Redirects and several Trojans

Post by Persephone on Mon 12 Jul 2010, 2:45 pm

Hi,
Every time I search for something using Yahoo or Google, my inquiry gets redirected to another site. Also, AVG found and removed multiple Trojans: Cryptic.AKJ, JS/XULCache.A, Generic18.ZLH, Generic18.ACUP, Generic18.ACXW, Generic18.ABDA, Generic18.ABYP

Wondering what I should do now? Thanks for your help.

Here is OTL.txt

OTL logfile created on: 7/11/2010 9:01:37 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Asma\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 488.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 65.69 Gb Total Space | 43.26 Gb Free Space | 65.86% Space Free | Partition Type: NTFS
Drive D: | 7.82 Gb Total Space | 0.56 Gb Free Space | 7.13% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC430180398780
Current User Name: Asma
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/11 20:59:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Asma\Desktop\OTL.exe
PRC - [2010/03/24 12:12:53 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2010/03/24 12:12:49 | 002,046,816 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2010/03/24 12:12:46 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/10/06 09:20:12 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/10/06 09:20:09 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/10/06 09:20:08 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/02/16 00:10:22 | 000,981,384 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/07/25 18:03:42 | 000,100,032 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2005/12/07 13:56:56 | 000,409,600 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
PRC - [2005/10/21 11:48:08 | 000,483,414 | R--- | M] () -- C:\Program Files\HPQ\Shared\HpqToaster.exe
PRC - [2005/10/20 09:15:00 | 000,102,400 | ---- | M] () -- C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
PRC - [2005/10/20 09:15:00 | 000,090,112 | ---- | M] () -- C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe


========== Modules (SafeList) ==========

MOD - [2010/07/11 20:59:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Asma\Desktop\OTL.exe
MOD - [2010/07/06 01:26:58 | 000,212,480 | ---- | M] () -- C:\WINDOWS\system32\expsrv32.dll
MOD - [2008/04/13 19:11:52 | 000,367,616 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dsound.dll
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/03/24 12:12:46 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/10/06 09:20:08 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/09/03 11:53:00 | 000,048,368 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2006/07/25 18:03:42 | 002,119,360 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2006/07/25 18:03:42 | 000,100,032 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2005/10/20 09:15:00 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe -- (USBDeviceService)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/10/06 09:20:11 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/10/06 09:20:11 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/05/01 09:42:18 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/02/16 00:10:26 | 000,353,672 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2008/11/17 02:24:00 | 000,051,688 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Boot | Running] -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2005/12/17 07:17:56 | 001,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel(R)
DRV - [2005/11/30 01:34:56 | 000,050,560 | ---- | M] (Micro Vision Co.,Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Mvc25U870.sys -- (Mvc25U870_VID_1262&PID_25FD)
DRV - [2005/11/22 14:55:00 | 000,506,880 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2005/11/15 23:28:32 | 000,028,928 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/11/11 01:50:38 | 000,191,936 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/10/31 21:08:00 | 000,308,992 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/10/31 20:54:50 | 000,051,584 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/10/12 20:07:12 | 000,874,240 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2005/08/21 19:07:00 | 001,035,008 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/08/21 19:06:16 | 000,201,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/08/21 19:06:10 | 000,718,464 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/08/18 03:22:54 | 000,056,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2005/05/05 13:04:08 | 000,007,936 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2005/05/05 13:04:04 | 000,005,760 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EabUsb.sys -- (eabusb)
DRV - [2001/08/17 15:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2001/08/17 10:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 09 61 50 12 DC D4 D9 41 82 04 E5 0B 1A EA FE F6 [binary data]
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 44
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:7
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js..extensions.enabledItems: {0ad6df8f-dbcf-46fa-afe0-86743b424500}:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/28 09:11:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/11 20:47:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.3.4\Extensions\\Components: C:\Program Files\Netscape\Netscape Browser\Components [2009/04/16 20:52:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.3.4\Extensions\\Plugins: C:\Program Files\Netscape\Netscape Browser\Plugins [2010/07/11 20:47:00 | 000,000,000 | ---D | M]

[2010/07/06 01:11:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Asma\Application Data\Mozilla\Extensions
[2010/07/06 01:11:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Asma\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/07/11 20:30:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions
[2010/07/11 20:56:43 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Documents and Settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{0ad6df8f-dbcf-46fa-afe0-86743b424500}
[2009/04/08 16:08:04 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/09/12 05:25:41 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/07/11 20:30:50 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/11 20:29:39 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/11 20:29:20 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2004/08/04 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {12506109-D4DC-41D9-8204-E50B1AEAFEF6} - C:\WINDOWS\system32\dgsetup32.dll ()
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (40d566e3) - {41B6D98C-F1EC-E901-9D2B-B2F74DC5222F} - C:\WINDOWS\system32\expsrv32.dll ()
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe ()
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows (R) Server 2003 DDK provider)
O4 - HKLM..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe (Hewlett-Packard)
O4 - HKLM..\Run: [RecGuard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\CREATOR\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: RTHDBPL = C:\DOCUME~1\Asma\LOCALS~1\Temp\3.tmp ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: PackageCab [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\expsrv32.dll) - C:\WINDOWS\system32\expsrv32.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\30a636b6967: DllName - C:\WINDOWS\system32\expsrv32.dll - C:\WINDOWS\system32\expsrv32.dll ()
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Asma\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Asma\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/27 23:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 15:01:14 | 000,000,053 | -HS- | M] () - D:\AUTORUN.FCB -- [ FAT32 ]
O32 - AutoRun File - [2006/07/08 15:43:22 | 000,000,090 | ---- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found


SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: vsmon - C:\WINDOWS\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 30 Days ==========

[2010/07/11 20:59:30 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Asma\Desktop\OTL.exe
[2010/07/11 20:46:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/07/11 20:42:41 | 027,386,256 | ---- | C] ( ) -- C:\Documents and Settings\Asma\Desktop\AdbeRdr930_en_US(2).exe
[2010/07/11 20:33:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asma\Desktop\JavaRa
[2010/07/11 20:29:38 | 000,153,376 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/11 20:29:38 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/11 20:29:38 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/11 20:29:38 | 000,073,728 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/11 20:14:54 | 016,066,336 | ---- | C] (Oracle) -- C:\Documents and Settings\Asma\Desktop\jre-6u21-windows-i586.exe
[2010/07/11 19:53:24 | 000,423,656 | ---- | C] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/11 19:49:49 | 000,921,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Asma\Desktop\jxpiinstall.exe
[2010/07/06 01:27:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asma\Application Data\WinRAR
[2010/07/06 01:27:32 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\SysWoW32
[2010/07/06 01:27:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\43274705
[2010/07/06 01:27:09 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Asma\Application Data\SystemProc
[2010/07/06 01:10:21 | 000,000,000 | ---D | C] -- C:\Program Files\LimeWire
[2010/07/05 23:43:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asma\Desktop\Unused Desktop Shortcuts
[2010/07/01 00:24:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asma\Desktop\Ultima VII - Part 2 - Serpent Isle(2)
[2010/07/01 00:23:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asma\Desktop\Ultima VII - Part 1 - The Black Gate
[2010/06/30 23:42:07 | 000,000,000 | ---D | C] -- C:\Program Files\Exult
[2010/06/30 23:41:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asma\WINDOWS
[2010/06/30 16:18:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asma\Application Data\FloodLightGames
[2010/06/30 16:18:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FloodLightGames
[2010/06/28 00:36:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asma\Application Data\Mariaglorum
[2010/06/24 17:03:29 | 000,000,000 | ---D | C] -- C:\Program Files\PuppetShow - Mystery of Joyville
[2010/06/24 02:11:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asma\Application Data\BigFishv1002
[2010/06/23 17:07:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asma\My Documents\BigTimeGames
[2010/06/22 17:07:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2010/06/22 17:01:05 | 000,000,000 | ---D | C] -- C:\Program Files\Midnight Mysteries - Salem Witch Trials
[2010/06/21 00:05:23 | 000,306,688 | ---- | C] (InstallShield Software Corporation) -- C:\WINDOWS\IsUn0804.exe
[2010/06/17 18:07:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asma\My Documents\Lights, Camera, Curses
[2010/06/17 18:01:50 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2010/06/17 18:01:50 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2010/06/17 18:01:49 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2010/06/17 18:01:49 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2010/06/17 18:01:49 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2010/06/17 18:01:48 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2010/06/17 18:01:48 | 000,507,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_1.dll
[2010/06/17 18:01:48 | 000,065,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_0.dll
[2010/06/17 18:01:47 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_1.dll
[2010/06/17 18:01:47 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_4.dll
[2010/06/17 18:01:46 | 003,850,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_38.dll
[2010/06/17 18:01:46 | 001,491,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_38.dll
[2010/06/17 18:01:46 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_38.dll
[2010/06/17 18:01:45 | 000,479,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_0.dll
[2010/06/17 18:01:45 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_0.dll
[2010/06/17 18:01:44 | 003,786,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_37.dll
[2010/06/17 18:01:44 | 001,420,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_37.dll
[2010/06/17 18:01:44 | 000,462,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_37.dll
[2010/06/17 18:01:44 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_3.dll
[2010/06/17 18:01:43 | 000,267,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_10.dll
[2010/06/17 18:01:42 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_36.dll
[2010/06/17 18:01:42 | 001,374,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_36.dll
[2010/06/17 18:01:42 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_36.dll
[2010/06/17 18:01:41 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_35.dll
[2010/06/17 18:01:41 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_35.dll
[2010/06/17 18:01:41 | 000,267,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_9.dll
[2010/06/17 18:01:40 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_35.dll
[2010/06/17 18:01:38 | 000,266,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_8.dll
[2010/06/17 18:01:38 | 000,017,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_2.dll
[2010/06/17 18:01:37 | 001,124,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_34.dll
[2010/06/17 18:01:37 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_34.dll
[2010/06/17 18:01:36 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_34.dll
[2010/06/17 18:01:35 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2010/06/17 18:01:33 | 000,261,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_7.dll
[2010/06/17 18:01:31 | 001,123,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_33.dll
[2010/06/17 18:01:31 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_33.dll
[2010/06/17 18:01:29 | 003,495,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_33.dll
[2010/06/17 18:01:28 | 000,255,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_6.dll
[2010/06/17 18:01:28 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_5.dll
[2010/06/17 18:01:27 | 003,426,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_32.dll
[2010/06/17 18:01:27 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_4.dll
[2010/06/17 18:01:27 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_1.dll
[2010/06/17 18:01:26 | 002,414,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_31.dll
[2010/06/17 18:01:26 | 000,236,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_3.dll
[2010/06/17 18:01:25 | 000,230,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_2.dll
[2010/06/17 18:01:25 | 000,062,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_2.dll
[2010/06/17 18:01:25 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_1.dll
[2010/06/17 18:01:24 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_1.dll
[2010/06/17 18:01:16 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_30.dll
[2010/06/17 18:01:15 | 000,230,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_0.dll
[2010/06/17 18:01:15 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_0.dll
[2010/06/17 18:01:14 | 002,332,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_29.dll
[2010/06/17 18:01:13 | 002,323,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_28.dll
[2010/06/17 18:01:13 | 002,319,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_27.dll
[2010/06/17 18:01:13 | 000,061,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput9_1_0.dll
[2010/06/17 18:01:12 | 002,297,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_26.dll
[2010/06/17 18:01:11 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_25.dll
[2010/06/17 18:01:09 | 002,222,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_24.dll
[2010/06/17 17:45:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2010/06/17 00:25:15 | 000,000,000 | ---D | C] -- C:\Program Files\Strange Cases - The Tarot Card Mystery
[2010/06/13 02:58:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asma\Application Data\SulusGames
[2010/06/13 02:58:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SulusGames
[1472 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Asma\Desktop\*.tmp files -> C:\Documents and Settings\Asma\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\Asma\*.tmp files -> C:\Documents and Settings\Asma\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/11 21:00:05 | 000,000,817 | ---- | M] () -- C:\WINDOWS\System32\816199350
[2010/07/11 20:59:30 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Asma\Desktop\OTL.exe
[2010/07/11 20:53:32 | 000,001,123 | -HS- | M] () -- C:\hpqp.ini
[2010/07/11 20:53:23 | 000,000,039 | ---- | M] () -- C:\XP_TV.ini
[2010/07/11 20:53:16 | 000,004,041 | -HS- | M] () -- C:\Documents and Settings\Asma\Application Data\020000009475cf9c967P.manifest
[2010/07/11 20:53:01 | 000,325,120 | ---- | M] () -- C:\WINDOWS\System32\dgsetup32.dll
[2010/07/11 20:52:40 | 000,000,623 | -HS- | M] () -- C:\WINDOWS\System32\1626760934
[2010/07/11 20:52:14 | 000,350,192 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/07/11 20:52:14 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/11 20:52:08 | 000,000,138 | -HS- | M] () -- C:\Documents and Settings\Asma\Application Data\020000009475cf9c967O.manifest
[2010/07/11 20:52:08 | 000,000,051 | -HS- | M] () -- C:\Documents and Settings\Asma\Application Data\020000009475cf9c967C.manifest
[2010/07/11 20:52:08 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\Asma\Application Data\020000009475cf9c967S.manifest
[2010/07/11 20:52:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/11 20:52:04 | 1063,309,312 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/11 20:50:53 | 003,145,728 | -H-- | M] () -- C:\Documents and Settings\Asma\NTUSER.DAT
[2010/07/11 20:50:53 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Asma\ntuser.ini
[2010/07/11 20:47:01 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/07/11 20:43:53 | 027,386,256 | ---- | M] ( ) -- C:\Documents and Settings\Asma\Desktop\AdbeRdr930_en_US(2).exe
[2010/07/11 20:33:14 | 000,071,798 | ---- | M] () -- C:\Documents and Settings\Asma\Desktop\JavaRa.zip
[2010/07/11 20:29:20 | 000,423,656 | ---- | M] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/11 20:29:20 | 000,153,376 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/11 20:29:20 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/11 20:29:20 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/11 20:29:20 | 000,073,728 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/11 20:26:18 | 000,000,074 | ---- | M] () -- C:\WINDOWS\System32\602631b1
[2010/07/11 20:18:22 | 016,066,336 | ---- | M] (Oracle) -- C:\Documents and Settings\Asma\Desktop\jre-6u21-windows-i586.exe
[2010/07/11 19:49:50 | 000,921,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Asma\Desktop\jxpiinstall.exe
[2010/07/11 19:08:42 | 000,325,120 | ---- | M] () -- C:\WINDOWS\System32\deploytk32.dll
[2010/07/11 07:02:38 | 000,325,120 | ---- | M] () -- C:\WINDOWS\System32\d3dx10_3732.dll
[2010/07/11 03:21:58 | 000,003,096 | ---- | M] () -- C:\WINDOWS\GnuHashes.ini
[2010/07/11 03:13:36 | 000,325,120 | ---- | M] () -- C:\WINDOWS\System32\ddraw32.dll
[2010/07/11 03:08:40 | 000,325,120 | ---- | M] () -- C:\WINDOWS\System32\dciman3232.dll
[2010/07/11 03:00:03 | 000,325,120 | ---- | M] () -- C:\WINDOWS\System32\avtapi32.dll
[2010/07/10 18:50:34 | 061,846,327 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/07/10 12:39:04 | 000,325,120 | ---- | M] () -- C:\WINDOWS\System32\d3dx9_3632.dll
[2010/07/06 02:00:11 | 000,316,928 | ---- | M] () -- C:\WINDOWS\System32\catsrv32.dll
[2010/07/06 01:30:33 | 000,316,928 | ---- | M] () -- C:\WINDOWS\System32\dot3gpclnt32.dll
[2010/07/06 01:27:17 | 000,203,776 | -HS- | M] () -- C:\WINDOWS\System32\unrar.exe
[2010/07/06 01:27:02 | 000,316,928 | ---- | M] () -- C:\WINDOWS\System32\cryptsvc32.dll
[2010/07/06 01:26:58 | 000,212,480 | ---- | M] () -- C:\WINDOWS\System32\expsrv32.dll
[2010/06/30 23:40:56 | 002,078,114 | ---- | M] () -- C:\Documents and Settings\Asma\Desktop\exult-1.2-win32.exe
[2010/06/29 17:04:38 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/06/29 17:04:38 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/21 09:45:58 | 000,007,249 | ---- | M] () -- C:\Documents and Settings\Asma\.recently-used.xbel
[2010/06/17 18:55:47 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Curses.INI
[1472 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Asma\Desktop\*.tmp files -> C:\Documents and Settings\Asma\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\Asma\*.tmp files -> C:\Documents and Settings\Asma\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/11 20:53:01 | 000,325,120 | ---- | C] () -- C:\WINDOWS\System32\dgsetup32.dll
[2010/07/11 20:47:01 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/07/11 20:33:14 | 000,071,798 | ---- | C] () -- C:\Documents and Settings\Asma\Desktop\JavaRa.zip
[2010/07/11 19:08:42 | 000,325,120 | ---- | C] () -- C:\WINDOWS\System32\deploytk32.dll
[2010/07/11 07:02:38 | 000,325,120 | ---- | C] () -- C:\WINDOWS\System32\d3dx10_3732.dll
[2010/07/11 03:13:36 | 000,325,120 | ---- | C] () -- C:\WINDOWS\System32\ddraw32.dll
[2010/07/11 03:08:40 | 000,325,120 | ---- | C] () -- C:\WINDOWS\System32\dciman3232.dll
[2010/07/11 03:00:03 | 000,325,120 | ---- | C] () -- C:\WINDOWS\System32\avtapi32.dll
[2010/07/10 12:39:04 | 000,325,120 | ---- | C] () -- C:\WINDOWS\System32\d3dx9_3632.dll
[2010/07/06 04:44:13 | 000,000,074 | ---- | C] () -- C:\WINDOWS\System32\602631b1
[2010/07/06 02:00:11 | 000,316,928 | ---- | C] () -- C:\WINDOWS\System32\catsrv32.dll
[2010/07/06 01:35:13 | 000,003,096 | ---- | C] () -- C:\WINDOWS\GnuHashes.ini
[2010/07/06 01:30:33 | 000,316,928 | ---- | C] () -- C:\WINDOWS\System32\dot3gpclnt32.dll
[2010/07/06 01:27:51 | 000,000,623 | -HS- | C] () -- C:\WINDOWS\System32\1626760934
[2010/07/06 01:27:50 | 000,000,817 | ---- | C] () -- C:\WINDOWS\System32\816199350
[2010/07/06 01:27:17 | 000,203,776 | -HS- | C] () -- C:\WINDOWS\System32\unrar.exe
[2010/07/06 01:27:02 | 000,316,928 | ---- | C] () -- C:\WINDOWS\System32\cryptsvc32.dll
[2010/07/06 01:27:01 | 000,004,041 | -HS- | C] () -- C:\Documents and Settings\Asma\Application Data\020000009475cf9c967P.manifest
[2010/07/06 01:27:01 | 000,000,138 | -HS- | C] () -- C:\Documents and Settings\Asma\Application Data\020000009475cf9c967O.manifest
[2010/07/06 01:27:01 | 000,000,051 | -HS- | C] () -- C:\Documents and Settings\Asma\Application Data\020000009475cf9c967C.manifest
[2010/07/06 01:27:01 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Asma\Application Data\020000009475cf9c967S.manifest
[2010/07/06 01:26:58 | 000,212,480 | ---- | C] () -- C:\WINDOWS\System32\expsrv32.dll
[2010/07/05 23:45:24 | 002,180,008 | ---- | C] () -- C:\Documents and Settings\Asma\My Documents\rasberryants.pdf
[2010/06/30 23:40:56 | 002,078,114 | ---- | C] () -- C:\Documents and Settings\Asma\Desktop\exult-1.2-win32.exe
[2010/06/29 17:04:38 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2010/06/29 17:04:38 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2010/06/21 09:45:58 | 000,007,249 | ---- | C] () -- C:\Documents and Settings\Asma\.recently-used.xbel
[2010/06/17 18:55:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Curses.INI
[2009/04/13 23:49:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/04/13 13:21:24 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2005/12/28 12:04:20 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2005/12/28 11:49:32 | 000,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/12/28 11:47:25 | 000,000,166 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2005/12/28 11:43:02 | 000,028,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/11/01 14:02:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/05/05 21:06:32 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2004/08/07 08:16:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 08:10:08 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini


******Continued below*******

Persephone

Newbie Surfer

Posts : 34
Joined : 2009-04-03
Operating System : XP


Re: Redirects and several Trojans

Post by Sneakyone on Mon 12 Jul 2010, 2:47 pm

Hi, Welcome to GeekPolice.net!

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.




Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

http://twitter.com/AVerySneakyone

Re: Redirects and several Trojans

Post by Persephone on Mon 12 Jul 2010, 2:56 pm

*****Continued*****

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1472 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[1472 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/07 00:45:26 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/07 00:45:26 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/07 00:45:26 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2004/08/04 03:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2004/08/04 03:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2004/08/04 03:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2004/08/04 03:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2004/08/04 03:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2004/08/04 03:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2004/08/04 03:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2004/08/04 03:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2004/08/04 03:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2004/08/04 03:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004/08/04 03:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004/08/04 03:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004/08/04 03:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004/08/04 03:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004/08/04 03:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2005/11/10 11:37:10 | 000,032,356 | ---- | M] (Phoenix Technologies K.K.) -- C:\WINDOWS\system32\pusbfd1.sys
[2009/02/16 00:10:26 | 000,353,672 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\vsdatant.sys
[2008/04/13 13:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2010/05/02 00:22:50 | 001,851,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[1472 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 19:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 19:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 19:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 19:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 19:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 19:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 19:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008/04/13 19:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 19:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 19:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 19:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 19:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 19:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008/04/13 19:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 19:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll
[2004/08/04 03:00:00 | 000,071,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\_002721_.tmp.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2009/04/08 15:46:16 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/07/11 20:52:04 | 1063,309,312 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/11 20:53:32 | 000,001,123 | -HS- | M] () -- C:\hpqp.ini
[2010/06/29 17:04:38 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/07/11 20:35:53 | 000,008,004 | ---- | M] () -- C:\JavaRa.log
[2010/06/29 17:04:38 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 03:00:00 | 000,047,564 | RHS- | M] () -- C:\ntdetect.com
[2009/04/09 09:27:33 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/07/11 20:52:02 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
[2005/12/28 12:23:07 | 000,020,362 | ---- | M] () -- C:\sunjava.log
[2009/04/08 12:37:09 | 000,000,510 | ---- | M] () -- C:\updatedatfix.log
[2009/04/08 15:49:38 | 000,002,402 | ---- | M] () -- C:\WLANREG.TXT
[2010/07/11 20:53:23 | 000,000,039 | ---- | M] () -- C:\XP_TV.ini

< %PROGRAMFILES%\*. >
[2009/04/08 16:16:38 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2009/04/16 20:51:32 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2009/04/08 14:37:17 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2010/04/05 02:13:30 | 000,000,000 | ---D | M] -- C:\Program Files\bfgclient
[2010/07/11 20:46:01 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2005/12/28 11:20:13 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2009/04/08 14:14:09 | 000,000,000 | ---D | M] -- C:\Program Files\CONEXANT
[2010/06/30 23:53:51 | 000,000,000 | ---D | M] -- C:\Program Files\Exult
[2010/02/18 18:28:08 | 000,000,000 | ---D | M] -- C:\Program Files\GIMP-2.0
[2009/04/08 14:14:10 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2009/04/13 13:23:17 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2009/04/13 13:49:11 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2009/04/08 14:15:34 | 000,000,000 | ---D | M] -- C:\Program Files\HP Rhapsody
[2009/04/08 15:42:32 | 000,000,000 | ---D | M] -- C:\Program Files\HPQ
[2009/04/08 14:15:47 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/06/11 00:02:08 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/03/09 14:57:11 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/07/06 04:34:55 | 000,000,000 | ---D | M] -- C:\Program Files\LimeWire
[2010/03/09 10:59:49 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/09 09:40:31 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/04/13 23:48:58 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2009/07/06 02:21:10 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2009/04/08 14:15:59 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2009/04/08 14:16:16 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Money 2006
[2009/04/13 23:48:15 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2009/04/08 14:16:17 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office Trial Wizard
[2010/06/05 12:39:13 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2009/04/08 14:16:46 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2010/06/22 18:07:54 | 000,000,000 | ---D | M] -- C:\Program Files\Midnight Mysteries - Salem Witch Trials
[2010/03/10 17:03:24 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/06/28 09:12:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2009/04/08 14:16:46 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2009/04/08 14:16:49 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Encarta Plus
[2009/04/08 14:16:49 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/04/08 14:41:23 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/04/08 14:16:49 | 000,000,000 | ---D | M] -- C:\Program Files\music_now
[2009/04/08 14:16:49 | 000,000,000 | ---D | M] -- C:\Program Files\muvee Technologies
[2009/04/09 09:29:55 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2009/04/08 14:17:03 | 000,000,000 | ---D | M] -- C:\Program Files\Netscape
[2009/09/12 05:25:43 | 000,000,000 | ---D | M] -- C:\Program Files\NOS
[2009/04/08 14:18:24 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/05/12 20:09:16 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/06/24 18:07:20 | 000,000,000 | ---D | M] -- C:\Program Files\PuppetShow - Mystery of Joyville
[2010/06/30 23:54:25 | 000,000,000 | ---D | M] -- C:\Program Files\Quicken
[2009/04/08 14:18:48 | 000,000,000 | ---D | M] -- C:\Program Files\Quickensetup
[2009/05/17 00:36:26 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/04/08 14:19:35 | 000,000,000 | ---D | M] -- C:\Program Files\Sonic
[2010/06/17 01:30:19 | 000,000,000 | ---D | M] -- C:\Program Files\Strange Cases - The Tarot Card Mystery
[2009/04/08 15:55:47 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2009/04/08 14:19:37 | 000,000,000 | ---D | M] -- C:\Program Files\Synaptics
[2005/12/28 11:20:13 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2009/04/08 14:19:41 | 000,000,000 | ---D | M] -- C:\Program Files\WildTangent
[2009/04/08 21:35:09 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2009/04/09 09:29:52 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/04/09 09:29:51 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2005/12/28 11:20:13 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2009/04/08 14:22:50 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2009/04/08 14:50:00 | 000,000,000 | ---D | M] -- C:\Program Files\Zone Labs

< %appdata%\*.* >
[2010/07/11 20:52:08 | 000,000,051 | -HS- | M] () -- C:\Documents and Settings\Asma\Application Data\020000009475cf9c967C.manifest
[2010/07/11 20:52:08 | 000,000,138 | -HS- | M] () -- C:\Documents and Settings\Asma\Application Data\020000009475cf9c967O.manifest
[2010/07/11 20:53:16 | 000,004,041 | -HS- | M] () -- C:\Documents and Settings\Asma\Application Data\020000009475cf9c967P.manifest
[2010/07/11 20:52:08 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\Asma\Application Data\020000009475cf9c967S.manifest
[2004/08/07 00:46:48 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Asma\Application Data\desktop.ini
[2009/04/24 22:40:46 | 000,064,568 | ---- | M] () -- C:\Documents and Settings\Asma\Application Data\GDIPFONTCACHEV1.DAT


< MD5 for: AGP440.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/04/08 13:16:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/04/08 13:16:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/04/08 13:16:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/04/08 13:16:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 19:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:disk.sys
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2009/04/08 13:16:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2009/04/08 13:16:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/04 03:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/10/12 20:07:12 | 000,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\SWSETUP\HDD\iastor.sys
[2005/10/12 20:07:12 | 000,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:usbstor.sys
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2009/04/08 13:16:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2009/04/08 13:16:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\dllcache\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\USBSTOR.SYS

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-09 02:59:48

========== Alternate Data Streams ==========

@Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:123A86B5
@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FAB64002
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:16ADBA30
@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9A7BF72D
@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3D6B89CE
@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:147A3409
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F84B8DB5
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:737160C1
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EF5B3572
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D055FC10
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5D351BC6
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:24876EB6
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E29063FF
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5FFC2819
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EEB25EAE
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:55F44B88
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:32A82570
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E51234A9
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:98982C88
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:71612023
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A6CDBCAC
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6FD3C973
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6407DD2D
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ED51D3ED
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D31BE97C
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BF6C81B2
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:393F7B1E
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DE47A3DA
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C76CFF82
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0D3CE40A
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E32966C0
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1ECED34B
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:28CDD861
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FB97DB91
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5E9B629B
< End of report >


Here is Extras.txt


OTL Extras logfile created on: 7/11/2010 9:01:37 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Asma\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 488.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 65.69 Gb Total Space | 43.26 Gb Free Space | 65.86% Space Free | Partition Type: NTFS
Drive D: | 7.82 Gb Total Space | 0.56 Gb Free Space | 7.13% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC430180398780
Current User Name: Asma
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- File not found
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{09D8492A-C8E2-421E-927D-46800FB327A3}" = Wireless Home Network Setup
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24BEBF2E-73F3-4599-840B-EDC612CCDD0D}" = Destinations
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java(TM) 6 Update 21
"{2818095F-FB6C-42C8-827E-0A406CC9AFF5}" = Quicken 2006
"{286F29AF-0BE2-4D5F-AB17-B7631A810553}" = muvee autoProducer 4.5
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{33D6CC28-9F75-4d1b-A11D-98895B3A3729}" = HP Photosmart 330,380,420,470,7800,8000,8200 Series
"{34F3FCF1-817B-4D61-B6AF-19D9486AFEA0}" = Unload
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 B3
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 2.0
"{47D2103B-FD51-4017-9C20-DD408B17D726}" = Office 2003 Trial Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{58C62A8E-E628-4822-A0F2-BBE10329D53F}" = HP User Guides 0009
"{5F26311C-B135-4F7F-B11E-8E650F83651E}" = DeviceFunctionQFolder
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{755EC5E3-FD51-46bd-A57F-7A2D56FBF061}" = PSTAPlugin
"{769A295C-DCF4-41d6-AFBA-7D9394B23AFE}" = PSPrinters08
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{91477C6F-EC7C-4BFC-BBE1-E45908019DED}" = LightScribe 1.4.52.1
"{A01FC76F-CC09-4658-9E37-5C2F635EE708}" = TourSetup
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3455242-DAE0-4523-8242-FD82706ABF4B}" = CameraDrivers
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AEF7A12C-CD9B-4773-8AD1-6916138CA7EA}" = SmartAudio
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{B4D279F1-4309-49cc-A4B5-3A0D2E59C7B5}" = PanoStandAlone
"{BC96BBA7-C634-460E-AD18-A0A994213F80}" = HP User Guides--System Recovery
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CEB326EC-8F40-47B2-BA22-BB092565D66F}" = Quick Launch Buttons 5.20 F2
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{F1670367-C07F-411f-A196-79D2C65CBEC0}" = PS8200
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"074EEF5F-3BE8-4112-B253-C5D6CDE2924C" = Zuma Deluxe from Hewlett-Packard Laptops (remove only)
"0E5266B4-9069-401A-93AE-5FF9F1712016" = Insaniquarium Deluxe from Hewlett-Packard Laptops (remove only)
"103EFD47-9F2C-4490-95DD-AE6C442AFB92" = SCRABBLE from Hewlett-Packard Laptops (remove only)
"1C3FDBBA-EBF7-4CDB-AD8A-A1125734AF86" = Tradewinds from Hewlett-Packard Laptops (remove only)
"320F055A-570F-4335-B026-16A836DB9549" = Final Drive Nitro from Hewlett-Packard Laptops (remove only)
"382C11F0-1A18-4F76-B8E0-15CA7F209C22" = Chuzzle Deluxe from Hewlett-Packard Laptops (remove only)
"384E0BF4-1E1F-45A6-B60E-42144A3F15CD" = Blackhawk Striker 2 from Hewlett-Packard Laptops (remove only)
"4C061F83-EE92-445A-A03F-184B0BD59242" = Jewel Quest from Hewlett-Packard Laptops (remove only)
"5658FB14-16A4-4DAE-946B-1457BE31572E" = Boggle Supreme from Hewlett-Packard Laptops (remove only)
"5758A0E8-A112-4A1D-82EC-EC72F7F16B88" = Lexibox Deluxe from Hewlett-Packard Laptops (remove only)
"5DE4D54F-AA79-43A4-9C8A-C173E7E2B025" = 5 Card Slingo from Hewlett-Packard Laptops (remove only)
"6E377D95-DF37-4E67-B64B-68C314600BCB" = Bejeweled 2 Deluxe from Hewlett-Packard Laptops (remove only)
"6ECB6EE6-92E1-4525-AF3B-3CE51A7C5F89" = FATE from Hewlett-Packard Laptops (remove only)
"7948472C-423F-4134-B68F-48D660A05D71" = Big Kahuna Reef from Hewlett-Packard Laptops (remove only)
"7A940E33-6993-404B-ABA6-ED62E8FBE615" = Bounce Symphony from Hewlett-Packard Laptops (remove only)
"7ED8A70C-9597-40BE-AEA0-0573182F1F51" = Super Granny from Hewlett-Packard Laptops (remove only)
"7F8C5718-1BA9-4AAE-96D2-2B04D05F2D54" = Polar Bowler from Hewlett-Packard Laptops (remove only)
"9F3399B2-9ED6-4339-84A2-686432638B86" = Blasterball 2 from Hewlett-Packard Laptops (remove only)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG8Uninstall" = AVG 8.5
"B0202B33-E73D-4FCD-AC88-0B2971AFC116" = Slyder from Hewlett-Packard Laptops (remove only)
"B0769D17-E72A-4E87-A83F-1F7A3F080008" = Bookworm Deluxe from Hewlett-Packard Laptops (remove only)
"BFGC" = Big Fish Games: Game Manager
"C264D692-8E15-4141-96A2-5621332E5DD0" = Slingo Deluxe from Hewlett-Packard Laptops (remove only)
"CNXT_HDAUDIO" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_qta30a0k" = HDAUDIO Soft Data Fax Modem with SmartCP
"D2E44AA4-8665-4490-A6C9-2D0744B47B27" = Polar Golfer from Hewlett-Packard Laptops (remove only)
"DED8E2B5-BA9F-448F-84E8-0AEF79876F95" = Snowboard SuperJam
"E332F38A-75F6-4EF2-88CC-246E8A1CB5D7" = Oasis from Hewlett-Packard Laptops (remove only)
"E76A7EFF-7758-49EE-B3FA-9699830A2D6B" = Mah Jong Quest from Hewlett-Packard Laptops (remove only)
"E90E3AE9-73E4-4E5C-BB0F-673989A808D0" = Lemonade Tycoon 2 from Hewlett-Packard Laptops (remove only)
"E94C7046-2F7D-4D4D-B76F-C412DCCEAAC2" = Crystal Maze from Hewlett-Packard Laptops (remove only)
"EF860173-4FB7-4DE1-8BE8-5400F05A0DC5" = Puzzle Express from Hewlett-Packard Laptops (remove only)
"Exult" = Exult Version 1.2
"F2566CC2-D4C4-44ED-A838-3F8288D8D3FE" = Flip Words from Hewlett-Packard Laptops (remove only)
"HijackThis" = HijackThis 2.0.2
"HP Game Console" = HP Game Console and games
"HP Imaging Device Functions" = HP Imaging Device Functions 6.0
"HP Rhapsody" = HP Rhapsody
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"ie8" = Windows Internet Explorer 8
"InstallShield_{23012310-3E05-46A5-88A9-C6CBCABCAC79}" = Customer Experience Enhancement
"InstallShield_{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Money2006b" = Microsoft Money 2006
"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Netscape Browser" = Netscape Browser (remove only)
"PROSet" = Intel(R) PRO Network Connections Drivers
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.6
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoneAlarm" = ZoneAlarm

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/8/2010 9:23:17 PM | Computer Name = PC430180398780 | Source = Application Hang | ID = 1002
Description = Hanging application Exult.exe, version 1.2.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/8/2010 9:23:36 PM | Computer Name = PC430180398780 | Source = Application Hang | ID = 1002
Description = Hanging application Exult.exe, version 1.2.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/9/2010 2:42:32 PM | Computer Name = PC430180398780 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00010fa6.

Error - 7/9/2010 2:43:01 PM | Computer Name = PC430180398780 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 7/9/2010 6:33:10 PM | Computer Name = PC430180398780 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module expsrv32.dll, version 0.0.0.0, fault address 0x00001dfe.

Error - 7/11/2010 3:59:11 AM | Computer Name = PC430180398780 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module expsrv32.dll, version 0.0.0.0, fault address 0x00001dfe.

Error - 7/11/2010 4:03:30 AM | Computer Name = PC430180398780 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 7/11/2010 4:07:58 AM | Computer Name = PC430180398780 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module expsrv32.dll, version 0.0.0.0, fault address 0x0001073c.

Error - 7/11/2010 4:09:36 AM | Computer Name = PC430180398780 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 7/11/2010 9:35:17 PM | Computer Name = PC430180398780 | Source = Application Error | ID = 1000
Description = Faulting application javara.exe, version 1.15.0.1745, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

[ System Events ]
Error - 7/11/2010 9:40:26 PM | Computer Name = PC430180398780 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/11/2010 9:40:26 PM | Computer Name = PC430180398780 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/11/2010 9:40:26 PM | Computer Name = PC430180398780 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/11/2010 9:40:27 PM | Computer Name = PC430180398780 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/11/2010 9:40:27 PM | Computer Name = PC430180398780 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/11/2010 9:40:27 PM | Computer Name = PC430180398780 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/11/2010 9:40:27 PM | Computer Name = PC430180398780 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/11/2010 9:40:27 PM | Computer Name = PC430180398780 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/11/2010 9:40:27 PM | Computer Name = PC430180398780 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/11/2010 9:40:27 PM | Computer Name = PC430180398780 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126


< End of report >

Persephone

Newbie Surfer

Posts : 34
Joined : 2009-04-03
Operating System : XP


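The "< MD5 for: ... >" blocks near the top of the OTL log above are a file-integrity check: OTL hashes every copy of a sensitive system file it can find (the live copy under system32 or system32\drivers, the dllcache and ServicePackFiles\i386 backups, and the pre-service-pack copy under $NtServicePackUninstall$) so a reader can spot a live copy whose hash matches none of the cached originals, which is how file-patching rootkits of this era were caught. Reading those blocks by eye across a long log is error-prone, so here is an added example that automates the comparison. This is not code from the original post or from OTL; it is a stand-alone triage script. The NETLOGON.DLL and USBSTOR.SYS input blocks are copied from the log above; the EXAMPLE.DLL block and its two hashes are constructed (no such file appears in the log) purely so the mismatch branch has something to report. The path classification rules are an assumption about XP's layout and nothing more.

```python
"""Parse OTL '< MD5 for: X >' blocks and flag live system files whose hash
matches none of the cached original copies.

Rule applied: a live copy (system32\ or system32\drivers\) is "ok" only if
its MD5 equals some reference copy (ServicePackFiles\i386\ or
system32\dllcache\). The $NtServicePackUninstall$ copy is the pre-SP
version and legitimately differs, so it is never used as a reference.
"""
import re

# Constructed sample input. The first two blocks are copied from the OTL log
# posted above; the EXAMPLE.DLL block is synthetic (made-up hashes, no such
# file in the log) so the mismatch path is exercised.
SAMPLE_LOG = r"""
< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: USBSTOR.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\dllcache\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\USBSTOR.SYS

< MD5 for: EXAMPLE.DLL >
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000001 -- C:\WINDOWS\ServicePackFiles\i386\example.dll
[2010/07/06 06:27:00 | 000,181,248 | ---- | M] () MD5=00000000000000000000000000000002 -- C:\WINDOWS\system32\example.dll
"""

HEADER = re.compile(r"^< MD5 for: (\S+) >$")
# Lines for .cab members carry no MD5= field and are skipped by this pattern.
ENTRY = re.compile(r"MD5=([0-9A-Fa-f]{32}) -- (.+?)\s*$")


def classify(path):
    """Bucket a path as reference / old / live / other (assumed XP layout)."""
    p = path.lower()
    if "\\servicepackfiles\\i386\\" in p or "\\system32\\dllcache\\" in p:
        return "reference"
    if "$ntservicepackuninstall$" in p:
        return "old"
    if "\\system32\\" in p:          # covers system32\ and system32\drivers\
        return "live"
    return "other"


def parse_md5_blocks(text):
    """Return {FILENAME: [(md5, path), ...]} for every MD5 block in the log."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.group(1).upper()
            blocks.setdefault(current, [])
            continue
        m = ENTRY.search(line)
        if m and current is not None:
            blocks[current].append((m.group(1).upper(), m.group(2)))
    return blocks


def check_live_copies(blocks):
    """For each file, decide whether every live copy matches a reference copy."""
    report = {}
    for name, entries in blocks.items():
        refs = {md5 for md5, path in entries if classify(path) == "reference"}
        live = [(md5, path) for md5, path in entries if classify(path) == "live"]
        if not live:
            status = "no-live-copy"
        elif not refs:
            status = "no-reference"      # cannot judge; compare against vendor hashes
        elif all(md5 in refs for md5, _ in live):
            status = "ok"
        else:
            status = "suspect"           # live copy matches no cached original
        report[name] = {"status": status, "live": live, "references": sorted(refs)}
    return report


if __name__ == "__main__":
    for name, info in check_live_copies(parse_md5_blocks(SAMPLE_LOG)).items():
        print(f"{name:14} {info['status']}")
        if info["status"] == "suspect":
            for md5, path in info["live"]:
                print(f"    live {md5} {path}")
```

A match between the live copy and a local backup copy only shows the two are consistent; an attacker who can write system32 can often write dllcache too, so a "suspect" result is a lead, not a verdict, and an "ok" result should still be confirmed against hashes from a clean install or vendor-published values before the file is trusted. The empty "()" company field on the synthetic line is the second signal a triager would look at, since the genuine Microsoft copies in the log all carry version information.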

Re: Redirects and several Trojans

Post by Persephone on Mon 12 Jul 2010, 3:48 pm

Here is the ComboFix log:

ComboFix 10-07-11.03 - Asma 07/11/2010 23:28:42.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.194 [GMT -5:00]
Running from: c:\documents and settings\Asma\Desktop\Commy.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Asma\LOCALS~1\Temp\1.wmv
c:\documents and settings\Asma\Application Data\020000009475cf9c967C.manifest
c:\documents and settings\Asma\Application Data\020000009475cf9c967O.manifest
c:\documents and settings\Asma\Application Data\020000009475cf9c967P.manifest
c:\documents and settings\Asma\Application Data\020000009475cf9c967S.manifest
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{0ad6df8f-dbcf-46fa-afe0-86743b424500}
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{0ad6df8f-dbcf-46fa-afe0-86743b424500}\chrome.manifest
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{0ad6df8f-dbcf-46fa-afe0-86743b424500}\chrome\xulcache.jar
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{0ad6df8f-dbcf-46fa-afe0-86743b424500}\defaults\preferences\xulcache.js
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{0ad6df8f-dbcf-46fa-afe0-86743b424500}\install.rdf
c:\documents and settings\Asma\Application Data\SystemProc
c:\documents and settings\Asma\Application Data\SystemProc\lsass.exe
c:\windows\GnuHashes.ini
c:\windows\SET11C8.tmp
c:\windows\SET27D6.tmp
c:\windows\SET3EC3.tmp
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000061_.tmp.dll
c:\windows\system32\_000075_.tmp.dll
c:\windows\system32\_000078_.tmp.dll
c:\windows\system32\_000088_.tmp.dll
c:\windows\system32\_000093_.tmp.dll
c:\windows\system32\_000094_.tmp.dll
c:\windows\system32\_000099_.tmp.dll
c:\windows\system32\_000101_.tmp.dll
c:\windows\system32\_000106_.tmp.dll
c:\windows\system32\_000108_.tmp.dll
c:\windows\system32\_000109_.tmp.dll
c:\windows\system32\_000111_.tmp.dll
c:\windows\system32\_000112_.tmp.dll
c:\windows\system32\_002748_.tmp.dll
c:\windows\system32\_002749_.tmp.dll
c:\windows\system32\_002750_.tmp.dll
c:\windows\system32\_002751_.tmp.dll
c:\windows\system32\_002758_.tmp.dll
c:\windows\system32\_002760_.tmp.dll
c:\windows\system32\_002761_.tmp.dll
c:\windows\system32\_002763_.tmp.dll
c:\windows\system32\_002764_.tmp.dll
c:\windows\system32\_002767_.tmp.dll
c:\windows\system32\_002768_.tmp.dll
c:\windows\system32\_002770_.tmp.dll
c:\windows\system32\_002771_.tmp.dll
c:\windows\system32\_002772_.tmp.dll
c:\windows\system32\_002774_.tmp.dll
c:\windows\system32\_002777_.tmp.dll
c:\windows\system32\_002778_.tmp.dll
c:\windows\system32\_002782_.tmp.dll
c:\windows\system32\_002783_.tmp.dll
c:\windows\system32\_002785_.tmp.dll
c:\windows\system32\_002788_.tmp.dll
c:\windows\system32\_002790_.tmp.dll
c:\windows\system32\_002792_.tmp.dll
c:\windows\system32\_002793_.tmp.dll
c:\windows\system32\_002794_.tmp.dll
c:\windows\system32\_002797_.tmp.dll
c:\windows\system32\_002798_.tmp.dll
c:\windows\system32\_002799_.tmp.dll
c:\windows\system32\_002800_.tmp.dll
c:\windows\system32\_002801_.tmp.dll
c:\windows\system32\_002806_.tmp.dll
c:\windows\system32\_002808_.tmp.dll
c:\windows\system32\_002809_.tmp.dll
c:\windows\system32\_005238_.tmp.dll
c:\windows\system32\_005246_.tmp.dll
c:\windows\system32\_005252_.tmp.dll
c:\windows\system32\_005256_.tmp.dll
c:\windows\system32\_005262_.tmp.dll
c:\windows\system32\_005266_.tmp.dll
c:\windows\system32\_005273_.tmp.dll
c:\windows\system32\_005284_.tmp.dll
c:\windows\system32\_005285_.tmp.dll
c:\windows\system32\_005295_.tmp.dll
c:\windows\system32\_005298_.tmp.dll
c:\windows\system32\_005308_.tmp.dll
c:\windows\system32\43274705
c:\windows\system32\DCIMAN3232.DLL
c:\windows\system32\ddraw32.dll
c:\windows\system32\DGSETUP32.DLL
c:\windows\system32\SysWoW32
c:\windows\system32\SysWoW32\@u1794927852v0
c:\windows\system32\SysWoW32\_u1794927852v0
c:\windows\system32\SysWoW32\_u1794927852v2
c:\windows\system32\SysWoW32\mu1794927852v4
c:\windows\system32\SysWoW32\mu1794927852v4.kwd
c:\windows\system32\SysWoW32\mu1794927852v5
c:\windows\system32\SysWoW32\mu1794927852v5.kwd
c:\windows\system32\SysWoW32\mu1794927852v6
c:\windows\system32\SysWoW32\mu1794927852v6.kwd
c:\windows\system32\SysWoW32\mu1794927852v7
c:\windows\system32\SysWoW32\mu1794927852v7.kwd
c:\windows\system32\SysWoW32\wu1794927852v0
c:\windows\system32\SysWoW32\wu1794927852v0.kwd
c:\windows\system32\SysWoW32\wu1794927852v1
c:\windows\system32\SysWoW32\wu1794927852v1.kwd
c:\windows\system32\SysWoW32\wu1794927852v2
c:\windows\system32\SysWoW32\wu1794927852v2.kwd
c:\windows\system32\SysWoW32\wu1794927852v3
c:\windows\system32\SysWoW32\wu1794927852v3.kwd
c:\windows\system32\unrar.exe
c:\windows\xpsp1hfm.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
.

2010-07-12 04:37 . 2010-07-12 04:37 203776 --sh--w- c:\windows\system32\unrar.exe
2010-07-12 04:37 . 2010-07-12 04:37 -------- d-sh--w- c:\documents and settings\Asma\Application Data\SystemProc
2010-07-12 01:46 . 2010-07-12 01:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-12 00:53 . 2010-07-12 01:29 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 00:08 . 2010-07-12 00:08 325120 ----a-w- c:\windows\system32\deploytk32.dll
2010-07-11 12:02 . 2010-07-11 12:02 325120 ----a-w- c:\windows\system32\d3dx10_3732.dll
2010-07-11 08:00 . 2010-07-11 08:00 325120 ----a-w- c:\windows\system32\avtapi32.dll
2010-07-10 17:39 . 2010-07-10 17:39 325120 ----a-w- c:\windows\system32\d3dx9_3632.dll
2010-07-06 07:00 . 2010-07-06 07:00 316928 ----a-w- c:\windows\system32\catsrv32.dll
2010-07-06 06:30 . 2010-07-06 06:30 316928 ----a-w- c:\windows\system32\dot3gpclnt32.dll
2010-07-06 06:27 . 2010-07-06 06:27 316928 ----a-w- c:\windows\system32\cryptsvc32.dll
2010-07-06 06:26 . 2010-07-06 06:26 212480 ----a-w- c:\windows\system32\expsrv32.dll
2010-07-06 06:10 . 2010-07-06 09:34 -------- d-----w- c:\program files\LimeWire
2010-07-01 04:42 . 2010-07-01 04:53 -------- d-----w- c:\program files\Exult
2010-07-01 04:41 . 2010-07-01 04:41 -------- d-----w- c:\documents and settings\Asma\WINDOWS
2010-06-30 21:18 . 2010-06-30 21:18 -------- d-----w- c:\documents and settings\Asma\Application Data\FloodLightGames
2010-06-30 21:18 . 2010-06-30 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\FloodLightGames
2010-06-28 05:36 . 2010-06-28 05:36 -------- d-----w- c:\documents and settings\Asma\Application Data\Mariaglorum
2010-06-24 22:03 . 2010-06-24 23:07 -------- d-----w- c:\program files\PuppetShow - Mystery of Joyville
2010-06-24 07:11 . 2010-06-24 07:11 -------- d-----w- c:\documents and settings\Asma\Application Data\BigFishv1002
2010-06-22 22:07 . 2010-06-22 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2010-06-22 22:01 . 2010-06-22 23:07 -------- d-----w- c:\program files\Midnight Mysteries - Salem Witch Trials
2010-06-21 05:05 . 1998-11-13 15:55 306688 ----a-w- c:\windows\IsUn0804.exe
2010-06-17 22:45 . 2010-06-17 22:45 -------- d-----w- c:\windows\Logs
2010-06-17 05:25 . 2010-06-17 06:30 -------- d-----w- c:\program files\Strange Cases - The Tarot Card Mystery
2010-06-13 07:58 . 2010-06-29 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2010-06-13 07:58 . 2010-06-17 05:28 -------- d-----w- c:\documents and settings\Asma\Application Data\SulusGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-12 04:37 . 2010-07-12 04:37 325120 ----a-w- c:\windows\system32\dpvoice32.dll
2010-07-12 04:37 . 2010-07-12 04:37 143360 --sha-w- c:\documents and settings\Asma\Application Data\SystemProc\lsass.exe
2010-07-12 04:37 . 2010-07-12 04:37 1107456 --sha-w- c:\windows\system32\3.tmp
2010-07-12 01:30 . 2005-12-28 17:22 -------- d-----w- c:\program files\Common Files\Java
2010-07-12 00:53 . 2010-07-12 00:53 503808 ----a-w- c:\documents and settings\Asma\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6852db7f-n\msvcp71.dll
2010-07-12 00:53 . 2010-07-12 00:53 499712 ----a-w- c:\documents and settings\Asma\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6852db7f-n\jmc.dll
2010-07-12 00:53 . 2010-07-12 00:53 348160 ----a-w- c:\documents and settings\Asma\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6852db7f-n\msvcr71.dll
2010-07-12 00:53 . 2010-07-12 00:53 61440 ----a-w- c:\documents and settings\Asma\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2f333cf5-n\decora-sse.dll
2010-07-12 00:53 . 2010-07-12 00:53 12800 ----a-w- c:\documents and settings\Asma\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2f333cf5-n\decora-d3d.dll
2010-07-12 00:08 . 2009-04-08 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-07-06 06:47 . 2010-07-06 06:47 0 ---ha-w- c:\documents and settings\Asma\jubjnqbciw.tmp
2010-07-06 06:27 . 2010-07-06 06:27 1103872 --sha-w- c:\windows\system32\6C5.tmp
2010-07-01 04:54 . 2005-12-28 16:47 -------- d-----w- c:\program files\Quicken
2010-06-30 22:58 . 2010-04-05 07:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-30 07:57 . 2010-05-21 04:38 -------- d-----w- c:\documents and settings\Asma\Application Data\Flood Light Games
2010-06-30 07:57 . 2010-05-21 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Flood Light Games
2010-06-28 22:21 . 2010-04-07 23:45 -------- d-----w- c:\documents and settings\Asma\Application Data\Big Fish Games
2010-06-24 22:06 . 2010-04-05 22:35 -------- d-----w- c:\documents and settings\Asma\Application Data\ERS G-Studio
2010-06-21 14:45 . 2009-04-21 19:28 -------- d-----w- c:\documents and settings\Asma\Application Data\gtk-2.0
2010-06-19 15:37 . 2009-04-14 20:49 40351839 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-06-05 17:39 . 2009-07-04 14:18 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-19 07:28 . 2010-05-18 23:02 -------- d-----w- c:\documents and settings\Asma\Application Data\PlayFirst
2010-05-19 07:28 . 2010-05-18 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2010-05-09 23:14 . 2009-04-08 20:47 60256 ----a-w- c:\documents and settings\Asma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-06 10:41 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2009-04-08 19:16 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 08:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12506109-D4DC-41D9-8204-E50B1AEAFEF6}]
2010-07-12 04:37 325120 ----a-w- c:\windows\system32\dpvoice32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41B6D98C-F1EC-E901-9D2B-B2F74DC5222F}]
2010-07-06 06:26 212480 ----a-w- c:\windows\system32\expsrv32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:03 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-11-22 61952]
"DetectorApp"="c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe" [2005-10-20 102400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 761945]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-05-18 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2005-10-28 679936]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-24 2046816]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"="c:\documents and settings\Asma\Application Data\SystemProc\lsass.exe" [2010-07-12 143360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\30a636b6967]
2010-07-06 06:26 212480 ----a-w- c:\windows\system32\expsrv32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-06 14:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\explorer.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/8/2009 2:37 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/8/2009 2:37 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/8/2009 2:37 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/8/2009 2:37 PM 297752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
DPF: PackageCab - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\documents and settings\Asma\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Asma\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\documents and settings\Asma\My Documents\Downloads\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-11 23:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????"?n??|?????? ???B?????????????hLC? ??????
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Asma\Application Data\SystemProc\lsass.exe????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\system32\dpvoice32.dll 325120 bytes executable
c:\windows\system32\unrar.exe 203776 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\expsrv32.dll

- - - - - - - > 'explorer.exe'(2516)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\expsrv32.dll
c:\windows\system32\3.tmp
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\HPQ\SHARED\HPQTOA~1.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2010-07-11 23:42:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-12 04:42

Pre-Run: 46,301,782,016 bytes free
Post-Run: 47,322,406,912 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - AE52B10EF17270518EEBF273D0EC0743

Persephone

Newbie Surfer

Posts : 34
Joined : 2009-04-03
Operating System : XP

Re: Redirects and several Trojans

Post by Sneakyone on Mon 12 Jul 2010, 7:24 pm

Hi,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Killall::

    File::
    c:\windows\system32\unrar.exe
    c:\windows\system32\expsrv32.dll
    c:\windows\system32\cryptsvc32.dll
    c:\windows\system32\dot3gpclnt32.dll
    c:\windows\system32\catsrv32.dll
    c:\windows\system32\d3dx9_3632.dll
    c:\windows\system32\avtapi32.dll
    c:\windows\system32\d3dx10_3732.dll
    c:\windows\system32\deploytk32.dll
    c:\windows\system32\dpvoice32.dll
    c:\documents and settings\Asma\Application Data\SystemProc\lsass.exe
    c:\windows\system32\3.tmp
    c:\documents and settings\Asma\jubjnqbciw.tmp
    c:\windows\system32\6C5.tmp

    Folder::
    c:\documents and settings\Asma\Application Data\SystemProc

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "RTHDBPL"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\30a636b6967]

    Dirlook::
    c:\documents and settings\Asma\WINDOWS

    Reboot::

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit

http://twitter.com/AVerySneakyone
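Going from a log like the one in the first post to the File::/Registry:: lines of the CFScript is the manual step in the procedure above. The following Python script is an added example for this thread (it is not ComboFix code and not the helper's script): it parses the "Reg Loading Points" and Find3M line formats shown in the log, applies the checks the helper evidently used (an entry under Policies\Explorer\Run, a Winlogon Notify subkey with a random-looking name, a system-process name such as lsass.exe living outside %SystemRoot%, a BHO whose DLL was modified right around the scan date, and hidden+system .tmp files in system32), and drafts the matching CFScript sections. The 30-day window, the hex-name test for Notify subkeys and the list of system-process names are assumptions of this example, and the sample log is constructed from the shapes of the lines above.

```python
"""Triage ComboFix 'Reg Loading Points' / Find3M lines and draft a CFScript.
Added example for this thread; not part of ComboFix or of the helper's script."""
import re
from datetime import date, timedelta
from typing import List, NamedTuple, Optional

SCAN_DATE = date(2010, 7, 12)   # date of the log above
RECENT_DAYS = 30                # assumed window for "dropped recently"
# Assumed list of core Windows process names that never legitimately run from
# outside %SystemRoot%.
SYSTEM_BINARY_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe",
                       "services.exe", "smss.exe", "explorer.exe"}

class Finding(NamedTuple):
    key: Optional[str]    # registry key the entry lives under, if any
    name: Optional[str]   # value name under that key, if any
    path: Optional[str]   # file on disk, if any
    reason: str

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[\d{4}-\d{2}-\d{2} \d+\]$')
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \d+ \S{8} (.+)$")
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \S+ \S+ \S+ (\S{8}) (.+)$")
HEXNAME_RE = re.compile(r"^[0-9a-f]{8,}$")   # assumption: random Notify names look like hex

def triage(log: str) -> List[Finding]:
    """Walk the log line by line and collect suspicious autostart entries and files."""
    findings: List[Finding] = []
    key = key_reason = None      # current [key] and why it is suspicious, if it is
    in_bho = False
    for line in (raw.strip() for raw in log.splitlines()):
        if m := KEY_RE.match(line):
            key, key_reason, k = m.group(1), None, m.group(1).lower()
            in_bho = "browser helper objects" in k
            if "\\winlogon\\notify\\" in k and HEXNAME_RE.match(k.rsplit("\\", 1)[-1]):
                key_reason = "Winlogon Notify package with random hex-like name"
                findings.append(Finding(key, None, None, key_reason))   # remove whole key
            elif k.endswith("\\policies\\explorer\\run"):
                key_reason = "Policies\\Explorer\\Run is rarely used by legitimate software"
        elif (m := VALUE_RE.match(line)) and key:
            name, path = m.groups()
            if key_reason:
                findings.append(Finding(key, name, path, key_reason))
            elif path.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARY_NAMES \
                    and not path.lower().startswith("c:\\windows\\"):
                findings.append(Finding(key, name, path, "system process name outside %SystemRoot%"))
        elif (m := FILE_RE.match(line)) and key:
            modified, path = m.groups()
            if key_reason:
                findings.append(Finding(key, None, path, key_reason))
            elif in_bho and SCAN_DATE - date.fromisoformat(modified) <= timedelta(days=RECENT_DAYS):
                findings.append(Finding(key, None, path, f"BHO DLL modified within {RECENT_DAYS} days of scan"))
        elif m := FIND3M_RE.match(line):
            attrs, path = m.groups()   # attrs look like "--sha-w-": s = system, h = hidden
            if "s" in attrs and "h" in attrs and path.lower().endswith(".tmp") \
                    and "\\system32\\" in path.lower():
                findings.append(Finding(None, None, path, "hidden+system .tmp in system32"))
    return findings

def draft_cfscript(findings: List[Finding]) -> str:
    """Render the flagged items in the CFScript directive format used in the thread."""
    files = list(dict.fromkeys(f.path for f in findings if f.path))
    reg: List[str] = []
    for f in findings:
        if f.key and f.name:             # delete a single value: [key] then "name"=-
            reg += [f"[{f.key}]", f'"{f.name}"=-']
        elif f.key and f.path is None:   # delete the whole key: [-key]
            reg.append(f"[-{f.key}]")
    lines = ["Killall::", ""]
    if files:
        lines += ["File::", *files, ""]
    if reg:
        lines += ["Registry::", *reg, ""]
    lines.append("Reboot::")
    return "\n".join(lines)

# Constructed sample: lines copied from the shapes in the log above, plus two
# legitimate AVG entries and one patched system DLL so the negatives are exercised.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12506109-D4DC-41D9-8204-E50B1AEAFEF6}]
2010-07-12 04:37 325120 ----a-w- c:\windows\system32\dpvoice32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:03 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"="c:\documents and settings\Asma\Application Data\SystemProc\lsass.exe" [2010-07-12 143360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\30a636b6967]
2010-07-06 06:26 212480 ----a-w- c:\windows\system32\expsrv32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-06 14:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-12 04:37 . 2010-07-12 04:37 1107456 --sha-w- c:\windows\system32\3.tmp
2010-07-06 06:27 . 2010-07-06 06:27 1103872 --sha-w- c:\windows\system32\6C5.tmp
2010-05-06 10:41 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
"""
```

Call `draft_cfscript(triage(SAMPLE_LOG))` to see the drafted script; on the sample it lists the five dropped files, removes the RTHDBPL value and deletes the random-named Notify key, and leaves the AVG toolbar, the AVG Notify package and the patched wininet.dll alone. The helper's script above also carried Folder:: and Dirlook:: lines that came from reading the log by hand, so treat the draft as a starting point to review, not as something to run unread.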

Re: Redirects and several Trojans

Post by Persephone on Tue 13 Jul 2010, 12:26 pm

Here is the log:

ComboFix 10-07-11.03 - Asma 07/12/2010 20:09:52.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.437 [GMT -5:00]
Running from: c:\documents and settings\Asma\Desktop\Commy.exe
Command switches used :: c:\documents and settings\Asma\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\documents and settings\Asma\Application Data\SystemProc\lsass.exe"
"c:\documents and settings\Asma\jubjnqbciw.tmp"
"c:\windows\system32\3.tmp"
"c:\windows\system32\6C5.tmp"
"c:\windows\system32\avtapi32.dll"
"c:\windows\system32\catsrv32.dll"
"c:\windows\system32\cryptsvc32.dll"
"c:\windows\system32\d3dx10_3732.dll"
"c:\windows\system32\d3dx9_3632.dll"
"c:\windows\system32\deploytk32.dll"
"c:\windows\system32\dot3gpclnt32.dll"
"c:\windows\system32\dpvoice32.dll"
"c:\windows\system32\expsrv32.dll"
"c:\windows\system32\unrar.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Asma\Application Data\020000009475cf9c967C.manifest
c:\documents and settings\Asma\Application Data\020000009475cf9c967O.manifest
c:\documents and settings\Asma\Application Data\020000009475cf9c967P.manifest
c:\documents and settings\Asma\Application Data\020000009475cf9c967S.manifest
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{922b7e70-d616-459a-b176-e40c630423b2}
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{922b7e70-d616-459a-b176-e40c630423b2}\chrome.manifest
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{922b7e70-d616-459a-b176-e40c630423b2}\chrome\xulcache.jar
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{922b7e70-d616-459a-b176-e40c630423b2}\defaults\preferences\xulcache.js
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{922b7e70-d616-459a-b176-e40c630423b2}\install.rdf
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{f4c783c5-3e17-455c-8dfc-ef6d01c2269f}
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{f4c783c5-3e17-455c-8dfc-ef6d01c2269f}\chrome.manifest
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{f4c783c5-3e17-455c-8dfc-ef6d01c2269f}\chrome\xulcache.jar
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{f4c783c5-3e17-455c-8dfc-ef6d01c2269f}\defaults\preferences\xulcache.js
c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{f4c783c5-3e17-455c-8dfc-ef6d01c2269f}\install.rdf
c:\documents and settings\Asma\Application Data\SystemProc
c:\documents and settings\Asma\Application Data\SystemProc\lsass.exe
c:\documents and settings\Asma\jubjnqbciw.tmp
c:\windows\system32\3.tmp
c:\windows\system32\43274705
c:\windows\system32\6C5.tmp
c:\windows\system32\avtapi32.dll
c:\windows\system32\catsrv32.dll
c:\windows\system32\cryptsvc32.dll
c:\windows\system32\d3dx10_3732.dll
c:\windows\system32\d3dx9_3632.dll
c:\windows\system32\deploytk32.dll
c:\windows\system32\dot3gpclnt32.dll
c:\windows\system32\DPVOICE32.DLL
c:\windows\system32\expsrv32.dll
c:\windows\system32\unrar.exe

Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\kernel32.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))
.

2010-07-12 01:46 . 2010-07-12 01:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-12 00:53 . 2010-07-12 01:29 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-06 06:10 . 2010-07-06 09:34 -------- d-----w- c:\program files\LimeWire
2010-07-01 04:42 . 2010-07-01 04:53 -------- d-----w- c:\program files\Exult
2010-07-01 04:41 . 2010-07-01 04:41 -------- d-----w- c:\documents and settings\Asma\WINDOWS
2010-06-30 21:18 . 2010-06-30 21:18 -------- d-----w- c:\documents and settings\Asma\Application Data\FloodLightGames
2010-06-30 21:18 . 2010-06-30 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\FloodLightGames
2010-06-28 05:36 . 2010-06-28 05:36 -------- d-----w- c:\documents and settings\Asma\Application Data\Mariaglorum
2010-06-24 22:03 . 2010-06-24 23:07 -------- d-----w- c:\program files\PuppetShow - Mystery of Joyville
2010-06-24 07:11 . 2010-06-24 07:11 -------- d-----w- c:\documents and settings\Asma\Application Data\BigFishv1002
2010-06-22 22:07 . 2010-06-22 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2010-06-22 22:01 . 2010-06-22 23:07 -------- d-----w- c:\program files\Midnight Mysteries - Salem Witch Trials
2010-06-21 05:05 . 1998-11-13 15:55 306688 ----a-w- c:\windows\IsUn0804.exe
2010-06-17 22:45 . 2010-06-17 22:45 -------- d-----w- c:\windows\Logs
2010-06-17 05:25 . 2010-06-17 06:30 -------- d-----w- c:\program files\Strange Cases - The Tarot Card Mystery
2010-06-13 07:58 . 2010-06-29 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2010-06-13 07:58 . 2010-06-17 05:28 -------- d-----w- c:\documents and settings\Asma\Application Data\SulusGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-12 01:30 . 2005-12-28 17:22 -------- d-----w- c:\program files\Common Files\Java
2010-07-12 00:53 . 2010-07-12 00:53 503808 ----a-w- c:\documents and settings\Asma\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6852db7f-n\msvcp71.dll
2010-07-12 00:53 . 2010-07-12 00:53 499712 ----a-w- c:\documents and settings\Asma\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6852db7f-n\jmc.dll
2010-07-12 00:53 . 2010-07-12 00:53 348160 ----a-w- c:\documents and settings\Asma\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6852db7f-n\msvcr71.dll
2010-07-12 00:53 . 2010-07-12 00:53 61440 ----a-w- c:\documents and settings\Asma\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2f333cf5-n\decora-sse.dll
2010-07-12 00:53 . 2010-07-12 00:53 12800 ----a-w- c:\documents and settings\Asma\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2f333cf5-n\decora-d3d.dll
2010-07-12 00:08 . 2009-04-08 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-07-01 04:54 . 2005-12-28 16:47 -------- d-----w- c:\program files\Quicken
2010-06-30 22:58 . 2010-04-05 07:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-30 07:57 . 2010-05-21 04:38 -------- d-----w- c:\documents and settings\Asma\Application Data\Flood Light Games
2010-06-30 07:57 . 2010-05-21 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Flood Light Games
2010-06-28 22:21 . 2010-04-07 23:45 -------- d-----w- c:\documents and settings\Asma\Application Data\Big Fish Games
2010-06-24 22:06 . 2010-04-05 22:35 -------- d-----w- c:\documents and settings\Asma\Application Data\ERS G-Studio
2010-06-21 14:45 . 2009-04-21 19:28 -------- d-----w- c:\documents and settings\Asma\Application Data\gtk-2.0
2010-06-19 15:37 . 2009-04-14 20:49 40351839 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-06-05 17:39 . 2009-07-04 14:18 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-19 07:28 . 2010-05-18 23:02 -------- d-----w- c:\documents and settings\Asma\Application Data\PlayFirst
2010-05-19 07:28 . 2010-05-18 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2010-05-09 23:14 . 2009-04-08 20:47 60256 ----a-w- c:\documents and settings\Asma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-06 10:41 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2009-04-08 19:16 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 08:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Asma\WINDOWS ----



((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-13 01:17 . 2010-07-13 01:17 16384 c:\windows\temp\Perflib_Perfdata_104.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:03 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-11-22 61952]
"DetectorApp"="c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe" [2005-10-20 102400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-11 761945]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-11-16 503808]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-05-18 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2005-10-28 679936]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-24 2046816]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-06 14:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/8/2009 2:37 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/8/2009 2:37 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/8/2009 2:37 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/8/2009 2:37 PM 297752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
DPF: PackageCab - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\documents and settings\Asma\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Asma\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Asma\Application Data\Mozilla\Firefox\Profiles\aekeh6rv.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{12506109-D4DC-41D9-8204-E50B1AEAFEF6} - c:\windows\system32\dpvoice32.dll
BHO-{41B6D98C-F1EC-E901-9D2B-B2F74DC5222F} - c:\windows\system32\expsrv32.dll



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3576)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\HPQ\SHARED\HPQTOA~1.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2010-07-12 20:21:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-13 01:21
ComboFix2.txt 2010-07-12 04:42

Pre-Run: 47,198,613,504 bytes free
Post-Run: 47,174,881,280 bytes free

- - End Of File - - A1946EC002384E304422468A3A076B97

Persephone

Newbie Surfer

Posts : 34
Joined : 2009-04-03
Operating System : XP


Re: Redirects and several Trojans

Post by Sneakyone on Tue 13 Jul 2010, 12:39 pm

Hi,

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit


Re: Redirects and several Trojans

Post by Persephone on Tue 13 Jul 2010, 2:17 pm

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4307

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/12/2010 10:10:34 PM
mbam-log-2010-07-12 (22-10-34).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 213401
Time elapsed: 1 hour(s), 0 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\dciman3232.dll.vir (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ddraw32.dll.vir (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dgsetup32.dll.vir (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\expsrv32.dll.vir (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059076.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059071.exe (Adware.FLVPlayer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059073.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059074.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059075.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059077.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059079.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059080.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059081.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059082.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059083.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059084.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059086.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP651\A0059087.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP657\A0059894.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP657\A0059895.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP657\A0059919.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060586.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060647.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060648.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060649.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060856.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060857.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060858.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060859.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060860.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060861.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060862.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060863.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060864.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060865.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0060872.dll (Trojan.Tracur) -> Quarantined and deleted successfully.

Persephone

Newbie Surfer

Posts : 34
Joined : 2009-04-03
Operating System : XP

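The MBAM log above is worth reading by location rather than by count: every one of the 36 "Files Infected" hits sits either in ComboFix's own quarantine (C:\Qoobox) or inside System Restore snapshots (System Volume Information\_restore...\RPnnn), which is exactly why the helper's next step is to flush the restore points. The following parser is an added example (not code from the thread, from Malwarebytes, or from GeekPolice) that reads an MBAM 1.x text log and sorts each detection into quarantine, restore point, registry or live-file hits. The embedded log is a constructed, trimmed sample in the same shape as the post above; the path C:\WINDOWS\system32\example32.dll in it is a placeholder standing in for a live detection, not a real indicator.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log by detection location.

Added example, not Malwarebytes' code. Parses the "<Section> Infected:" blocks
of the log and classifies each hit so that hits inside another tool's quarantine
or inside System Restore snapshots can be told apart from live infections.
"""
import re
from collections import Counter

# Constructed sample in the shape of the MBAM log posted above (trimmed).
# The example32.dll entry is a placeholder for a live-file hit, not a real path.
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.46
Database version: 4307

Scan type: Full scan (C:\\|D:\\|)
Objects scanned: 213401

Memory Processes Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\ddraw32.dll.vir (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\\System Volume Information\\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\\RP651\\A0059076.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\\System Volume Information\\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\\RP665\\A0060586.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\example32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
"""

# "Files Infected: 36" is a summary line; "Files Infected:" opens a detail section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# "<path> (<threat>) -> <action>." is the shape of every detail entry.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# System Restore snapshot paths carry the restore-point id (RP651, RP665, ...).
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\", re.I)


def classify_location(path):
    """Bucket a detection path: ComboFix quarantine, restore point, registry or live."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix_quarantine"   # already neutralised by ComboFix
    if RESTORE_RE.search(path):
        return "restore_point"         # dormant copy inside a System Restore snapshot
    if p.startswith("hk"):
        return "registry"              # HKEY_... key, value or data item
    return "live"                      # anything else was active on the filesystem


def parse_mbam_log(text):
    """Return (summary counts per section, list of detection dicts)."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None              # a blank line closes a detail section
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("name")] = int(m.group("count"))
                section = None
            else:
                section = m.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        e = ENTRY_RE.match(line)
        if not e:
            continue
        path = e.group("path")
        rp = RESTORE_RE.search(path)
        detections.append({
            "section": section,
            "path": path,
            "threat": e.group("threat"),
            "action": e.group("action"),
            "location": classify_location(path),
            "restore_point": rp.group("rp") if rp else None,
        })
    return summary, detections


def summarize(detections):
    """Counts by location and threat, restore points touched, and live-file paths."""
    return {
        "by_location": dict(Counter(d["location"] for d in detections)),
        "by_threat": dict(Counter(d["threat"] for d in detections)),
        "restore_points": sorted({d["restore_point"] for d in detections if d["restore_point"]}),
        "live_paths": [d["path"] for d in detections if d["location"] == "live"],
    }


def check_counts(summary, detections):
    """Sections whose header count disagrees with the entries actually parsed."""
    parsed = Counter(d["section"] for d in detections)
    return {name: (n, parsed.get(name, 0))
            for name, n in summary.items() if n != parsed.get(name, 0)}


if __name__ == "__main__":
    summary, dets = parse_mbam_log(SAMPLE_LOG)
    print(summarize(dets))
    print("count mismatches:", check_counts(summary, dets))
```

Run against the full log in the post, `live_paths` comes back empty and `restore_points` lists RP651, RP657 and RP665; a non-empty `live_paths` is the signal that something was still active and that the cleanup is not finished. `check_counts` flags a log whose "Files Infected: N" header does not match the entries listed, which happens when a log is pasted incompletely.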

Re: Redirects and several Trojans

Post by Sneakyone on Tue 13 Jul 2010, 2:18 pm

Hi,

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


I'm livin' life in the fast lane.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit


Re: Redirects and several Trojans

Post by Persephone on Tue 13 Jul 2010, 4:21 pm

Here is the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0de1514fd025cb46aa89c752a2d58442
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-13 05:10:47
# local_time=2010-07-13 12:10:47 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1028 16777173 100 97 0 39686223 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 74 39684640 46337006 0 0
# scanned=81389
# found=2
# cleaned=2
# scan_time=5786
C:\Program Files\HPQ\Default Settings\CpqsetVer.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\[4]-Submit_2010-07-12_20.09.23.zip multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

Persephone

Newbie Surfer

Posts : 34
Joined : 2009-04-03
Operating System : XP


Re: Redirects and several Trojans

Post by Sneakyone on Wed 14 Jul 2010, 2:50 am

Hi,

Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

Updating System Restore
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE.


You now have a clean restore point.

To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the drop-down box that appears select your main drive e.g. C
  • Click OK
  • The System will do a calculation of temporary/old files, and then display a dialogue box.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again, the program will close and you are done.


========

Removing the tools
Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


============

Service Pack upgrade
Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: [You must be registered and logged in to see this link.]

=====

Update Programs
Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

=====

Here are some prevention tips I have provided:

1. Don't download files from untrusted websites or websites that seem suspicious.

2. Don't use torrents; they are a good way to get lots of malware.

3. Don't download and use cracks/warez/keygens; they are illegal and are another good way to contract malware.

4. Disable autorun XP or Vista/7

5. Always make sure you have the latest Windows updates. windowsupdate.microsoft.com

6. Don't ever click on the links inside of a popup.

7. Make sure you know what you install; you can make sure it is not known for being a virus by simply searching about it on Google.

8. Use a Site Advisor so you don't go to sites that will infect you. Mcafee Siteadvisor

9. Also, there are many holes and flaws in Internet Explorer; I recommend using Firefox 3 to keep you safer.

10. Always keep your Java and Adobe updated.

11. Don't fall for the Scareware. What is Scareware? It is a website made to download a rogue Antivirus on your system that will scare you into buying their fake software due to false detections.

12. Always have a Firewall and an Antivirus.

Thanks for choosing GeekPolice, see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?

For more information please visit [You must be registered and logged in to see this link.]


I'm livin' life in the fast lane.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit


Re: Redirects and several Trojans

Post by Persephone on Wed 14 Jul 2010, 5:36 am

Thanks so much for your help!!

Persephone

Newbie Surfer

Posts : 34
Joined : 2009-04-03
Operating System : XP


Re: Redirects and several Trojans

Post by Sneakyone on Wed 14 Jul 2010, 8:16 am

You're welcome, glad I could help.


I'm livin' life in the fast lane.


Sneakyone

Tech Officer

Posts : 2707
Joined : 2010-01-10
Operating System : Windows 7 Ultimate 64-bit
