:\recycler\NPROTECT\00000094
c:\recycler\NPROTECT\00000095
c:\recycler\NPROTECT\00000096
c:\recycler\NPROTECT\00000097
c:\recycler\NPROTECT\00000098
c:\recycler\NPROTECT\00000099
c:\recycler\NPROTECT\00000100
c:\recycler\NPROTECT\00000101
c:\recycler\NPROTECT\00000102
c:\recycler\NPROTECT\00000103
c:\recycler\NPROTECT\00000107
c:\recycler\NPROTECT\00000108.dat
c:\recycler\NPROTECT\00000109.dat
c:\recycler\NPROTECT\00000111
c:\recycler\NPROTECT\00000112
c:\recycler\NPROTECT\00000113
c:\recycler\NPROTECT\00000114
c:\recycler\NPROTECT\00000115
c:\recycler\NPROTECT\00000116
c:\recycler\NPROTECT\00000117
c:\recycler\NPROTECT\00000119
c:\recycler\NPROTECT\00000121.dat
c:\recycler\NPROTECT\00000123
c:\recycler\NPROTECT\00000124.bat
c:\recycler\NPROTECT\00000125
c:\recycler\NPROTECT\00000126
c:\recycler\NPROTECT\00000128
c:\recycler\NPROTECT\00000130
c:\recycler\NPROTECT\00000131
c:\recycler\NPROTECT\00000132
c:\recycler\NPROTECT\00000135
c:\recycler\NPROTECT\00000136
c:\recycler\NPROTECT\00000137
c:\recycler\NPROTECT\00000138
c:\recycler\NPROTECT\00000140
c:\recycler\NPROTECT\00000141
c:\recycler\NPROTECT\00000142
c:\recycler\NPROTECT\00000143
c:\recycler\NPROTECT\00000144
c:\recycler\NPROTECT\00000145
c:\recycler\NPROTECT\00000146
c:\recycler\NPROTECT\00000147
c:\recycler\NPROTECT\00000148
c:\recycler\NPROTECT\00000149
c:\recycler\NPROTECT\00000150
c:\recycler\NPROTECT\00000151
c:\recycler\NPROTECT\00000152
c:\recycler\NPROTECT\00000153
c:\recycler\NPROTECT\00000154
c:\recycler\NPROTECT\00000155
c:\recycler\NPROTECT\00000156
c:\recycler\NPROTECT\00000158
c:\recycler\NPROTECT\00000159
c:\recycler\NPROTECT\00000162
c:\recycler\NPROTECT\00000165
c:\recycler\NPROTECT\00000166
c:\recycler\NPROTECT\00000167
c:\recycler\NPROTECT\00000168
c:\recycler\NPROTECT\00000169.dat
c:\recycler\NPROTECT\00000170
c:\recycler\NPROTECT\00000171.bad
c:\recycler\NPROTECT\00000172
c:\recycler\NPROTECT\00000173
c:\recycler\NPROTECT\00000174
c:\recycler\NPROTECT\00000175
c:\recycler\NPROTECT\00000176
c:\recycler\NPROTECT\00000182.DB~
c:\recycler\NPROTECT\00000183.md5
c:\recycler\NPROTECT\00000190
c:\recycler\NPROTECT\00000191
c:\recycler\NPROTECT . . . . failed to delete
c:\recycler\NPROTECT\NPROTECT.LOG . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-07 23:00 . 2010-03-07 23:00 -------- d-----w- C:\_OTL
2010-03-07 22:32 . 2010-03-07 22:32 -------- d-----w- c:\documents and settings\Beach Master\Local Settings\Application Data\Threat Expert
2010-03-07 20:57 . 2010-03-07 20:57 -------- d-----w- c:\documents and settings\Dana\Local Settings\Application Data\Threat Expert
2010-03-06 15:59 . 2010-03-06 15:59 -------- d-----w- c:\documents and settings\Beach Master\Local Settings\Application Data\cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 18:36 . 2009-06-08 17:35 -------- d-----w- c:\documents and settings\Dana\Application Data\StarOffice8
2010-03-08 18:34 . 2006-03-30 16:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-08 18:18 . 2008-02-13 09:10 -------- d-----w- c:\documents and settings\Dana\Application Data\Skype
2010-03-08 01:31 . 2010-03-07 23:34 79488 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-08 01:24 . 2008-02-13 03:49 -------- d-----w- c:\program files\Spyware Doctor
2010-03-08 01:23 . 2008-02-13 03:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-07 19:39 . 2008-02-13 04:17 -------- d-----w- c:\program files\DivX
2010-03-07 19:39 . 2006-12-27 16:55 -------- d-----w- c:\program files\Lavasoft
2010-03-07 19:37 . 2009-08-14 18:56 -------- d-----w- c:\documents and settings\Beach Master\Application Data\Full Tilt Poker
2010-03-07 19:37 . 2007-01-10 18:37 -------- d-----w- c:\program files\Quicken
2010-03-07 19:36 . 2007-10-12 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-07 19:36 . 2007-10-12 15:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-07 17:49 . 2009-05-20 17:58 -------- d-----w- c:\program files\PokerStars
2010-03-07 17:40 . 2010-03-07 17:40 439816 ----a-w- c:\documents and settings\Dana\Application Data\Real\Update\setup3.10\setup.exe
2010-03-07 17:34 . 2006-03-20 20:25 219440 ----a-w- c:\documents and settings\Dana\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-04 23:51 . 2009-08-14 18:56 184320 ----a-w- c:\documents and settings\Beach Master\Application Data\Full Tilt Poker\updater.exe
2010-03-04 23:51 . 2009-08-14 18:56 901120 ----a-w- c:\documents and settings\Beach Master\Application Data\Full Tilt Poker\QtNetwork4.dll
2010-03-04 23:51 . 2009-08-14 18:56 7188480 ----a-w- c:\documents and settings\Beach Master\Application Data\Full Tilt Poker\FullTiltPoker.exe
2010-03-04 14:44 . 2006-03-29 18:00 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-20 19:20 . 2008-07-30 01:11 219440 ----a-w- c:\documents and settings\Beach Master\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-16 16:18 . 2009-08-14 18:56 200704 ----a-w- c:\documents and settings\Beach Master\Application Data\Full Tilt Poker\ssleay32.dll
2010-02-16 16:18 . 2009-08-14 18:56 9437184 ----a-w- c:\documents and settings\Beach Master\Application Data\Full Tilt Poker\QtWebKit4.dll
2010-02-16 16:18 . 2009-08-14 18:56 2015232 ----a-w- c:\documents and settings\Beach Master\Application Data\Full Tilt Poker\QtCore4.dll
2010-02-16 16:18 . 2009-08-14 18:56 1028096 ----a-w- c:\documents and settings\Beach Master\Application Data\Full Tilt Poker\libeay32.dll
2010-02-10 09:03 . 2007-06-05 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-20 14:02 . 2008-08-13 13:00 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-31 16:14 . 2006-01-20 04:48 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-10 18:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 12:58 . 2004-08-10 19:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:53 . 2004-08-10 18:51 2136064 ------w- c:\windows\system32\ntoskrnl.exe
2006-03-30 16:24 . 2006-03-30 16:24 32 --sha-w- c:\windows\{2C2A965E-1855-43EE-A397-D73454170914}.dat
2006-03-30 16:24 . 2006-03-30 16:24 32 --sha-w- c:\windows\system32\{96C37846-0610-462D-8D96-EC0F059F1E89}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-02 24264488]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-01 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-20 50880]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-20 34504]
"Advanced Tools Check"="c:\progra~1\NORTON~1\AdvTools\ADVCHK.EXE" [2002-08-27 79480]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2006-04-03 100056]
"NapsterShell"="c:\program files\Napster\napster.exe" [2007-12-10 323216]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-17 282624]
"fssui"="c:\program files\Windows Live\Family Safety\fssui.exe" [2007-12-17 243240]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-14 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-14 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\Dana\Start Menu\Programs\Startup\
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2007-8-17 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-4-12 67128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
TrayMin700.exe.lnk - c:\program files\Philips\SPC 700NC PC Camera\TrayMin700.exe [2008-3-18 278528]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-3-29 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [5/15/2008 3:52 PM 43816]
R2 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/17/2007 10:13 AM 523816]
R2 MioNet;MioNet Service;c:\program files\MioNet\MioNetManager.exe [7/15/2005 2:38 PM 139264]
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton AntiVirus\AdvTools\NPROTECT.EXE [3/30/2006 10:23 AM 135168]
S3 PAC207;Basic Webcam;c:\windows\system32\drivers\PFC027.SYS [11/20/2006 7:48 AM 506112]
S3 phc700;USB PC Camera (phc700);c:\windows\system32\drivers\phc700.sys [3/18/2008 10:21 PM 541568]
.
Contents of the 'Scheduled Tasks' folder

2010-03-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2010-03-06 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NAVW32.exe [2002-08-20 01:31]

2010-03-05 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-09-19 05:42]

2010-03-08 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-03-30 15:04]

2010-03-08 c:\windows\Tasks\User_Feed_Synchronization-{82F72DA8-E6FF-42CB-BB39-99586FF9AE48}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultUrl = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-08 12:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4140633030-3341314632-3632176343-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3724)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\MioNet\jvm\bin\MioNet.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Sun\StarOffice 8\program\soffice.exe
c:\program files\Sun\StarOffice 8\program\soffice.BIN
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2010-03-08 12:42:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 18:42
ComboFix2.txt 2010-03-08 12:46

Pre-Run: 101,657,784,320 bytes free
Post-Run: 101,728,845,824 bytes free

- - End Of File - - DE408D526A64678B6C94DA0C15C4F6C1

dantana0531
Intermediate
Intermediate

Posts Posts : 65
Joined Joined : 2010-03-07
OS OS : windows XP
Points Points : 25629
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by Belahzur on 8th March 2010, 7:01 pm

Whoops, spelling mistake and the script didn't work.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
    "SearchMigratedDefaultUrl"=-


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by dantana0531 on 8th March 2010, 7:04 pm

========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\SearchMigratedDefaultUrl deleted successfully.

OTM by OldTimer - Version 3.1.10.0 log created on 03082010_130229

dantana0531
Intermediate
Intermediate

Posts Posts : 65
Joined Joined : 2010-03-07
OS OS : windows XP
Points Points : 25629
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by Belahzur on 8th March 2010, 7:22 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by dantana0531 on 8th March 2010, 7:48 pm

i dont seem to be getting the pop ups but i still cant get on internet i am the administrator and i have one other beach master and that is my business one the administrator goes on line but the beach master dosnt

dantana0531
Intermediate
Intermediate

Posts Posts : 65
Joined Joined : 2010-03-07
OS OS : windows XP
Points Points : 25629
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by Belahzur on 8th March 2010, 7:52 pm

Hello.

Please check that the proxy was fully removed, this infection sets a proxy and there *was* a proxy present which should now be gone, but maybe not.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by dantana0531 on 8th March 2010, 11:36 pm

I did that and it was checked so i unchecked it and all is awesome... now what should i have on my computor to secure it and keep that from happening again. and thank you so much.... i am going to leave a donation but im also a graphic artist and if there is anything i can do for you please let me know. Smile

dantana0531
Intermediate
Intermediate

Posts Posts : 65
Joined Joined : 2010-03-07
OS OS : windows XP
Points Points : 25629
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/Nuqel.E Virus

Post by Belahzur on 9th March 2010, 3:22 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245121
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum