XP Antivirus Removal AGAIN!


Post by SlayBeau on 12th March 2010, 7:28 pm

I have been plagued by this gods be-damned thing. I have read through a number of advisories on removing this and ran across this post here on GeekPolice just 10 days ago:

[You must be registered and logged in to see this link.]

I am in the same situation, exactly it seems, as Carol. I have downloaded Malwarebytes. I have downloaded SREng. I cannot get either to run as I get the same message she did, i.e.

"This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel."

At which point Belahzur suggested SREng. She could not run it, then posted:

"Oh hang on... I just right clicked the file and selected "start". It is now running"

I, however, CANNOT get there. Right clicking does not give me a simple "start" option, so I seem to be stuck.

Prior to finding this site, and prior to this blight freezing my .exe files, I ran Symantec Corporate 10.1.5 (updated definitions this morning) and SuperAntiSpyware, both of which revealed an AR.exe trojan (presumably this thing). SAS finished and deleted it, prompting a restart; Symantec froze as usual (I get it through my university...). Stupid me removed Malwarebytes a few months ago because I never used it.

So that's what I've done and where I'm at. How do I run either Malware or SREng if neither finds the association files?

FYI, I have a small, slow linux netbook, too, if that aids matters.


Post by Belahzur on 13th March 2010, 12:31 am

Hello.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.



Post by SlayBeau on 13th March 2010, 2:45 am

Writing from my laptop, so forgive any copy errors.

Tried to download and install OTL as suggested. A box popped up with the following message:

_____________
Windows cannot open this file.

File: OTL.exe

To open this file Windows needs to know what program created it. Windows can go online to look it up automatically, or you can manually select from a list of programs on your computer.

What do you want to do?
_____________


When I choose manual, of course I get a list of programs. When I choose auto, Firefox opens a window and tells me that MS doesn't recognize the file type. Obviously I'm missing something simple. But I'm stumped. Can I manually get into the registry to fix this?


Post by SlayBeau on 13th March 2010, 3:03 am

OK, let me ask this, as I have somebody else who dealt with this at her office assisting.

Having gotten into regedit, I have been advised to find HKEY_CLASSES_ROOT, where I am told to find the subfolder .exe, then check on ITS subfolder PersistentHandler, and then in the right-hand window there should be a file/entry called (Default). I am to double click this and check the value data, which is supposed to be .exe.

OK, that's the advice. I go to HKEY_CLASSES_ROOT but do *not* have a subfolder ".exe", only a subfolder ".ex_". Is this the same thing? The value data is decidedly NOT ".exe" but a seemingly random string of characters within a pair of {}. I do not dare change this to .exe without knowing if this is the right subfolder.

Am I even on the right track?


Post by Belahzur on 13th March 2010, 1:15 pm

Hello.

Yes, this infection changes the file association on .exe, but I don't advise doing it manually, messing with the registry is dangerous!

Please download Ice Sword from [You must be registered and logged in to see this link.]

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Will IceSword open?



Post by SlayBeau on 13th March 2010, 3:50 pm

No. It's the same message:

_______
Windows cannot open this file.

File: IceSword.exe

To open this file Windows needs to know what program created it. Windows can go online to look it up automatically, or you can manually select from a list of programs on your computer.

What do you want to do?
_____________

Is there a way to change it to a .bat file? Would that even work?

(I said .bat, I meant .com)

I DID get IceSword to open! On a lark, I also tried OTL again and it's running too. I will post the logs when complete.


Last edited by SlayBeau on 13th March 2010, 5:02 pm; edited 2 times in total (Reason for editing : New information)


Post by SlayBeau on 13th March 2010, 5:15 pm

OK, here we go. Part 1 of 2

OTL Extras logfile created on: 3/13/2010 12:01:45 PM - Run 1
OTL by OldTimer - Version 3.1.37.0 Folder = C:\Documents and Settings\Aaron\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 215.00 Mb Available Physical Memory | 21.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 161.15 Gb Free Space | 54.06% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 237.73 Mb Total Space | 217.87 Mb Free Space | 91.64% Space Free | Partition Type: FAT

Computer Name: MY-D62DABDC4934
Current User Name: Aaron
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" %*
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire 4.12.6 -- (Lime Wire, LLC)
"C:\Program Files\Symantec AntiVirus\VPC32.exe" = C:\Program Files\Symantec AntiVirus\VPC32.exe:*:Enabled:Symantec AntiVirus Corporate Edition 10.1.4 -- (Symantec Corporation)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\WINDOWS\system32\a.exe" = C:\WINDOWS\system32\a.exe:*:Disabled:a -- File not found
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Documents and Settings\Aaron\Desktop\utorrent.exe" = C:\Documents and Settings\Aaron\Desktop\utorrent.exe:*:Enabled:µTorrent -- File not found
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java(TM) 6 Update 15
"{3248F0A8-6813-11D6-A77B-00B0D0150080}" = J2SE Runtime Environment 5.0 Update 8
"{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3DE0053C-FD9A-483E-B7C9-B06E4392206E}" = iTunes
"{43983EB4-43DC-4C3D-9712-1EF592A31CA8}" = OpenOffice.org 2.1
"{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}" = Apple Mobile Device Support
"{4E475FD4-4513-4B1D-8DDA-43912B068C99}" = HTML Slideshow Powertoy for Windows XP
"{663E217E-FC26-4249-9E8E-F190CD63E737}" = TaxCut Premium + State 2007
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7F34A21F-2DEB-4598-BB19-611D6BD24271}" = Managed DirectX (0900)
"{82CA0A0C-A3EC-4167-B694-909205B2EDEC}" = muvee Plugin 1.0
"{8689A5F3-BEEC-407D-A6EB-B79F636229A3}" = Media Center Alarm Clock
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A5EBB62-ADE7-41E2-8884-1517DE3505D1}" = DeductionPro 2007
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BC4AE628-81A4-4FC6-863A-7A9BA2E2531F}" = Nokia Connectivity Cable Driver
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}" = Linksys Wireless-G USB Network Adapter
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{F8E8BF1C-5AE4-4B36-8ACC-6DF7ED2D409F}" = TaxCut Pennsylvania 2007
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Acrobat 8 Professional - English, Français, Deutsch" = Adobe Acrobat 8.1.3 Professional
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AIM_6" = AIM 6
"AviSynth" = AviSynth 2.5
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DVD Shrink_is1" = DVD Shrink 3.2
"EAX Unified" = EAX Unified
"ENTERPRISE" = Microsoft Office Enterprise 2007
"exPressit S.E. 3.0" = exPressit S.E. 3.0
"FairUse Wizard 2" = FairUse Wizard 2
"FileZilla Server" = FileZilla Server (remove only)
"HP Photo & Imaging" = HP Image Zone 4.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"InfraRecorder" = InfraRecorder
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.5.3 (Full)
"LastFM_is1" = Last.fm 1.5.4.24567
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Office8.0" = Microsoft Office 97, Professional Edition
"PCI Audio Driver" = PCI Audio Driver
"Pdf995" = Pdf995 (installed by TaxCut)
"PdfEdit995" = PdfEdit995 (installed by TaxCut)
"PennyHorse" = PennyHorse
"QuickTime32" = QuickTime for Windows (32-bit)
"RealPlayer 6.0" = RealPlayer
"Revo Uninstaller" = Revo Uninstaller 1.85
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"TaxCut Premium 2006" = TaxCut Premium 2006
"ViewpointMediaPlayer" = Viewpoint Media Player
"WavePad" = WavePad Uninstall
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/12/2010 12:49:46 PM | Computer Name = MY-D62DABDC4934 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Trojan.FakeAV in File: c:\documents and
settings\aaron\local settings\application data\av.exe by: Manual scan. Action:
Clean failed : Quarantine failed. Action Description: Risk was partially removed.



Error - 3/12/2010 12:57:28 PM | Computer Name = MY-D62DABDC4934 | Source = Application Error | ID = 1000
Description = Faulting application av.exe, version 0.0.0.0, faulting module av.exe,
version 0.0.0.0, fault address 0x001153a9.

Error - 3/12/2010 1:07:31 PM | Computer Name = MY-D62DABDC4934 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Trojan.FakeAV in File: c:\documents and
settings\aaron\local settings\application data\av.exe by: Startup scan. Action:
Clean failed : Quarantine failed. Action Description: The file was left unchanged.



Error - 3/12/2010 1:07:37 PM | Computer Name = MY-D62DABDC4934 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Trojan.FakeAV in File: c:\documents and
settings\aaron\local settings\application data\av.exe by: Startup scan. Action:
Clean failed : Quarantine failed. Action Description: Risk was partially removed.



Error - 3/12/2010 1:14:31 PM | Computer Name = MY-D62DABDC4934 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Trojan.FakeAV in File: c:\documents and
settings\aaron\local settings\application data\av.exe by: Manual scan. Action:
Clean failed : Quarantine failed. Action Description: The file was left unchanged.



Error - 3/12/2010 1:14:37 PM | Computer Name = MY-D62DABDC4934 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Trojan.FakeAV in File: c:\documents and
settings\aaron\local settings\application data\av.exe by: Manual scan. Action:
Clean failed : Quarantine failed. Action Description: Risk was partially removed.



Error - 3/12/2010 2:04:50 PM | Computer Name = MY-D62DABDC4934 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Trojan Horse in File: C:\Documents and Settings\Slay
Belle\Shared\anime weiss kreuz bangbros.wma by: Manual scan. Action: Clean failed
: Quarantine failed. Action Description: The file was left unchanged.

Error - 3/12/2010 2:04:53 PM | Computer Name = MY-D62DABDC4934 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Trojan Horse in File: C:\Documents and Settings\Slay
Belle\Shared\anime weiss kreuz bangbros.wma by: Manual scan. Action: Quarantine
succeeded. Action Description: The file was quarantined successfully.

Error - 3/12/2010 3:09:21 PM | Computer Name = MY-D62DABDC4934 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/12/2010 3:09:21 PM | Computer Name = MY-D62DABDC4934 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.


========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

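The registry association discussed earlier in the thread (HKEY_CLASSES_ROOT\.exe and the exefile open command) is exactly what the "Shell Spawning" and "Security Center Settings" sections of the OTL Extras log above report. The following Python is an added example, not OTL's or the forum's own code: it audits those sections of such a log and flags the entries a helper reads first. The sample log is an excerpt of the posted log with one constructed, hijacked exefile line added for illustration.

```python
"""Audit the file-association and Security Center sections of an OTL
Extras log for the tampering the XP Antivirus / Trojan.FakeAV family does.

Added example; not OTL's or the forum's own code.
"""
import re

# On a clean Windows XP system HKCR\.exe (Default) is "exefile" and
# HKCR\exefile\shell\open\command is exactly "%1" %*. (A GUID under the
# .exe\PersistentHandler subkey is normal and is not the association.)
CLEAN_OPEN_COMMAND = '"%1" %*'
EXEC_CLASSES = {"batfile", "cmdfile", "comfile", "exefile", "piffile", "scrfile"}

# (registry key suffix, value name) -> value expected on a healthy machine.
EXPECTED_SECURITY = {
    ("Security Center", "AntiVirusOverride"): "0",
    ("Security Center", "FirewallOverride"): "0",
    ("FirewallPolicy\\DomainProfile", "EnableFirewall"): "1",
    ("FirewallPolicy\\StandardProfile", "EnableFirewall"): "1",
}

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[(HKEY_.*)\]$")
# class [verb] -- command, with an optional trailing "(Company Name)".
SPAWN_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.*?)(?: \([^()]*\))?$")
ASSOC_RE = re.compile(r"^(\.\w+) \[@ = ([^\]]*)\] -- (.*)$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')


def audit_otl_extras(log_text: str) -> list[str]:
    """Return human-readable findings for the sections of an OTL Extras log."""
    findings = []
    section = None
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if section == "File Associations":
            # OTL lists only non-default associations; .exe pointing anywhere
            # but exefile means a foreign ProgID now owns executables.
            m = ASSOC_RE.match(line)
            if m and m.group(1).lower() == ".exe" and m.group(2) != "exefile":
                findings.append(f".exe is associated with {m.group(2)}: {m.group(3)}")
        elif section == "Shell Spawning":
            m = SPAWN_RE.match(line)
            if m:
                cls, verb, cmd = m.groups()
                if cls in EXEC_CLASSES and verb == "open" and cmd != CLEAN_OPEN_COMMAND:
                    findings.append(
                        f"{cls} [open] command is not the clean {CLEAN_OPEN_COMMAND}: {cmd}")
        elif section == "Security Center Settings":
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, value = m.groups()
            for (key_suffix, exp_name), exp_value in EXPECTED_SECURITY.items():
                if name == exp_name and current_key.endswith(key_suffix) and value != exp_value:
                    findings.append(f"{current_key}: {name} = {value} (expected {exp_value})")
            if name == "DisableMonitoring" and value == "1":
                product = current_key.rsplit("\\", 1)[-1]
                findings.append(
                    f"{current_key}: DisableMonitoring = 1 (Security Center ignores {product})")
    return findings


# Constructed sample: lines from the posted log plus one hijacked exefile
# entry (the av.exe path is the one Symantec reported in the same log).
SAMPLE_LOG = r"""
========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "C:\Documents and Settings\Aaron\Local Settings\Application Data\av.exe" "%1" %*
scrfile [config] -- "%1"
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1
"""

if __name__ == "__main__":
    for finding in audit_otl_extras(SAMPLE_LOG):
        print(finding)
```

Run against a saved Extras.txt with `audit_otl_extras(open(path).read())`; an empty list means the executable associations and Security Center values match a clean XP system.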

Post by SlayBeau on 13th March 2010, 5:15 pm

And part 2 of 2

OTL logfile created on: 3/13/2010 12:01:45 PM - Run 1
OTL by OldTimer - Version 3.1.37.0 Folder = C:\Documents and Settings\Aaron\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 215.00 Mb Available Physical Memory | 21.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 161.15 Gb Free Space | 54.06% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 237.73 Mb Total Space | 217.87 Mb Free Space | 91.64% Space Free | Partition Type: FAT

Computer Name: MY-D62DABDC4934
Current User Name: Aaron
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/13 12:00:45 | 001,709,600 | ---- | M] (Smallfrogs Studio) -- C:\Documents and Settings\Aaron\Desktop\SRE7d469c3d.EXE
PRC - [2010/03/12 21:21:00 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Aaron\Desktop\OTL.exe
PRC - [2010/03/11 15:57:24 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/01/07 16:07:10 | 001,394,000 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.com
PRC - [2009/09/15 02:00:50 | 001,830,424 | ---- | M] (Smallfrogs Studio) -- C:\Documents and Settings\Aaron\Desktop\SREngLdr.EXE
PRC - [2008/07/30 03:53:08 | 000,587,776 | ---- | M] (FileZilla Project) -- C:\Program Files\FileZilla Server\FileZilla server.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/09/27 19:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/09/27 19:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/07/19 18:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/07/19 18:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/04/11 16:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2005/08/02 20:41:38 | 005,255,680 | ---- | M] (Linksys) -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
PRC - [2005/07/04 19:46:04 | 000,053,307 | ---- | M] (GEMTEKS) -- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe


========== Modules (SafeList) ==========

MOD - [2010/03/12 21:21:00 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Aaron\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Running] -- -- (WUSB54Gv42SVC)
SRV - [2008/07/30 03:53:08 | 000,587,776 | ---- | M] (FileZilla Project) [Auto | Running] -- C:\Program Files\FileZilla Server\FileZilla server.exe -- (FileZilla Server)
SRV - [2008/06/03 13:28:48 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/09/27 19:33:38 | 000,116,464 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/09/27 19:33:32 | 001,813,232 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/09/27 19:33:22 | 000,031,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/08/25 11:00:38 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/07 15:03:02 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2006/07/19 18:26:12 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/07/19 18:26:06 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/04/11 16:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Driver Services (SafeList) ==========

DRV - [2010/02/21 14:21:57 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/21 14:21:57 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/02/21 14:21:57 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/02/16 04:00:00 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100311.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/02/16 04:00:00 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100311.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/01/07 16:07:14 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/09/17 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/09/17 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2008/05/02 10:58:28 | 000,008,064 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2008/05/02 10:58:14 | 000,020,864 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2008/05/02 10:58:12 | 000,017,536 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2008/04/13 13:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2006/12/19 14:34:26 | 000,021,120 | ---- | M] (NCH Swift Sound) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nchssvad.sys -- (NCHSSVAD)
DRV - [2006/10/22 15:22:00 | 003,994,624 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/09/18 16:55:28 | 000,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/09/06 13:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 13:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/08/07 15:02:26 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/08/07 15:02:22 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/04/11 16:13:34 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/09/29 23:52:22 | 000,013,056 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/09/29 23:52:20 | 000,034,048 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/04/13 19:31:30 | 000,239,488 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2500usb.sys -- (WUSB54GPV4SRV)
DRV - [2002/11/18 18:51:40 | 000,377,358 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = ;*.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.168.2.1:5900

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:0.8.5
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0.0.%(version)s
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.1
FF - prefs.js..extensions.enabledItems: resizeit@sonej:3.6.1
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js..network.proxy.ftp: "192.168.2.1"
FF - prefs.js..network.proxy.ftp_port: 5900
FF - prefs.js..network.proxy.gopher: "192.168.2.1"
FF - prefs.js..network.proxy.gopher_port: 5900
FF - prefs.js..network.proxy.http: "192.168.2.1"
FF - prefs.js..network.proxy.http_port: 5900
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "192.168.2.1"
FF - prefs.js..network.proxy.socks_port: 5900
FF - prefs.js..network.proxy.ssl: "192.168.2.1"
FF - prefs.js..network.proxy.ssl_port: 5900


FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/11 15:57:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/11 15:57:36 | 000,000,000 | ---D | M]

[2008/08/28 18:06:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Aaron\Application Data\Mozilla\Extensions
[2010/03/12 16:01:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Aaron\Application Data\Mozilla\Firefox\Profiles\63ezsrvh.default\extensions
[2009/10/19 08:54:39 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\Aaron\Application Data\Mozilla\Firefox\Profiles\63ezsrvh.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2010/02/02 17:20:59 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Aaron\Application Data\Mozilla\Firefox\Profiles\63ezsrvh.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/08/19 18:11:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Aaron\Application Data\Mozilla\Firefox\Profiles\63ezsrvh.default\extensions\{966762eb-7132-4081-ac70-20d20161ad96}
[2010/01/19 15:05:40 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Aaron\Application Data\Mozilla\Firefox\Profiles\63ezsrvh.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/01/19 15:05:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Aaron\Application Data\Mozilla\Firefox\Profiles\63ezsrvh.default\extensions\development@add-art.org
[2010/02/18 08:37:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Aaron\Application Data\Mozilla\Firefox\Profiles\63ezsrvh.default\extensions\resizeit@sonej
[2010/03/12 16:01:20 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/16 12:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2008/05/07 16:54:07 | 000,000,833 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 60.12.193.37 auto.search.msn.com
O1 - Hosts: 60.12.193.37 auto.search.msn.es
O1 - Hosts: 60.12.193.37 ie.search.msn.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [C-Media Mixer] C:\WINDOWS\mixer.exe (C-Media Electronic Inc. ([You must be registered and logged in to see this link.]
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe (HP)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [Aim6] File not found
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\Aaron\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Aaron\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_08)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Aaron\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/11 20:11:43 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{93d6f30e-e95b-11dd-be9e-0016e6826725}\Shell\AutoRun\command - "" = AutoRun\AutoStart.exe
O33 - MountPoints2\{93d6f30e-e95b-11dd-be9e-0016e6826725}\Shell\Explore\Command - "" = AutoRun\AutoStart.exe
O33 - MountPoints2\{93d6f30e-e95b-11dd-be9e-0016e6826725}\Shell\Open\Command - "" = AutoRun\AutoStart.exe
O33 - MountPoints2\{93d6f30f-e95b-11dd-be9e-0016e6826725}\Shell\AutoRun\command - "" = AutoRun\AutoStart.exe
O33 - MountPoints2\{93d6f30f-e95b-11dd-be9e-0016e6826725}\Shell\Explore\Command - "" = AutoRun\AutoStart.exe
O33 - MountPoints2\{93d6f30f-e95b-11dd-be9e-0016e6826725}\Shell\Open\Command - "" = AutoRun\AutoStart.exe
O33 - MountPoints2\{ab800f8e-b056-11dd-be8f-0016e6826725}\Shell\AutoRun\command - "" = J:\system\viewer\FlipVideoforPC.exe -- File not found
O33 - MountPoints2\{ab800f8e-b056-11dd-be8f-0016e6826725}\Shell\Flip Video for PC\command - "" = J:\system\viewer\FlipVideoforPC.exe -- File not found
O33 - MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\Shell - "" = AutoRun
O33 - MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\Shell\1\Command - "" = Recycled.exe
O33 - MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\Shell\2\Command - "" = Recycled.exe
O33 - MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/13 12:01:22 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Aaron\Desktop\OTL.exe
[2010/03/13 12:00:45 | 001,709,600 | ---- | C] (Smallfrogs Studio) -- C:\Documents and Settings\Aaron\Desktop\SRE7d469c3d.EXE
[2010/03/13 10:57:01 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Aaron\Desktop\mbam-setup.com
[2010/03/12 23:42:18 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2010/03/12 23:42:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/03/12 23:41:43 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2010/03/12 12:06:07 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Aaron\Recent
[2010/03/11 13:49:38 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2009/08/17 22:08:50 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/17 21:47:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/08/17 20:06:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/06/02 20:22:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\pdfMachine
[2007/09/18 12:25:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/02/25 19:29:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\pdf995
[2006/12/11 12:55:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/12/11 12:55:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/13 12:00:45 | 001,709,600 | ---- | M] (Smallfrogs Studio) -- C:\Documents and Settings\Aaron\Desktop\SRE7d469c3d.EXE
[2010/03/13 10:59:18 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\Aaron\NTUSER.DAT
[2010/03/12 21:48:42 | 000,000,015 | ---- | M] () -- C:\Documents and Settings\Aaron\Desktop\taskmgr.bat
[2010/03/12 21:47:49 | 000,000,011 | ---- | M] () -- C:\Documents and Settings\Aaron\Desktop\text3.bat
[2010/03/12 21:31:51 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/12 21:26:11 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/12 21:26:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/12 21:24:34 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Aaron\ntuser.ini
[2010/03/12 21:22:22 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Aaron\Desktop\mbam-setup.com
[2010/03/12 21:21:00 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Aaron\Desktop\OTL.exe
[2010/03/12 19:58:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/12 13:46:31 | 000,000,331 | ---- | M] () -- C:\Documents and Settings\Aaron\Desktop\exefig.reg
[2010/03/12 13:20:14 | 000,000,346 | ---- | M] () -- C:\WINDOWS\is-EDH72.lst
[2010/03/12 13:20:13 | 000,696,832 | ---- | M] () -- C:\WINDOWS\is-EDH72.exe
[2010/03/12 13:20:13 | 000,010,498 | ---- | M] () -- C:\WINDOWS\is-EDH72.msg
[2010/03/12 13:14:34 | 000,013,608 | -HS- | M] () -- C:\Documents and Settings\Aaron\Local Settings\Application Data\c58EA
[2010/03/12 12:04:33 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/03/08 17:10:11 | 000,141,115 | ---- | M] () -- C:\Documents and Settings\Aaron\Desktop\CASI.pdf
[2010/02/21 17:34:18 | 000,048,640 | ---- | M] () -- C:\Documents and Settings\Aaron\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/17 10:27:41 | 000,082,432 | ---- | M] () -- C:\Documents and Settings\Aaron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/11 17:11:17 | 000,000,152 | ---- | M] () -- C:\Documents and Settings\Aaron\My Documents\Flood training cert.html
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/12 21:46:59 | 000,000,015 | ---- | C] () -- C:\Documents and Settings\Aaron\Desktop\taskmgr.bat
[2010/03/12 21:46:59 | 000,000,011 | ---- | C] () -- C:\Documents and Settings\Aaron\Desktop\text3.bat
[2010/03/12 13:38:19 | 000,000,331 | ---- | C] () -- C:\Documents and Settings\Aaron\Desktop\exefig.reg
[2010/03/12 13:20:14 | 000,000,346 | ---- | C] () -- C:\WINDOWS\is-EDH72.lst
[2010/03/12 13:20:13 | 000,696,832 | ---- | C] () -- C:\WINDOWS\is-EDH72.exe
[2010/03/12 13:20:13 | 000,010,498 | ---- | C] () -- C:\WINDOWS\is-EDH72.msg
[2010/03/12 11:32:25 | 000,013,608 | -HS- | C] () -- C:\Documents and Settings\Aaron\Local Settings\Application Data\c58EA
[2010/03/08 17:10:11 | 000,141,115 | ---- | C] () -- C:\Documents and Settings\Aaron\Desktop\CASI.pdf
[2010/02/11 17:11:16 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\Aaron\My Documents\Flood training cert.html
[2009/01/26 16:35:59 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/01/26 16:35:52 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/01/26 16:35:52 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/01/26 16:35:51 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/01/26 16:35:49 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/01/26 16:35:49 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/01/23 10:09:09 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2008/10/23 23:33:17 | 000,126,464 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2008/04/20 13:23:41 | 000,000,072 | ---- | C] () -- C:\WINDOWS\pennyhorse.ini
[2007/12/11 23:42:02 | 000,005,808 | ---- | C] () -- C:\Program Files\install.log
[2007/10/27 16:52:18 | 000,001,759 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/06/27 18:03:13 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\regf8ed5win83.dll
[2007/06/12 15:26:43 | 000,000,306 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2007/05/29 10:57:01 | 000,000,048 | ---- | C] () -- C:\WINDOWS\webica.ini
[2007/04/25 15:19:17 | 000,000,021 | ---- | C] () -- C:\WINDOWS\KA.INI
[2007/03/12 15:47:54 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Aaron\Local Settings\Application Data\fusioncache.dat
[2007/03/12 15:45:13 | 000,000,183 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/02/25 19:29:05 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2007/02/21 22:34:51 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2007/02/21 22:34:37 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2007/01/04 14:22:54 | 000,000,737 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/12/29 12:44:00 | 000,048,640 | ---- | C] () -- C:\Documents and Settings\Aaron\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/12/19 14:49:25 | 000,001,024 | ---- | C] () -- C:\Documents and Settings\Aaron\Application Data\WavCodec.wff
[2006/12/18 14:02:50 | 000,003,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/12/17 14:24:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/12/16 13:40:26 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2006/12/16 13:40:13 | 000,001,617 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2006/12/16 13:32:12 | 000,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2006/12/11 19:10:32 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2006/12/11 17:22:15 | 000,000,025 | ---- | C] () -- C:\WINDOWS\mixerdef.ini
[2006/10/22 15:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 15:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 15:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 15:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 15:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 15:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 15:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[1997/07/11 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1997/07/11 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/07/11 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
< End of report >

SlayBeau
Novice

Posts : 9
Joined : 2010-03-12
Gender : Male
OS : Ubuntu, Windows XP
Points : 24783
# Likes : 0

Re: XP Antivirus Removal AGAIN!

Post by Belahzur on 13th March 2010, 7:27 pm

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :OTL
    IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O32 - AutoRun File - [2008/11/11 20:11:43 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O33 - MountPoints2\{93d6f30e-e95b-11dd-be9e-0016e6826725}\Shell\AutoRun\command - "" = AutoRun\AutoStart.exe
    O33 - MountPoints2\{93d6f30e-e95b-11dd-be9e-0016e6826725}\Shell\Explore\Command - "" = AutoRun\AutoStart.exe
    O33 - MountPoints2\{93d6f30e-e95b-11dd-be9e-0016e6826725}\Shell\Open\Command - "" = AutoRun\AutoStart.exe
    O33 - MountPoints2\{93d6f30f-e95b-11dd-be9e-0016e6826725}\Shell\AutoRun\command - "" = AutoRun\AutoStart.exe
    O33 - MountPoints2\{93d6f30f-e95b-11dd-be9e-0016e6826725}\Shell\Explore\Command - "" = AutoRun\AutoStart.exe
    O33 - MountPoints2\{93d6f30f-e95b-11dd-be9e-0016e6826725}\Shell\Open\Command - "" = AutoRun\AutoStart.exe
    O33 - MountPoints2\{ab800f8e-b056-11dd-be8f-0016e6826725}\Shell\AutoRun\command - "" = J:\system\viewer\FlipVideoforPC.exe -- File not found
    O33 - MountPoints2\{ab800f8e-b056-11dd-be8f-0016e6826725}\Shell\Flip Video for PC\command - "" = J:\system\viewer\FlipVideoforPC.exe -- File not found
    O33 - MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\Shell - "" = AutoRun
    O33 - MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\Shell\1\Command - "" = Recycled.exe
    O33 - MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\Shell\2\Command - "" = Recycled.exe
    O33 - MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\Shell\AutoRun - "" = Auto&Play

    :commands
    [resethosts]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
# Likes : 1
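As an added example (not code from this thread, from OTL or from its author), here is the triage a helper does by eye on the log posted above, scripted in Python: it flags hosts-file redirects, MountPoints2 autorun commands and a non-stock exefile open verb, and assembles a fix block in the shape Belahzur posted. The sample lines are a constructed subset of the log above; the regexes, severity labels and the `Finding` record are this example's own assumptions about OTL's line format, not OTL's specification.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied in shape from the OTL log posted
# earlier in this thread, not the full log.
SAMPLE_OTL_LOG = r'''
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.168.2.1:5900
FF - prefs.js..network.proxy.http: "192.168.2.1"
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 60.12.193.37 auto.search.msn.com
O1 - Hosts: 60.12.193.37 ie.search.msn.com
O33 - MountPoints2\{93d6f30e-e95b-11dd-be9e-0016e6826725}\Shell\AutoRun\command - "" = AutoRun\AutoStart.exe
O33 - MountPoints2\{ab800f8e-b056-11dd-be8f-0016e6826725}\Shell\AutoRun\command - "" = J:\system\viewer\FlipVideoforPC.exe -- File not found
O33 - MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\Shell - "" = AutoRun
O33 - MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\Shell\1\Command - "" = Recycled.exe
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
'''

@dataclass
class Finding:
    check: str     # which check fired
    severity: str  # "high", "review" or "info" (labels assumed for this example)
    line: str      # the OTL line verbatim, so it can be pasted into an :OTL fix
    note: str

HOSTS_RE = re.compile(r'^O1 - Hosts:\s+(\S+)\s+(\S+)')
MOUNT_RE = re.compile(r'^O33 - MountPoints2\\(\{[0-9a-f-]+\})\\Shell(.*?) - "" = (.*?)( -- File not found)?$')
ASSOC_RE = re.compile(r'^O35 - HKLM\\\.\.(\w+) \[open\] -- (.*)$')
PROXY_RE = re.compile(r'^(IE - .*Internet Settings: "Proxy\w+" = .*|FF - prefs\.js\.\.network\.proxy\.\w+: .*)$')
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
DEFAULT_OPEN_CMD = '"%1" %*'  # stock XP value of the exefile/comfile "open" verb

def check_hosts(line):
    m = HOSTS_RE.match(line)
    if not m:
        return None
    ip, name = m.groups()
    if ip in LOOPBACK:
        return None
    # A well-known name mapped to an outside IP is a redirect; [resethosts] undoes it.
    return Finding("hosts", "high", line, f"{name} redirected to {ip}")

def check_mountpoint(line):
    m = MOUNT_RE.match(line)
    if not m:
        return None
    guid, subkey, command, missing = m.groups()
    if not subkey.lower().endswith("command"):
        return Finding("mountpoints2", "info", line, f"{guid}: shell label {command!r}")
    if missing:
        return Finding("mountpoints2", "review", line, f"{guid}: stale autorun, target missing")
    if ":" not in command:
        # No drive letter: the path resolves on the mounted volume itself, the
        # pattern autorun worms leave behind (AutoRun\AutoStart.exe, Recycled.exe).
        return Finding("mountpoints2", "high", line, f"{guid}: volume-relative autorun {command}")
    return Finding("mountpoints2", "review", line, f"{guid}: autorun {command}")

def check_association(line):
    m = ASSOC_RE.match(line)
    if not m:
        return None
    ftype, cmd = m.groups()
    if cmd == DEFAULT_OPEN_CMD:
        return Finding("association", "info", line, f"{ftype} open verb is stock")
    # A changed open verb is what leaves .exe files unable to launch normally.
    return Finding("association", "high", line, f"{ftype} open verb is {cmd!r}")

def check_proxy(line):
    if PROXY_RE.match(line):
        return Finding("proxy", "review", line, "browser proxy set; confirm it is the LAN's own")
    return None

CHECKS = (check_hosts, check_mountpoint, check_association, check_proxy)

def triage(log_text):
    """Run every check over every line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        findings.extend(f for f in (check(line) for check in CHECKS) if f)
    return findings

def build_otl_fix(findings):
    """Assemble a fix in the shape posted in the thread: every MountPoints2 entry
    under :OTL, plus [resethosts] under :commands when a hosts redirect was found."""
    otl = [f.line for f in findings if f.check == "mountpoints2"]
    commands = ["[resethosts]"] if any(f.check == "hosts" for f in findings) else []
    return "\n".join([":OTL", *otl, "", ":commands", *commands, "[reboot]"])

if __name__ == "__main__":
    found = triage(SAMPLE_OTL_LOG)
    for f in found:
        print(f"{f.severity:6} {f.check:12} {f.note}")
    print(build_otl_fix(found))
```

Run against a full log, the "info" and "review" findings are the ones to read by hand before pasting anything into the Custom Scans/Fixes window.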

Re: XP Antivirus Removal AGAIN!

Post by SlayBeau on 13th March 2010, 8:33 pm

A note before I paste the log: I ran it, and it did ask for a reboot before giving me a log. So I rebooted as you said. I didn't see a log file so I ran it again and picked "no" on the reboot question and the log popped up. The log:

========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
File C:\AUTOEXEC.BAT not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93d6f30e-e95b-11dd-be9e-0016e6826725}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{93d6f30e-e95b-11dd-be9e-0016e6826725}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93d6f30e-e95b-11dd-be9e-0016e6826725}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{93d6f30e-e95b-11dd-be9e-0016e6826725}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93d6f30e-e95b-11dd-be9e-0016e6826725}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{93d6f30e-e95b-11dd-be9e-0016e6826725}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93d6f30f-e95b-11dd-be9e-0016e6826725}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{93d6f30f-e95b-11dd-be9e-0016e6826725}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93d6f30f-e95b-11dd-be9e-0016e6826725}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{93d6f30f-e95b-11dd-be9e-0016e6826725}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93d6f30f-e95b-11dd-be9e-0016e6826725}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{93d6f30f-e95b-11dd-be9e-0016e6826725}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab800f8e-b056-11dd-be8f-0016e6826725}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ab800f8e-b056-11dd-be8f-0016e6826725}\ not found.
File J:\system\viewer\FlipVideoforPC.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab800f8e-b056-11dd-be8f-0016e6826725}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ab800f8e-b056-11dd-be8f-0016e6826725}\ not found.
File J:\system\viewer\FlipVideoforPC.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c19b3516-86a5-11de-bec0-0016e6826725}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c19b3516-86a5-11de-bec0-0016e6826725}\ not found.
File C:\Recycled.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c19b3516-86a5-11de-bec0-0016e6826725}\ not found.
File C:\Recycled.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c19b3516-86a5-11de-bec0-0016e6826725}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c19b3516-86a5-11de-bec0-0016e6826725}\ not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.1.37.0 log created on 03132010_153145


Re: XP Antivirus Removal AGAIN!

Post by Belahzur on 13th March 2010, 8:56 pm

Hello.

I see that you are running µTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    µTorrent
    Adobe Reader 9
    Java(TM) 6 Update 15
    J2SE Runtime Environment 5.0 Update 8
    Viewpoint Media Player

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.





Re: XP Antivirus Removal AGAIN!

Post by SlayBeau on 13th March 2010, 9:16 pm

Malwarebytes' Anti-Malware 1.44
Database version: 3864
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/13/2010 4:15:40 PM
mbam-log-2010-03-13 (16-15-40).txt

Scan type: Quick Scan
Objects scanned: 180070
Time elapsed: 9 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: XP Antivirus Removal AGAIN!

Post by Belahzur on 14th March 2010, 1:09 am

Hello.

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe that you downloaded to install the newest version.

Then download and install [You must be registered and logged in to see this link.]

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
How is the machine running now?





Re: XP Antivirus Removal AGAIN!

Post by SlayBeau on 15th March 2010, 4:22 am

The machine seems to be running fine. Continued virus scans show clean and the pop ups are long gone. Executable files are now executable and everything seems to be opening and running fine.

Symantec has been uninstalled and I am now running MAB and (right now) SuperAntiSpyware. I know that antivirus programs can conflict with one another, so is there a particular cocktail you suggest? I've read Avast 5 works well with MAB.

Finally, I assume that I can now delete IceSword and don't need SREng.exe. OTL did remove all files associated with that particular fix (i.e. the one that worked).

I cannot thank you enough for your assistance. Your help (and patience) has been incalculable. Though, come pay day, I will try my very best to calculate something to help keep this site going.


Re: XP Antivirus Removal AGAIN!

Post by Belahzur on 15th March 2010, 9:46 pm

Hello.
Yes, you can delete IceSword and SREng.exe.

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
How is the machine running now?



