Fake Windows Security Virus removed, caused more rootkits and problems.


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on 13th April 2010, 4:14 am

Code:
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:14 on 12/04/2010 by Spen (Administrator - Elevation successful)

========== dir ==========

C:\Program Files\BitComet - Unable to find folder.

-=End Of File=-

jogna
Novice
Posts : 25
Joined : 2010-04-08
OS : XP
Points : 24818
# Likes : 0

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on 13th April 2010, 4:20 am

Please open OTL -- Click None and paste this in the Custom Scans box:
Code:
%PROGRAMFILES%\*.

Then click Run Scan. It shall launch a log. Please post it in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator
Posts : 14310
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302971
# Likes : 10

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on 13th April 2010, 5:26 am

Code:

OTL logfile created on: 4/12/2010 10:26:14 PM - Run 2
OTL by OldTimer - Version 3.2.1.0    Folder = C:\Documents and Settings\Spen\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 72.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 4.24 Gb Free Space | 1.82% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: ALEX-ROOM
Current User Name: Spen
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
========== Custom Scans ==========
 
 
< %PROGRAMFILES%\*. >
[2010/04/10 22:42:17 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2008/11/03 18:05:00 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2010/03/23 22:54:54 | 000,000,000 | ---D | M] -- C:\Program Files\ATI
[2010/03/23 22:54:27 | 000,000,000 | ---D | M] -- C:\Program Files\ATI Technologies
[2010/04/06 20:04:00 | 000,000,000 | ---D | M] -- C:\Program Files\Avira
[2010/04/05 08:04:11 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2009/01/12 23:50:04 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2010/04/05 23:30:50 | 000,000,000 | ---D | M] -- C:\Program Files\CheckPoint
[2009/07/04 02:33:51 | 000,000,000 | ---D | M] -- C:\Program Files\Comical
[2010/04/11 22:11:45 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2008/10/29 23:03:58 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2008/10/30 00:06:22 | 000,000,000 | ---D | M] -- C:\Program Files\DAEMON Tools Lite
[2009/12/21 22:52:59 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2010/03/31 20:17:38 | 000,000,000 | ---D | M] -- C:\Program Files\dumps
[2010/04/07 19:00:41 | 000,000,000 | ---D | M] -- C:\Program Files\FileASSASSIN
[2010/02/05 23:15:22 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2009/05/18 13:58:49 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2009/05/18 13:57:23 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2010/03/14 00:30:50 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2008/10/29 23:16:10 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2010/04/08 04:10:20 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2009/07/04 00:20:34 | 000,000,000 | ---D | M] -- C:\Program Files\IObit
[2010/04/05 08:10:14 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2010/04/10 22:51:53 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2008/10/30 00:09:21 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/05/18 14:18:08 | 000,000,000 | ---D | M] -- C:\Program Files\JRE
[2009/12/25 22:09:38 | 000,000,000 | ---D | M] -- C:\Program Files\LimeWire
[2009/06/16 02:36:28 | 000,000,000 | ---D | M] -- C:\Program Files\MagicISO
[2010/04/07 12:46:27 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/10 22:51:55 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/11/06 12:56:41 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2009/12/10 21:27:09 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2008/10/29 23:08:42 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010/04/08 12:16:59 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/04/02 17:05:50 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2010/04/10 22:42:44 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox 3.5 Beta 4
[2009/12/08 00:43:52 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2008/10/29 22:57:05 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2008/10/29 22:57:45 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/01/13 10:26:27 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/12/08 00:40:12 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2008/11/05 19:23:05 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2010/04/08 12:14:43 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2008/10/29 23:31:59 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2009/05/18 14:18:07 | 000,000,000 | ---D | M] -- C:\Program Files\OpenOffice.org 3
[2010/04/08 12:39:01 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2009/11/27 01:37:29 | 000,000,000 | ---D | M] -- C:\Program Files\PartyGaming
[2010/03/14 02:33:36 | 000,000,000 | ---D | M] -- C:\Program Files\PokerStars
[2009/06/16 02:36:28 | 000,000,000 | ---D | M] -- C:\Program Files\Postal2STP
[2009/11/27 01:37:27 | 000,000,000 | ---D | M] -- C:\Program Files\Project64 v1.5
[2010/04/11 03:53:34 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2008/10/29 23:20:35 | 000,000,000 | ---D | M] -- C:\Program Files\Realtek
[2008/10/30 00:09:49 | 000,000,000 | ---D | M] -- C:\Program Files\RealVNC
[2009/12/08 00:43:42 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/04/07 02:08:55 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/01 00:39:52 | 000,000,000 | ---D | M] -- C:\Program Files\StarCraft II Beta
[2010/04/01 15:40:44 | 000,000,000 | ---D | M] -- C:\Program Files\Steam
[2010/04/07 02:05:18 | 000,000,000 | ---D | M] -- C:\Program Files\Trend Micro
[2008/10/29 23:12:25 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/04/08 12:34:15 | 000,000,000 | ---D | M] -- C:\Program Files\uTorrent
[2008/10/30 20:32:28 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2008/12/03 23:28:18 | 000,000,000 | ---D | M] -- C:\Program Files\VIDEOzilla
[2009/07/23 13:54:13 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp
[2010/04/05 23:36:27 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp Remote
[2009/07/23 13:52:58 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp Toolbar
[2010/04/07 23:33:32 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Desktop Search
[2009/11/06 12:55:59 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2009/11/06 12:56:21 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2008/10/29 23:08:26 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2010/04/08 12:14:39 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2008/10/29 23:03:18 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Plus
[2008/10/29 23:07:13 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2008/10/30 00:29:36 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2010/04/10 01:50:53 | 000,000,000 | ---D | M] -- C:\Program Files\World of Warcraft
[2008/10/29 23:08:42 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2010/04/05 23:21:46 | 000,000,000 | ---D | M] -- C:\Program Files\Zone Labs
< End of report >


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on 13th April 2010, 5:32 am

Open OTL. Click on Quick Scan, then post a log.


Dr. Jay (DJ)



Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on 13th April 2010, 5:48 am

Code:
OTL logfile created on: 4/12/2010 10:45:08 PM - Run 3
OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Spen\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 4.23 Gb Free Space | 1.82% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALEX-ROOM
Current User Name: Spen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/08 18:09:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Spen\Desktop\OTL.exe
PRC - [2010/04/02 17:05:39 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/16 15:36:32 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2008/04/13 17:12:40 | 000,032,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wpabaln.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/08 18:09:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Spen\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/16 15:36:32 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/02/24 09:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2007/10/25 16:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2006/05/12 16:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) [Disabled | Stopped] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "[You must be registered and logged in to see this link.]
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..keyword.URL: "http://www.bing.com/search?FORM=IEFM1&q="


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/05 08:08:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/10 22:46:18 | 000,000,000 | ---D | M]

[2009/03/28 14:09:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\Mozilla\Extensions
[2010/04/11 23:39:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\extensions
[2010/04/09 08:56:47 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/06 23:35:52 | 000,002,171 | ---- | M] () -- C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Profiles\a0hc1fm0.default\searchplugins\bing.xml
[2010/04/11 23:39:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/01/22 23:20:30 | 000,491,520 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll

O1 HOSTS File: ([2010/04/11 22:14:35 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ThunderAtOnce Class) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\ComDlls\TDAtOnce_Now.dll (Thunder Networking Technologies,LTD)
O2 - BHO: (Winamp Toolbar Loader) - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Winamp Toolbar) - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O3 - HKCU\..\Toolbar\WebBrowser: (Winamp Toolbar) - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll (AOL LLC.)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: 使用迅雷下载 - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\Program\geturl.htm ()
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Documents and Settings\Spen\Desktop\thunder\Thunder\Program\getAllurl.htm ()
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.59.144.18 64.59.144.19
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Desktop Background.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Spen\Application Data\Mozilla\Firefox\Desktop Background.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/29 23:08:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/04/12 21:11:54 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Spen\PrivacIE
[2010/04/12 21:10:55 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/04/11 22:12:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/10 23:43:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Desktop\Pure.Pwnage.TV.S01E05.HDTV.XviD-aAF - [ [You must be registered and logged in to see this link.] ]
[2010/04/10 01:49:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\My Documents\StarCraft II Beta
[2010/04/08 21:08:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Desktop\666
[2010/04/08 18:09:51 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Spen\Desktop\OTL.exe
[2010/04/08 12:23:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/04/08 12:22:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/04/08 12:17:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2010/04/08 12:17:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2010/04/08 12:16:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2010/04/08 12:16:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2010/04/08 12:07:52 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2010/04/08 04:10:32 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Spen\IETldCache
[2010/04/08 04:08:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/04/08 04:05:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Pavark
[2010/04/08 04:05:14 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/04/08 03:07:06 | 000,000,000 | ---D | C] -- C:\b9366766186a5e08fc2c
[2010/04/07 23:23:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2010/04/07 20:26:45 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/07 20:25:10 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/07 20:25:10 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/07 20:25:10 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/07 20:25:10 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/07 20:24:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/07 20:22:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/07 19:00:40 | 000,000,000 | ---D | C] -- C:\Program Files\FileASSASSIN
[2010/04/07 13:52:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Desktop\SmitfraudFix
[2010/04/07 12:46:24 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/07 12:46:20 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/07 12:46:20 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/07 06:00:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/07 06:00:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/07 02:18:41 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Spen\Recent
[2010/04/07 02:07:32 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/07 02:05:18 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/06 21:14:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/06 20:31:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/06 20:25:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/04/06 20:22:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Application Data\Avira
[2010/04/06 20:04:02 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/04/06 20:04:01 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/04/06 20:04:01 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/04/06 20:04:01 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/04/06 20:04:01 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/04/06 20:04:00 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/04/06 20:04:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/04/05 23:43:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/05 23:31:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\My Documents\ForceField Shared Files
[2010/04/05 23:31:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Spen\Application Data\CheckPoint
[2010/04/05 23:30:50 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/04/05 23:30:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2010/04/05 23:21:46 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/04/05 23:21:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/04/05 08:10:14 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/05 08:10:11 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/05 08:10:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/05 08:08:00 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/05 08:04:11 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/03/31 20:17:38 | 000,000,000 | ---D | C] -- C:\Program Files\dumps
[2010/03/29 19:36:32 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/12/10 21:58:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2009/05/13 00:30:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/05/08 03:56:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/11/10 19:48:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/10/29 23:11:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/10/29 23:11:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/12 22:23:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/12 18:48:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/12 14:23:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/12 12:35:10 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/04/12 12:02:42 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/11 23:42:41 | 008,650,752 | -H-- | M] () -- C:\Documents and Settings\Spen\NTUSER.DAT
[2010/04/11 22:14:47 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/11 22:14:35 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/11 22:14:31 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/11 22:14:06 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/11 22:14:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/11 22:13:08 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Spen\ntuser.ini
[2010/04/11 22:13:03 | 006,442,408 | -H-- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\IconCache.db
[2010/04/11 21:22:41 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\SystemLook.exe
[2010/04/11 19:42:23 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/10 23:49:49 | 000,203,264 | ---- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/10 22:46:18 | 000,001,772 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/09 21:28:22 | 000,000,744 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\commy.exe.lnk
[2010/04/09 07:46:47 | 000,518,514 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/09 07:46:47 | 000,454,170 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/09 07:46:47 | 000,074,628 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/09 07:44:47 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/08 18:24:32 | 000,181,642 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\OTL.doc
[2010/04/08 18:09:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Spen\Desktop\OTL.exe
[2010/04/08 12:45:25 | 000,117,360 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/08 12:34:15 | 000,000,673 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[2010/04/08 12:29:15 | 000,004,444 | ---- | M] () -- C:\WINDOWS\System32\pid.PNF
[2010/04/08 12:26:59 | 000,018,640 | ---- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/08 12:24:11 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/04/08 12:12:26 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/04/08 02:00:22 | 000,000,000 | RHS- | M] () -- C:\Documents and Settings\All Users\Documents\khq
[2010/04/08 00:39:48 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100408-021417.backup
[2010/04/07 23:28:54 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/04/07 23:28:52 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c
[2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\bQT88M2c
[2010/04/07 21:32:39 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/07 20:26:54 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2010/04/07 12:46:26 | 000,000,757 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Pokemon Gold.lnk
[2010/04/07 02:42:50 | 000,000,090 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/04/07 02:07:40 | 000,000,992 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\Spybot - Search & Destroy.lnk
[2010/04/07 02:05:18 | 000,001,783 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\HijackThis.lnk
[2010/04/06 19:52:17 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/06 00:18:30 | 000,012,848 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\GbW53PfLB
[2010/04/06 00:18:30 | 000,012,848 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\GbW53PfLB
[2010/04/06 00:16:43 | 000,201,728 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll
[2010/04/06 00:03:12 | 000,000,319 | ---- | M] () -- C:\Documents and Settings\Spen\Desktop\trojan_fakerean_exe_fix.reg
[2010/04/05 23:31:36 | 000,422,437 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/05 23:30:47 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/05 23:07:41 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100407-021746.backup
[2010/04/05 08:08:28 | 000,001,653 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/11 21:22:41 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\SystemLook.exe
[2010/04/10 22:46:18 | 000,001,772 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/09 21:28:22 | 000,000,744 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\commy.exe.lnk
[2010/04/08 18:24:32 | 000,181,642 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\OTL.doc
[2010/04/08 12:34:15 | 000,000,673 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[2010/04/08 12:29:15 | 000,004,444 | ---- | C] () -- C:\WINDOWS\System32\pid.PNF
[2010/04/08 02:00:22 | 000,000,000 | RHS- | C] () -- C:\Documents and Settings\All Users\Documents\khq
[2010/04/08 02:00:10 | 000,734,581 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\rydxuu.exe
[2010/04/07 23:28:54 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/04/07 23:28:52 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
[2010/04/07 23:22:33 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/04/07 23:20:27 | 000,000,974 | ---- | C] () -- C:\WINDOWS\System32\pid.inf
[2010/04/07 23:17:44 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
[2010/04/07 23:17:43 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
[2010/04/07 23:17:43 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
[2010/04/07 22:14:05 | 000,007,882 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\bQT88M2c
[2010/04/07 22:14:04 | 000,007,882 | -HS- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c
[2010/04/07 20:26:53 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2010/04/07 20:26:48 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/07 20:25:10 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/07 20:25:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/07 20:25:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/07 20:25:10 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/07 20:25:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/07 12:46:26 | 000,000,757 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Pokemon Gold.lnk
[2010/04/07 02:42:50 | 000,000,090 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/04/07 02:07:40 | 000,000,992 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\Spybot - Search & Destroy.lnk
[2010/04/07 02:05:18 | 000,001,783 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\HijackThis.lnk
[2010/04/06 19:52:17 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/06 00:03:12 | 000,000,319 | ---- | C] () -- C:\Documents and Settings\Spen\Desktop\trojan_fakerean_exe_fix.reg
[2010/04/05 23:52:20 | 000,201,728 | -HS- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll
[2010/04/05 23:39:03 | 000,012,848 | -HS- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\GbW53PfLB
[2010/04/05 23:30:47 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/04/05 23:30:38 | 000,422,437 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/04/05 23:08:05 | 000,012,848 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\GbW53PfLB
[2010/04/05 08:10:34 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/05 08:08:28 | 000,001,653 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/12/12 21:34:43 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\fusioncache.dat
[2009/05/31 15:49:48 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\EGameEncrypt.dll
[2009/05/18 13:56:09 | 000,000,337 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/04/11 12:15:27 | 000,000,146 | ---- | C] () -- C:\Documents and Settings\Spen\default.pls
[2009/03/28 17:06:14 | 000,203,264 | ---- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/28 15:31:22 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/03/28 15:31:09 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/03/28 15:31:09 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/03/28 15:31:09 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/03/28 15:31:01 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/03/28 15:31:01 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/03/28 14:07:50 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Spen\ntuser.dat.LOG
[2009/03/28 14:07:50 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Spen\ntuser.ini
[2009/03/28 14:07:49 | 008,650,752 | -H-- | C] () -- C:\Documents and Settings\Spen\NTUSER.DAT
[2009/02/15 07:43:11 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2008/12/03 23:28:15 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vzcontextmenu.dll
[2008/12/03 23:28:13 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\DetectDxQT.dll
[2008/11/05 19:36:34 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/11/01 16:57:24 | 000,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

========== LOP Check ==========

[2009/12/08 09:09:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/12/10 23:47:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OrbNetworks
[2009/07/04 02:37:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2008/12/03 23:28:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\shctxex.vb
[2009/12/18 02:21:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Thunder Network
[2009/12/18 02:21:17 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\thunder_vod_cache
[2010/04/05 08:10:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/19 09:12:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/07/16 19:00:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/04/13 14:38:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\Braid
[2010/04/05 23:31:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\CheckPoint
[2009/03/31 15:04:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\DAEMON Tools
[2009/05/24 00:33:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\EVEMon
[2009/06/27 20:24:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\IObit
[2010/01/04 19:50:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\LimeWire
[2009/05/18 14:19:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\OpenOffice.org
[2009/03/31 15:31:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\SPORE
[2010/04/11 23:42:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\uTorrent
[2009/12/10 21:30:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\Windows Desktop Search
[2009/12/10 22:21:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Spen\Application Data\Windows Search

========== Purity Check ==========


< End of report >

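As an added example, not part of this thread and not code from OTL or any tool used in it: a small Python parser for the OTL file-listing lines in the log above, with a triage rule that picks out the same pattern the helper pulled into his fix (hidden+system files with no vendor name and random-looking names sitting directly in a profile's Application Data folder). The line format is inferred from the log; the flagging rules, the `USER_APPDATA_RE`/`RANDOM_NAME_RE` patterns and the sample lines are my own assumptions, constructed to match the log's shape.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the shape of OTL's "Files Created/Modified" sections.
SAMPLE_LOG = r"""
[2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c
[2010/04/06 00:16:43 | 000,201,728 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/08 03:07:06 | 000,000,000 | ---D | C] -- C:\b9366766186a5e08fc2c
[2009/03/28 14:07:50 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Spen\ntuser.ini
[2010/04/07 22:14:04 | 000,007,882 | -HS- | C] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c
"""

# One OTL file line: [date time | size | RHSD flags | C/M] (company) -- path; "(company)" is absent on directories.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[RHSD-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# Assumed: file sitting directly in a profile's (Local Settings\)Application Data folder.
USER_APPDATA_RE = re.compile(
    r"\\(?:Documents and Settings|Users)\\[^\\]+\\(?:Local Settings\\)?Application Data\\[^\\]+$",
    re.IGNORECASE,
)
# Assumed "random-looking" name: bare 6-12 alphanumerics, or an all-digit DLL name.
RANDOM_NAME_RE = re.compile(r"^(?:[A-Za-z0-9]{6,12}|\d{6,}\.dll)$")


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    readonly: bool
    hidden: bool
    system: bool
    directory: bool
    kind: str       # "C" = Files Created section, "M" = Files Modified section
    company: str    # empty when OTL printed "()" or nothing at all
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one OTL file line; returns None for headers and other non-file lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attr = m.group("attr")
    return OtlEntry(
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        readonly=attr[0] == "R",
        hidden=attr[1] == "H",
        system=attr[2] == "S",
        directory=attr[3] == "D",
        kind=m.group("kind"),
        company=m.group("company") or "",
        path=m.group("path"),
    )


def is_suspect(e: OtlEntry) -> bool:
    """Assumed triage rule: hidden+system file, no vendor, random name, sitting in Application Data."""
    if e.directory or not (e.hidden and e.system) or e.company:
        return False
    if not USER_APPDATA_RE.search(e.path):
        return False
    return bool(RANDOM_NAME_RE.match(e.path.rsplit("\\", 1)[-1]))


def find_suspects(log_text: str) -> List[str]:
    """Suspect paths in log order, de-duplicated (OTL lists a file in both C and M sections)."""
    found: List[str] = []
    for entry in map(parse_otl_line, log_text.splitlines()):
        if entry and is_suspect(entry) and entry.path not in found:
            found.append(entry.path)
    return found


if __name__ == "__main__":
    print(*find_suspects(SAMPLE_LOG), sep="\n")
```

The rule is a triage aid for reading a log, not a verdict: a hit means "look at this entry", as the helper did before deciding what went into the fix.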

Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on 13th April 2010, 6:11 am

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :otl
    O2 - BHO: (no name) - {889D2FEB-5411-4565-8998-1DD2C5261283} - No CLSID value found.
    O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
    O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
    [2010/04/08 03:07:06 | 000,000,000 | ---D | C] -- C:\b9366766186a5e08fc2c
    [2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c
    [2010/04/07 22:19:22 | 000,007,882 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\bQT88M2c
    [2010/04/06 00:18:30 | 000,012,848 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\GbW53PfLB
    [2010/04/06 00:18:30 | 000,012,848 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\GbW53PfLB
    [2010/04/06 00:16:43 | 000,201,728 | -HS- | M] () -- C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll

    :commands
    [emptytemp]
    [reboot]


  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted; this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes and the computer fails to reboot, let me know.
  • Lastly, post the contents of the log (located at C:\_OTL\Moved Files).


Dr. Jay (DJ)



Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on 13th April 2010, 6:50 am

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
C:\Program Files\PartyGaming\PartyPoker\RunApp.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.
File C:\Program Files\PartyGaming\PartyPoker\RunApp.exe not found.
C:\b9366766186a5e08fc2c\i386 folder moved successfully.
C:\b9366766186a5e08fc2c\amd64 folder moved successfully.
C:\b9366766186a5e08fc2c folder moved successfully.
C:\Documents and Settings\Spen\Local Settings\Application Data\bQT88M2c moved successfully.
C:\Documents and Settings\All Users\Application Data\bQT88M2c moved successfully.
C:\Documents and Settings\Spen\Local Settings\Application Data\GbW53PfLB moved successfully.
C:\Documents and Settings\All Users\Application Data\GbW53PfLB moved successfully.
C:\Documents and Settings\Spen\Local Settings\Application Data\2269221376.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 160065 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 43258504 bytes
->Flash cache emptied: 405 bytes

User: Alex
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 157915 bytes
->Java cache emptied: 11377128 bytes
->Flash cache emptied: 14674 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 4288 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 39 bytes
->Flash cache emptied: 1489 bytes

User: Spen
->Temp folder emptied: 11904 bytes
->Temporary Internet Files folder emptied: 3731832 bytes
->Java cache emptied: 1243 bytes
->FireFox cache emptied: 69254972 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 2739 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1925431 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 112350 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 124.00 mb


OTL by OldTimer - Version 3.2.1.0 log created on 04122010_234740

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on 13th April 2010, 7:16 am

Please download Cheetah-Anti-Rogue and save it to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


Dr. Jay (DJ)



Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on 13th April 2010, 7:43 am

Code:
Cheetah-Anti-Rogue v1.4.1
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 04/13/2010 - Time:  0:43:02 - Arch.: x86
 
 
-- Malware removal tools check --
CCleaner
Trend Micro HijackThis 2.0.2
Malwarebytes' Anti-Malware
 
 
-- Known infection --
 
 
 
Extra message: Detection only.
 
 
EOF


Nothing showing in known infections; is that a good sign?


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on 13th April 2010, 4:08 pm

Let's see this one check..

Please download RootRepeal.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe.
  • Click Settings > Options. Drag the slider to High Level. Then, click the Red X.
  • Go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report.
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).


Dr. Jay (DJ)



Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on 14th April 2010, 4:41 am

Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2010/04/13 21:32
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6A50000   Size: 49152   File Visible: No   Signed: -
Status: -

==EOF==


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on 14th April 2010, 3:21 pm

Didn't display much.


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on 14th April 2010, 5:30 pm

Nope. How is your computer running? Any other popups?


Dr. Jay (DJ)



Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on 15th April 2010, 12:40 am

It's running really smooth after those first few scans and deletions we did, and now I think it's back up to speed.
If those scans aren't finding anything, I'm thinking we did it.
Thanks so much Jay, I think it's safe for me to set up my Windows 7 now.


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on 15th April 2010, 1:30 am

Let's clean up.

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point. To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the drop-down box that appears, select your main drive, e.g. C.
  • Click OK.
  • The system will do some calculation and then display a dialogue box with TABS.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this.
  • Accept the warning and select OK again; the program will close and you are done.


To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC to your desktop.
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Let me know when that is done.


Dr. Jay (DJ)



Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by jogna on 15th April 2010, 5:33 am

All done! Man you really have helped me tremendously.
I don't even know what to say.
Thank You!


Re: Fake Windows Security Virus removed, caused more rootkits and problems.

Post by Dr Jay on 15th April 2010, 1:25 pm

You're welcome.

Happy Safe Surfing!


Dr. Jay (DJ)


