OTL not working


OTL not working

Post by mooglechan on Sun Mar 20, 2011 1:23 am

Hello,

I've downloaded all the updates as instructed on the welcome page, but OTL is not working. When I try to open it, it says OTL is not a valid Win32 application. Help?!

mooglechan
Novice

Posts : 49
Joined : 2009-12-21
OS : Windows Vista
Points : 26030
# Likes : 0


Re: OTL not working

Post by Gabethebabe on Sun Mar 20, 2011 5:36 pm

Hi there mooglechan!

I am Gabethebabe and I will be helping you with this issue. Before we start some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end! If your computer starts running better, that doesn't mean it is clean yet!

====================

Time to bring out ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit [You must be registered and logged in to see this link.] and read the tutorial on using ComboFix very carefully. After that proceed to download ComboFix, but rename it during the download, to make sure the malware does not interfere.

The easiest is to download using Internet Explorer. If you insist on using Mozilla Firefox, you have to make a change to its configuration:
Tools >> Options >> General >> Downloads >> select Always ask me where to save files.

Use one of the links in the guide to download ComboFix and when your browser asks you where to save it, change the name of the file to svchost.exe and save it to your desktop.



Doubleclick svchost.exe to run the tool. Please post its log back here.

Gabethebabe
Top Dog

Posts : 1568
Joined : 2010-03-07
Gender : Male
OS : Win7
Points : 38208
# Likes : 0


Re: OTL not working

Post by mooglechan on Sun Mar 20, 2011 6:08 pm

Thank you so much for your help, Gabethebabe! You rock on so many levels.

I renamed the combofix file before downloading it like you instructed, but it's still not working. I think it might not have downloaded properly, because it turned into one of those blank-window generic application icons on my desktop with a file size of 0 bytes. And that annoying error message popped up when I double-clicked on it: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

It's the same as when I tried to open spybot and OTL. ??


Re: OTL not working

Post by mooglechan on Sun Mar 20, 2011 6:51 pm

And now I've had to switch to another computer because I can't access the internet on the virus-infected one. I think a program called XP Anti-Virus 2011 is causing the trouble.


Re: OTL not working

Post by Gabethebabe on Mon Mar 21, 2011 10:58 am

Aha, that explains why our tools are not running.

Careful now, XP Anti-Virus 2011 is rogue software. For an explanation of this term you can consult e.g. [You must be registered and logged in to see this link.]. Whatever you do, do not buy a license for this program. If you already did, you have been scammed. In that case I suggest you contact your financial institution and see if you can revert the payment.

The first thing we are going to do is try and temporarily disable the rogue, to get rid of all the annoying popups and allow us to actually do something. For this we use RKill.

====================

Please download RKill by Grinler from Download Mirror #1 and save it to your desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click the RKill desktop icon (right-click > Run as Administrator for Vista/Win7).
  • A black screen will briefly flash, indicating a successful run.
  • If this does not occur, please delete that application and try using Mirror #2.
  • Continue process until the tool runs.
  • Important: RKill only temporarily disables the malware. If you reboot the computer, it will be active again. So do not reboot until we kill the infection.


====================

Since you cannot access the internet from your infected computer, you will have to download the required tools on your clean computer and move them to the infected computer with some removable media, for example by burning them to a CD or writing them to a USB flash disk.

If you use a USB flash disk, I highly recommend you immunize it first, to prevent malware from using the USB flash drive to spread itself.

Please download Flash_Disinfector by sUBs from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run the tool
  • When requested, insert the USB flash disk(s) you want to immunize/disinfect
  • Hold down the Shift key when inserting the drive(s) until Windows detects the drive
  • Click OK to start the disinfection process
  • Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that you choose to disinfect. Do not delete that folder!

====================

Besides RKill (I recommend you download all 7 versions and save them to your CD/USB stick) you will also need OTL to run the OTL scan. So make sure OTL.exe is also saved to the CD/USB stick.
I'll repeat the instructions for OTL:

Please download OTL by OldTimer from [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Close all windows and double click OTL.exe.
  • The Extra Registry setting should be Use Safelist
  • Copy and paste the following text into the Custom Scans/Fixes box:

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\drivers\*.sys
%systemroot%\system32\drivers\*.dll
%systemroot%\system32\drivers\*.ini
%systemroot%\system32\drivers\*.exe
%SYSTEMDRIVE%\*.*
%PROGRAMFILES%\*.
/md5start
atapi.sys
explorer.exe
iastor.sys
userinit.exe
winlogon.exe
/md5stop
  • Click the Run Scan button and allow it to run.
  • It will produce two logs for you, OTL.txt and Extras.txt. Please post both logs in this thread.
  • You may need to use two posts to get it all.


Re: OTL not working

Post by mooglechan on Mon Mar 21, 2011 4:59 pm

Finally got OTL to work!! Here's the log:

OTL logfile created on: 3/21/2011 8:35:54 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = E:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 499.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 73.12 Gb Total Space | 56.38 Gb Free Space | 77.10% Space Free | Partition Type: NTFS
Drive E: | 3.72 Gb Total Space | 3.68 Gb Free Space | 98.78% Space Free | Partition Type: FAT32

Computer Name: USER-21823D6F05 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/21 08:34:50 | 000,146,160 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Temp\e2e47pgfa.exe
PRC - [2011/03/21 08:32:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- E:\OTL.com
PRC - [2011/03/19 17:21:03 | 000,339,968 | -HS- | M] (Valve Corporation) -- C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe
PRC - [2011/03/19 17:19:10 | 000,133,120 | ---- | M] () -- C:\WINDOWS\system32\tukdtjsr.exe
PRC - [2011/03/19 17:19:10 | 000,015,360 | ---- | M] (微软中国) -- C:\WINDOWS\system32\dgjasr46w.exe
PRC - [2011/03/19 17:19:08 | 000,146,160 | ---- | M] () -- C:\WINDOWS\system32\tukdtjsrx.exe
PRC - [2011/03/19 17:18:54 | 000,036,864 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Temp\zitui1.exe
PRC - [2011/03/19 17:15:55 | 001,041,920 | ---- | M] () -- C:\Documents and Settings\User\Application Data\0AB157276B5A9C4829482DA48061C884\ansi70sepmod.exe
PRC - [2010/02/25 22:10:20 | 021,979,992 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2010/01/15 05:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/08/19 11:23:24 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/08/19 11:23:22 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2007/10/08 15:18:04 | 000,995,328 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2007/10/08 15:15:50 | 000,356,352 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2007/10/08 15:13:36 | 001,101,824 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2007/10/08 15:09:26 | 000,659,456 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2007/05/10 11:22:32 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
PRC - [2004/08/04 03:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/04 03:00:00 | 000,087,040 | -H-- | M] () -- C:\WINDOWS\hig39gahir.exe


========== Modules (SafeList) ==========

MOD - [2011/03/21 08:32:04 | 000,580,608 | ---- | M] (OldTimer Tools) -- E:\OTL.com
MOD - [2004/08/04 03:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 03:00:00 | 000,373,760 | ---- | M] () -- C:\WINDOWS\ifilodip.dll
MOD - [2004/08/04 03:00:00 | 000,249,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\odbc32.dll
MOD - [2004/08/04 03:00:00 | 000,098,816 | ---- | M] () -- C:\WINDOWS\dmocpso.dll
MOD - [2004/08/04 03:00:00 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\iphlpapi.dll
MOD - [2004/08/04 03:00:00 | 000,094,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\odbcint.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (nosGetPlusHelper) getPlus(R)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/01/15 05:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/02/06 10:14:03 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\Nwsapagents.dll -- (Nwsapagent)
SRV - [2007/10/08 15:15:50 | 000,356,352 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel(R)


========== Driver Services (SafeList) ==========

DRV - [2007/09/26 07:01:32 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel(R)
DRV - [2007/08/27 12:10:36 | 000,012,288 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/05/10 11:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/11/21 05:25:44 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/11/15 01:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/14 20:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 18:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.GeekPolice.net/t26443-otl-not-working#179430|http://www.bleepingcomputer.com/combofix/how-to-use-combofix"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:7
FF - prefs.js..extensions.enabledItems: {051D3ACE-2713-4BA7-B11C-B18DE29BBB12}:1.9.1

FF - HKLM\software\mozilla\Firefox\extensions\\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12}: C:\Documents and Settings\User\Local Settings\Application Data\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12} [2011/03/19 17:18:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/11 15:25:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/19 18:10:05 | 000,000,000 | ---D | M]

[2010/01/15 15:36:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2011/03/20 07:29:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\qf44x5cv.default\extensions
[2011/03/19 18:11:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/03/19 18:10:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2010/04/16 13:40:34 | 000,000,000 | ---D | M] (Move Media Player) -- C:\DOCUMENTS AND SETTINGS\USER\APPLICATION DATA\MOVE NETWORKS
[2011/03/19 17:18:39 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\APPLICATION DATA\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12}
[2010/01/12 08:55:03 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/13 15:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2011/03/21 08:34:40 | 000,000,779 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [tukdtjsr] C:\WINDOWS\system32\tukdtjsr.exe ()
O4 - HKLM..\Run: [tukdtjsrx] C:\WINDOWS\system32\tukdtjsrx.exe ()
O4 - HKLM..\Run: [Vbeliw] C:\WINDOWS\ifilodip.dll ()
O4 - HKCU..\Run: [ansi70sepmod.exe] C:\Documents and Settings\User\Application Data\0AB157276B5A9C4829482DA48061C884\ansi70sepmod.exe ()
O4 - HKCU..\Run: [Psedaratiqefamet] C:\WINDOWS\dmocpso.dll ()
O4 - HKLM..\RunOnce: [*adslauditscan.exe] C:\Documents and Settings\All Users\Start Menu\Programs\adslauditscan.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe ()
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: fpact = C:\DOCUME~1\User\LOCALS~1\Temp\zitui1.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: dyrjnsrn = C:\WINDOWS\hig39gahir.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: fthsjesb = C:\WINDOWS\hig39gahir.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: cnet.com ([download] https in Trusted sites)
O15 - HKCU\..Trusted Domains: download.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: infospyware.net ([www] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/11 00:21:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{ee52b211-336f-11df-b4fc-0015c5231e41}\Shell\AutoRun\command - "" = E:\setupSNK.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe" -a "%1" %* (Valve Corporation)
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe" -a "%1" %* (Valve Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - C:\WINDOWS\system32\Nwsapagents.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found


SafeBootMin: AppMgmt - File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (70945304882446336)

========== Files/Folders - Created Within 30 Days ==========

[2011/03/19 18:31:54 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/03/19 18:11:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
[2011/03/19 18:11:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Security Scan Plus
[2011/03/19 18:11:34 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2011/03/19 18:10:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/03/19 18:10:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/03/19 18:10:05 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/03/19 18:10:05 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/03/19 18:10:05 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/03/19 18:10:05 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/03/19 18:07:44 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/03/19 18:04:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/03/19 17:54:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/03/19 17:54:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/03/19 17:21:03 | 000,339,968 | -HS- | C] (Valve Corporation) -- C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe
[2011/03/19 17:19:28 | 000,062,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.OCX
[2011/03/19 17:19:10 | 000,015,360 | ---- | C] (微软中国) -- C:\WINDOWS\System32\dgjasr46w.exe
[2011/03/19 17:18:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\OfferBox
[2011/03/19 17:18:57 | 000,000,000 | ---D | C] -- C:\Program Files\OfferBox
[2011/03/19 17:18:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12}
[2011/03/19 17:15:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\0AB157276B5A9C4829482DA48061C884
[2011/03/19 17:08:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\Hakuouki Shinsengumi Kitan - Hyakka Ryouran
[2011/03/19 16:56:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\hakuouki shinsengumi
[2011/03/11 08:22:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/21 08:37:34 | 000,001,361 | -H-- | M] () -- C:\WINDOWS\mlog
[2011/03/21 08:34:20 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Dvofejemilapey.dat
[2011/03/21 08:33:39 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Wseyab.bin
[2011/03/21 08:33:18 | 000,012,824 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\riw8d1h877d2h634h6t1cs3o1648508sq73ldg5h36y1yi8
[2011/03/21 08:33:17 | 000,012,824 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\riw8d1h877d2h634h6t1cs3o1648508sq73ldg5h36y1yi8
[2011/03/21 08:32:42 | 000,062,940 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/03/21 08:32:42 | 000,017,882 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/03/21 08:32:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/21 08:32:16 | 1072,103,424 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/20 11:44:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\User\Desktop\What Do You Want From Me. I am an admin assistant and have no money. please leave me alone. i just want to get some work done while i have the weekend off. Please..exe
[2011/03/20 11:25:59 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ChromeSetup.exe
[2011/03/20 11:03:18 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\User\Desktop\svchost.exe
[2011/03/20 10:53:53 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/20 07:59:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\User\My Documents\spybotsd162.exe
[2011/03/20 07:52:32 | 000,164,879 | ---- | M] () -- C:\Documents and Settings\User\Desktop\system.JPG
[2011/03/20 07:45:42 | 000,150,649 | ---- | M] () -- C:\Documents and Settings\User\Desktop\untitled.bmp
[2011/03/19 18:11:35 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/03/19 17:21:03 | 000,339,968 | -HS- | M] (Valve Corporation) -- C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe
[2011/03/19 17:19:28 | 000,062,496 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.OCX
[2011/03/19 17:19:11 | 000,000,040 | ---- | M] () -- C:\WINDOWS\System32\service.sys
[2011/03/19 17:19:10 | 000,133,120 | ---- | M] () -- C:\WINDOWS\System32\tukdtjsr.exe
[2011/03/19 17:19:10 | 000,015,360 | ---- | M] (微软中国) -- C:\WINDOWS\System32\dgjasr46w.exe
[2011/03/19 17:19:08 | 000,146,160 | ---- | M] () -- C:\WINDOWS\System32\tukdtjsrx.exe
[2011/03/19 14:48:07 | 000,312,172 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/19 14:48:07 | 000,040,394 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/19 14:46:33 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/13 08:13:55 | 000,088,456 | ---- | M] () -- C:\Documents and Settings\User\Desktop\TPT2-DISCUSSION.pdf
[2011/03/13 08:02:31 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
[2011/03/11 08:22:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/03/07 21:13:23 | 001,347,065 | ---- | M] () -- C:\Documents and Settings\User\Desktop\TPT1-EBOOK.pdf
[2011/03/07 21:13:08 | 000,970,072 | ---- | M] () -- C:\Documents and Settings\User\Desktop\TPT1_1.03.2011.pdf
[2011/03/02 10:00:42 | 000,003,712 | ---- | M] () -- C:\Documents and Settings\User\Desktop\gp-musicals.wpl
[2011/03/02 09:49:24 | 000,003,547 | ---- | M] () -- C:\Documents and Settings\User\Desktop\spn-tpt.wpl
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/20 11:55:24 | 000,147,968 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\adslauditscan.exe
[2011/03/20 11:40:17 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\Desktop\What Do You Want From Me. I am an admin assistant and have no money. please leave me alone. i just want to get some work done while i have the weekend off. Please..exe
[2011/03/20 11:25:50 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ChromeSetup.exe
[2011/03/20 11:03:13 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\Desktop\svchost.exe
[2011/03/20 07:58:18 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\My Documents\spybotsd162.exe
[2011/03/20 07:52:32 | 000,164,879 | ---- | C] () -- C:\Documents and Settings\User\Desktop\system.JPG
[2011/03/20 07:45:06 | 000,150,649 | ---- | C] () -- C:\Documents and Settings\User\Desktop\untitled.bmp
[2011/03/19 18:11:35 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/03/19 17:55:37 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/19 17:21:12 | 000,012,824 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\riw8d1h877d2h634h6t1cs3o1648508sq73ldg5h36y1yi8
[2011/03/19 17:21:12 | 000,012,824 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\riw8d1h877d2h634h6t1cs3o1648508sq73ldg5h36y1yi8
[2011/03/19 17:19:30 | 000,001,361 | -H-- | C] () -- C:\WINDOWS\mlog
[2011/03/19 17:19:11 | 000,000,040 | ---- | C] () -- C:\WINDOWS\System32\service.sys
[2011/03/19 17:19:10 | 000,133,120 | ---- | C] () -- C:\WINDOWS\System32\tukdtjsr.exe
[2011/03/19 17:19:01 | 000,146,160 | ---- | C] () -- C:\WINDOWS\System32\tukdtjsrx.exe
[2011/03/19 17:18:40 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Dvofejemilapey.dat
[2011/03/19 17:18:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wseyab.bin
[2011/03/13 08:13:54 | 000,088,456 | ---- | C] () -- C:\Documents and Settings\User\Desktop\TPT2-DISCUSSION.pdf
[2011/03/07 21:13:17 | 001,347,065 | ---- | C] () -- C:\Documents and Settings\User\Desktop\TPT1-EBOOK.pdf
[2011/03/07 21:12:49 | 000,970,072 | ---- | C] () -- C:\Documents and Settings\User\Desktop\TPT1_1.03.2011.pdf
[2011/03/02 10:00:42 | 000,003,712 | ---- | C] () -- C:\Documents and Settings\User\Desktop\gp-musicals.wpl
[2011/03/02 09:49:24 | 000,003,547 | ---- | C] () -- C:\Documents and Settings\User\Desktop\spn-tpt.wpl
[2010/09/17 09:14:07 | 000,027,868 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/02/05 17:48:46 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/18 18:09:15 | 000,090,624 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/15 15:35:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/01/12 08:26:46 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2010/01/12 08:25:40 | 000,017,882 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2010/01/12 08:25:02 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2010/01/12 08:25:02 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2010/01/12 08:24:59 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2010/01/12 08:24:59 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2010/01/12 08:24:58 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2010/01/12 08:24:57 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2010/01/12 08:24:57 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2010/01/12 08:24:57 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2010/01/12 08:24:56 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2010/01/12 08:22:40 | 000,376,832 | ---- | C] () -- C:\WINDOWS\System32\AegisI5Installer.exe
[2010/01/11 00:24:36 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/01/11 00:18:56 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/01/10 16:13:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/01/10 16:11:49 | 000,130,888 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/03/22 11:48:43 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/22 11:48:43 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 03:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 03:00:00 | 000,373,760 | ---- | C] () -- C:\WINDOWS\ifilodip.dll
[2004/08/04 03:00:00 | 000,312,172 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 03:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 03:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 03:00:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\dmocpso.dll
[2004/08/04 03:00:00 | 000,087,040 | -H-- | C] () -- C:\WINDOWS\hig39gahir.exe
[2004/08/04 03:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 03:00:00 | 000,040,394 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 03:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 03:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/04 03:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 03:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/04 03:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/04 03:00:00 | 000,000,009 | ---- | C] () -- C:\WINDOWS\System32\comsats.sys

========== Custom Scans ==========


< %systemroot%\Fonts\*.com >

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2010/01/11 00:21:24 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2010/01/11 00:21:49 | 000,000,294 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/01/11 00:27:39 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2010/01/11 00:27:38 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2011/03/20 11:25:59 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ChromeSetup.exe
[2011/03/20 11:03:18 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\User\Desktop\svchost.exe
[2011/03/20 11:44:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\User\Desktop\What Do You Want From Me. I am an admin assistant and have no money. please leave me alone. i just want to get some work done while i have the weekend off. Please..exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >
[2011/03/20 07:59:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\User\My Documents\spybotsd162.exe

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\*.exe >
[2010/12/11 15:25:45 | 000,122,328 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\crashreporter.exe
[2010/12/11 15:25:46 | 000,910,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2010/12/11 15:25:51 | 000,246,744 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\updater.exe

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2010/01/11 00:27:38 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\User\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2004/08/04 03:00:00 | 000,344,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\hnetcfg.dll
[2004/08/04 03:00:00 | 001,392,671 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll
[6 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[6 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/01/10 16:10:47 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/01/10 16:10:47 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/01/10 16:10:46 | 000,888,832 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2004/08/04 03:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2004/08/04 03:00:00 | 000,000,009 | ---- | M] () -- C:\WINDOWS\system32\comsats.sys
[2004/08/04 03:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2004/08/04 03:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2004/08/04 03:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2004/08/04 03:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2004/08/04 03:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2004/08/04 03:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2004/08/04 03:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2004/08/04 03:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2004/08/04 03:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004/08/04 03:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004/08/04 03:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004/08/04 03:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004/08/04 03:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004/08/04 03:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2011/03/19 17:19:11 | 000,000,040 | ---- | M] () -- C:\WINDOWS\system32\service.sys
[2004/08/04 03:00:00 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2010/05/01 22:56:34 | 001,850,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[6 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >

< %SYSTEMDRIVE%\*.* >
[2010/01/11 00:21:46 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/01/11 00:16:03 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/01/11 00:21:46 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2011/03/21 08:32:16 | 1072,103,424 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/11 00:21:46 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/01/11 00:21:46 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 03:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/04 03:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2011/03/21 08:32:15 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys

< %PROGRAMFILES%\*. >
[2010/01/29 14:30:18 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2010/11/28 18:39:17 | 000,000,000 | ---D | M] -- C:\Program Files\Amazon
[2010/06/26 07:31:12 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2010/01/15 21:08:43 | 000,000,000 | ---D | M] -- C:\Program Files\Audacity
[2010/05/21 10:48:34 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2010/06/26 07:30:29 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2010/01/12 08:27:27 | 000,000,000 | ---D | M] -- C:\Program Files\Broadcom
[2011/03/19 18:10:24 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2010/01/11 00:18:49 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2010/01/11 00:30:08 | 000,000,000 | ---D | M] -- C:\Program Files\Dell
[2010/01/12 08:26:53 | 000,000,000 | ---D | M] -- C:\Program Files\DIFX
[2010/07/03 17:21:17 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2010/07/03 17:23:39 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2010/01/12 08:27:53 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/01/12 08:23:38 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2010/06/09 09:26:02 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/08/21 21:11:04 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2010/08/21 21:11:52 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2011/03/19 18:10:01 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/01/12 08:55:32 | 000,000,000 | ---D | M] -- C:\Program Files\JRE
[2011/03/19 18:11:34 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee Security Scan
[2010/01/15 21:54:27 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2010/02/05 17:46:35 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010/02/05 17:46:46 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2010/03/11 10:41:47 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2011/03/20 11:58:59 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2010/01/11 00:17:27 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2010/01/11 00:18:11 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2010/01/15 21:52:05 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2010/01/11 00:19:45 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2011/03/20 11:28:42 | 000,000,000 | ---D | M] -- C:\Program Files\OfferBox
[2010/01/11 00:18:19 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/01/12 08:55:30 | 000,000,000 | ---D | M] -- C:\Program Files\OpenOffice.org 3
[2010/05/15 20:59:46 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/07/09 18:58:29 | 000,000,000 | ---D | M] -- C:\Program Files\PhotoScape
[2010/06/26 07:31:51 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2010/10/26 08:21:36 | 000,000,000 | ---D | M] -- C:\Program Files\Scrivener
[2010/01/12 08:27:53 | 000,000,000 | ---D | M] -- C:\Program Files\SigmaTel
[2010/01/12 08:53:26 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2010/01/12 08:24:36 | 000,000,000 | ---D | M] -- C:\Program Files\Synaptics
[2010/01/11 00:27:28 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/01/29 14:42:20 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2010/01/29 15:45:00 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp
[2010/01/29 15:43:12 | 000,000,000 | ---D | M] -- C:\Program Files\Winamp Detect
[2010/01/29 15:36:10 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2010/01/29 15:36:08 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2010/01/11 00:18:02 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2010/01/11 00:20:35 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2010/01/15 15:55:53 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2010/01/11 00:22:14 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2010/05/31 09:40:29 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo! Games

< %appdata%\*.* >
[2010/01/10 16:12:34 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\User\Application Data\desktop.ini


< MD5 for: AGP440.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 03:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2004/08/04 03:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\system32\drivers\disk.sys
[2008/04/13 11:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll
[2004/08/04 03:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 03:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/07/12 14:35:02 | 000,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 03:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 03:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATA.SYS >
[2006/10/18 15:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\dell\nvraid\nvata.sys

< MD5 for: NVATABUS.SYS >
[2006/10/18 14:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) MD5=EF9941593B2E9B436F64A87DDB570D1A -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 03:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 03:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll

< MD5 for: SYMMPI.SYS >
[2007/02/09 20:06:00 | 000,100,096 | ---- | M] (LSI Logic) MD5=A42F863305943869BA00A613C8EE8C7E -- C:\WINDOWS\dell\symmpi\symmpi.sys

< MD5 for: USBSTOR.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2004/08/04 00:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\system32\dllcache\usbstor.sys
[2004/08/04 00:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\system32\drivers\USBSTOR.SYS
[2008/04/13 11:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-15 17:12:40

< End of report >

mooglechan

Re: OTL not working

Post by mooglechan on Mon Mar 21, 2011 5:00 pm

And here is the Extras log:

OTL Extras logfile created on: 3/21/2011 8:35:54 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = E:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 499.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 73.12 Gb Total Space | 56.38 Gb Free Space | 77.10% Space Free | Partition Type: NTFS
Drive E: | 3.72 Gb Total Space | 3.68 Gb Free Space | 98.78% Space Free | Partition Type: FAT32

Computer Name: USER-21823D6F05 | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.exe [@ = exefile] -- C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe (Valve Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1"
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1"
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0
"EnableFirewall" = 0
"DisableNotifications" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- ()
"C:\WINDOWS\hig39gahir.exe" = C:\WINDOWS\hig39gahir.exe:*:Enabled:hig39gahir.exe -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 24
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A8964DB2-33FA-093F-D3EE-C6B7C1C00C3A}" = Chocolatier
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"4569969E1360D2854474C661EF9B4D54F143EB16" = Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.10
"Audacity_is1" = Audacity 1.2.6
"Chocolatier" = Chocolatier (remove only)
"ie8" = Windows Internet Explorer 8
"McAfee Security Scan" = McAfee Security Scan Plus
"Mozilla Firefox (3.5.16)" = Mozilla Firefox (3.5.16)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"PhotoScape" = PhotoScape
"ProInst" = Intel(R) PROSet/Wireless Software
"Scrivener for Windows Beta 1" = Scrivener for Windows Beta
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VLC media player" = VLC media player 1.1.2
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Antimalware Doctor" = Antimalware Doctor
"Dropbox" = Dropbox
"Move Media Player" = Move Media Player
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/13/2010 5:09:13 PM | Computer Name = USER-21823D6F05 | Source = Application Hang | ID = 1001
Description = Fault bucket 01984595.

Error - 11/14/2010 5:06:49 PM | Computer Name = USER-21823D6F05 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 11/14/2010 5:06:49 PM | Computer Name = USER-21823D6F05 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 1953

Error - 11/14/2010 5:06:49 PM | Computer Name = USER-21823D6F05 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1953

Error - 11/20/2010 6:13:20 PM | Computer Name = USER-21823D6F05 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 11/20/2010 6:13:20 PM | Computer Name = USER-21823D6F05 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 1985

Error - 11/20/2010 6:13:20 PM | Computer Name = USER-21823D6F05 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1985

Error - 11/20/2010 6:13:22 PM | Computer Name = USER-21823D6F05 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 11/20/2010 6:13:22 PM | Computer Name = USER-21823D6F05 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 4188

Error - 11/20/2010 6:13:22 PM | Computer Name = USER-21823D6F05 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 4188

[ System Events ]
Error - 3/20/2011 2:32:24 PM | Computer Name = USER-21823D6F05 | Source = Service Control Manager | ID = 7031
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 3/20/2011 2:32:27 PM | Computer Name = USER-21823D6F05 | Source = Service Control Manager | ID = 7034
Description = The WebClient service terminated unexpectedly. It has done this 1
time(s).

Error - 3/20/2011 2:32:31 PM | Computer Name = USER-21823D6F05 | Source = Service Control Manager | ID = 7034
Description = The TCP/IP NetBIOS Helper service terminated unexpectedly. It has
done this 1 time(s).

Error - 3/20/2011 2:32:31 PM | Computer Name = USER-21823D6F05 | Source = Service Control Manager | ID = 7034
Description = The SSDP Discovery Service service terminated unexpectedly. It has
done this 1 time(s).

Error - 3/20/2011 2:32:34 PM | Computer Name = USER-21823D6F05 | Source = Service Control Manager | ID = 7034
Description = The DNS Client service terminated unexpectedly. It has done this
1 time(s).

Error - 3/20/2011 2:32:38 PM | Computer Name = USER-21823D6F05 | Source = Service Control Manager | ID = 7031
Description = The Remote Procedure Call (RPC) service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Reboot the machine.

Error - 3/20/2011 2:40:17 PM | Computer Name = USER-21823D6F05 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 3/20/2011 2:46:54 PM | Computer Name = USER-21823D6F05 | Source = Service Control Manager | ID = 7034
Description = The Intel(R) PROSet/Wireless Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/20/2011 2:55:11 PM | Computer Name = USER-21823D6F05 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 3/21/2011 11:37:28 AM | Computer Name = USER-21823D6F05 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460


< End of report >

mooglechan
Novice

Posts : 49
Joined : 2009-12-21
OS : Windows Vista
Points : 26030
# Likes : 0

Re: OTL not working

Post by Gabethebabe on Mon Mar 21, 2011 7:19 pm

Ugh, that is a nice collection of malicious processes. Let's start slaughtering them.
  • Please run OTL.exe again
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

:files
C:\Documents and Settings\User\Application Data\0AB157276B5A9C4829482DA48061C884
C:\Documents and Settings\User\Local Settings\Temp\e2e47pgfa.exe
C:\WINDOWS\system32\tukdtjsr.exe
C:\WINDOWS\system32\dgjasr46w.exe
C:\WINDOWS\system32\tukdtjsrx.exe
C:\Documents and Settings\User\Local Settings\Temp\zitui1.exe
C:\WINDOWS\hig39gahir.exe
C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe
C:\Documents and Settings\All Users\Start Menu\Programs\adslauditscan.exe
C:\WINDOWS\Dvofejemilapey.dat
C:\WINDOWS\Wseyab.bin
C:\Documents and Settings\All Users\Application Data\riw8d1h877d2h634h6t1cs3o1648508sq73ldg5h36y1yi8
C:\Documents and Settings\User\Local Settings\Application Data\riw8d1h877d2h634h6t1cs3o1648508sq73ldg5h36y1yi8
C:\Program Files\OfferBox
C:\Documents and Settings\User\Application Data\OfferBox


:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\hig39gahir.exe"=-

:otl
PRC - [2011/03/21 08:34:50 | 000,146,160 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Temp\e2e47pgfa.exe
PRC - [2011/03/19 17:21:03 | 000,339,968 | -HS- | M] (Valve Corporation) -- C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe
PRC - [2011/03/19 17:19:10 | 000,133,120 | ---- | M] () -- C:\WINDOWS\system32\tukdtjsr.exe
PRC - [2011/03/19 17:19:10 | 000,015,360 | ---- | M] (微软中国) -- C:\WINDOWS\system32\dgjasr46w.exe
PRC - [2011/03/19 17:19:08 | 000,146,160 | ---- | M] () -- C:\WINDOWS\system32\tukdtjsrx.exe
PRC - [2011/03/19 17:18:54 | 000,036,864 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Temp\zitui1.exe
PRC - [2011/03/19 17:15:55 | 001,041,920 | ---- | M] () -- C:\Documents and Settings\User\Application Data\0AB157276B5A9C4829482DA48061C884\ansi70sepmod.exe
PRC - [2004/08/04 03:00:00 | 000,087,040 | -H-- | M] () -- C:\WINDOWS\hig39gahir.exe
O1 - Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
O4 - HKLM..\Run: [tukdtjsr] C:\WINDOWS\system32\tukdtjsr.exe ()
O4 - HKLM..\Run: [tukdtjsrx] C:\WINDOWS\system32\tukdtjsrx.exe ()
O4 - HKLM..\Run: [Vbeliw] C:\WINDOWS\ifilodip.dll ()
O4 - HKCU..\Run: [ansi70sepmod.exe] C:\Documents and Settings\User\Application Data\0AB157276B5A9C4829482DA48061C884\ansi70sepmod.exe ()
O4 - HKCU..\Run: [Psedaratiqefamet] C:\WINDOWS\dmocpso.dll ()
O4 - HKLM..\RunOnce: [*adslauditscan.exe] C:\Documents and Settings\All Users\Start Menu\Programs\adslauditscan.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: fpact = C:\DOCUME~1\User\LOCALS~1\Temp\zitui1.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: dyrjnsrn = C:\WINDOWS\hig39gahir.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: fthsjesb = C:\WINDOWS\hig39gahir.exe ()
O15 - HKCU\..Trusted Domains: cnet.com ([download] https in Trusted sites)
O15 - HKCU\..Trusted Domains: download.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: infospyware.net ([www] https in Trusted sites)
O33 - MountPoints2\{ee52b211-336f-11df-b4fc-0015c5231e41}\Shell\AutoRun\command - "" = E:\setupSNK.exe
O35 - HKCU\..exefile [open] -- "C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe" -a "%1" %* (Valve Corporation)
O37 - HKCU\...exe [@ = exefile] -- "C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe" -a "%1" %* (Valve Corporation)

:commands
[reboot]
  • Then click the Run Fix button at the top.
  • Allow it to run. It may take some time and you may see some things happen to your desktop - this is normal.
  • If it asks to reboot the computer, allow it to reboot.
  • If the program freezes, and the computer fails to reboot - let me know.
  • Finally, post the contents of the log. (Located at C:\_OTL\Moved Files)

Gabethebabe
Top Dog

Posts : 1568
Joined : 2010-03-07
Gender : Male
OS : Win7
Points : 38208
# Likes : 0
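Reading an OTL log the way the helper does above, line by line, is mechanical enough to script. The following is an added example (not code from the forum posts, from OTL or from its author) that parses the OTL line types seen in this thread (PRC, O1, O4, O6, O35/O37), flags the traits the helper acted on, and emits a Custom Scans/Fixes block in the same :files / :otl / :commands layout; the trigger heuristics and the two benign control lines in the sample are assumptions.

```python
"""Triage OTL scan-log lines the way the helper does by hand in this thread.

Added example; not code from the forum posts, from OTL or from its author.
The trigger heuristics below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines shaped like the OTL log posted above, plus two
# made-up benign controls (an Intel process and the Synaptics Run entry).
SAMPLE_LOG = r"""PRC - [2011/03/21 08:34:50 | 000,146,160 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Temp\e2e47pgfa.exe
PRC - [2011/03/19 17:21:03 | 000,339,968 | -HS- | M] (Valve Corporation) -- C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe
PRC - [2004/08/04 03:00:00 | 000,087,040 | -H-- | M] () -- C:\WINDOWS\hig39gahir.exe
PRC - [2007/10/08 10:00:00 | 000,995,328 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O1 - Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
O4 - HKLM..\Run: [tukdtjsr] C:\WINDOWS\system32\tukdtjsr.exe ()
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: fpact = C:\DOCUME~1\User\LOCALS~1\Temp\zitui1.exe ()
O35 - HKCU\..exefile [open] -- "C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe" -a "%1" %* (Valve Corporation)
O37 - HKCU\...exe [@ = exefile] -- "C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe" -a "%1" %* (Valve Corporation)
"""


@dataclass
class Finding:
    section: str  # OTL line type: PRC, O1, O4, O6, O35 or O37
    target: str   # file path, hosts mapping or shell handler command
    reason: str
    line: str     # the original log line, reusable in an :otl fix block


PRC_RE = re.compile(r"^PRC - \[([^\]]+)\] \(([^)]*)\) -- (.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\.\.\\(Run\w*): \[([^\]]+)\] (.+?) \(([^)]*)\)$")
O6_RE = re.compile(r"^O6 - (\S+): (\S+) = (.+?) \(([^)]*)\)$")
O3X_RE = re.compile(r"^(O3[57]) - .+? -- (.+?) \(([^)]*)\)$")

# A clean exefile\shell\open\command just passes the file through.
CLEAN_EXEFILE_HANDLER = '"%1" %*'
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def triage_line(line):
    """Return a Finding for a suspicious OTL line, or None if it looks benign."""
    line = line.rstrip()
    m = PRC_RE.match(line)
    if m:
        fields = [f.strip() for f in m.group(1).split("|")]  # date, size, attrs, M
        attrs, company, path = fields[2], m.group(2), m.group(3)
        reasons = []
        if not company:
            reasons.append("no publisher name")
        if "\\temp\\" in path.lower():
            reasons.append("runs from a Temp folder")
        if "H" in attrs or "S" in attrs:
            reasons.append("hidden/system file attributes")
        return Finding("PRC", path, "; ".join(reasons), line) if reasons else None
    m = O1_RE.match(line)
    if m and m.group(1) not in LOOPBACK:
        return Finding("O1", f"{m.group(1)} {m.group(2)}",
                       "Hosts entry redirects a domain to a remote address", line)
    m = O4_RE.match(line)
    if m and not m.group(5):
        return Finding("O4", m.group(4), "autostart entry with no publisher name", line)
    m = O6_RE.match(line)
    if m and not m.group(4):
        return Finding("O6", m.group(3), "policies\\Explorer\\Run entry with no publisher name", line)
    m = O3X_RE.match(line)
    if m and m.group(2) != CLEAN_EXEFILE_HANDLER:
        return Finding(m.group(1), m.group(2),
                       "exefile handler routes every .exe launch through another program", line)
    return None


def triage(log_text):
    """Run triage_line over a whole OTL log, keeping findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def fix_script(findings):
    """Build an OTL Custom Scans/Fixes block (:files / :otl / :commands) from findings."""
    files = []
    for f in findings:
        if f.section in ("PRC", "O4", "O6") and f.target not in files:
            files.append(f.target)
    parts = [":files", *files, "", ":otl", *(f.line for f in findings), "", ":commands", "[reboot]"]
    return "\n".join(parts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.target}")
    print()
    print(fix_script(triage(SAMPLE_LOG)))
```

The two control lines pass through untouched, which is the point of the publisher/attribute checks: they single out what the helper's fix list contained without touching the Intel and Synaptics entries.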

Re: OTL not working

Post by mooglechan on Tue Mar 22, 2011 2:14 am

Sorry for taking so long to reply. Things are just crazy....

========== FILES ==========
C:\Documents and Settings\User\Application Data\0AB157276B5A9C4829482DA48061C884 folder moved successfully.
C:\Documents and Settings\User\Local Settings\Temp\e2e47pgfa.exe moved successfully.
C:\WINDOWS\system32\tukdtjsr.exe moved successfully.
C:\WINDOWS\system32\dgjasr46w.exe moved successfully.
C:\WINDOWS\system32\tukdtjsrx.exe moved successfully.
C:\Documents and Settings\User\Local Settings\Temp\zitui1.exe moved successfully.
C:\WINDOWS\hig39gahir.exe moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe moved successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\adslauditscan.exe moved successfully.
C:\WINDOWS\Dvofejemilapey.dat moved successfully.
C:\WINDOWS\Wseyab.bin moved successfully.
C:\Documents and Settings\All Users\Application Data\riw8d1h877d2h634h6t1cs3o1648508sq73ldg5h36y1yi8 moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\riw8d1h877d2h634h6t1cs3o1648508sq73ldg5h36y1yi8 moved successfully.
C:\Program Files\OfferBox\offerboxffx@offerbox.com\components folder moved successfully.
C:\Program Files\OfferBox\offerboxffx@offerbox.com folder moved successfully.
C:\Program Files\OfferBox folder moved successfully.
C:\Documents and Settings\User\Application Data\OfferBox folder moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\hig39gahir.exe deleted successfully.
========== OTL ==========
No active process named e2e47pgfa.exe was found!
No active process named ikd.exe was found!
No active process named tukdtjsr.exe was found!
No active process named dgjasr46w.exe was found!
No active process named tukdtjsrx.exe was found!
No active process named zitui1.exe was found!
No active process named ansi70sepmod.exe was found!
No active process named hig39gahir.exe was found!
173.192.170.88 drghwaweg45j4i6u3q32fg2h.com removed from HOSTS file successfully
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tukdtjsr deleted successfully.
File C:\WINDOWS\system32\tukdtjsr.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tukdtjsrx deleted successfully.
File C:\WINDOWS\system32\tukdtjsrx.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Vbeliw deleted successfully.
C:\WINDOWS\ifilodip.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ansi70sepmod.exe not found.
File C:\Documents and Settings\User\Application Data\0AB157276B5A9C4829482DA48061C884\ansi70sepmod.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Psedaratiqefamet not found.
C:\WINDOWS\dmocpso.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*adslauditscan.exe not found.
Invalid CLSID key: *adslauditscan.exe
File C:\Documents and Settings\All Users\Start Menu\Programs\adslauditscan.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\fpact deleted successfully.
File C:\DOCUME~1\User\LOCALS~1\Temp\zitui1.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\dyrjnsrn deleted successfully.
File C:\WINDOWS\hig39gahir.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\fthsjesb deleted successfully.
File C:\WINDOWS\hig39gahir.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cnet.com\download\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download.com\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\infospyware.net\www\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee52b211-336f-11df-b4fc-0015c5231e41}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ee52b211-336f-11df-b4fc-0015c5231e41}\ not found.
File E:\setupSNK.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Classes\exefile\shell\open\command\\'' updated successfully.
File "C:\Documents and Settings\User\Local Settings\Application Data\ikd.exe" -a "%1" %* not found.
Registry key HKEY_CURRENT_USER\Software\Classes\.exe\ not found.
Registry key HKEY_CURRENT_USER\Software\Classes\exefile\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.22.3 log created on 03212011_190510

mooglechan
Novice

Posts : 49
Joined : 2009-12-21
OS : Windows Vista
Points : 26030
# Likes : 0

Re: OTL not working

Post by Gabethebabe on Tue Mar 22, 2011 11:23 am

That was a glorious massacre of malware.

How is your computer running now? You notice anything weird still?

If possible, we run another scan. We haven't finished yet.

This time we use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit [You must be registered and logged in to see this link.] and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Doubleclick ComboFix.exe to run the tool. Please post its log back here.


Gabethebabe
Top Dog

Posts : 1568
Joined : 2010-03-07
Gender : Male
OS : Win7
Points : 38208
# Likes : 0

Re: OTL not working

Post by mooglechan on Tue Mar 22, 2011 2:21 pm

Yes! It's incredible how smoothly my computer is running all of a sudden, compared to how much it was freaking out with all the pop-ups and alerts initially.

The only thing I'm noticing is a few advertisements popped up while I was using Mozilla just now but they didn't come back once I closed them.

Also, I'm encountering that same problem I had with running applications again. I tried downloading ComboFix to my desktop but that error message pops up again: "ComboFix.exe is not a valid Win32 application."

So I'll run it through my flash drive like I did with OTL. I'll post the log in a minute. BRB

mooglechan
Novice

Posts : 49
Joined : 2009-12-21
OS : Windows Vista
Points : 26030
# Likes : 0

Re: OTL not working

Post by mooglechan on Tue Mar 22, 2011 2:46 pm

Alrighty, here's the log:

ComboFix 11-03-21.02 - User 03/22/2011 7:35.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.761 [GMT -7:00]
Running from: E:\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Application Data\Adobe\plugs
c:\windows\system32\comsats.sys
c:\windows\system32\Install.txt
c:\windows\system32\Nwsapagents.dll
c:\windows\system32\service.sys
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NWSAPAGENT
-------\Service_Nwsapagent
.
.
((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))
.
.
2011-03-22 02:05 . 2011-03-22 02:05 147968 ----a-w- c:\windows\parsesvcstream.exe
2011-03-22 02:03 . 2011-03-22 02:03 -------- d-----w- c:\documents and settings\Administrator
2011-03-20 01:31 . 2011-03-20 01:31 -------- d--h--w- c:\windows\PIF
2011-03-20 01:11 . 2011-03-20 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2011-03-20 01:11 . 2011-03-20 01:11 -------- d-----w- c:\program files\McAfee Security Scan
2011-03-20 01:10 . 2011-03-20 01:10 -------- d-----w- c:\program files\Common Files\Java
2011-03-20 01:10 . 2011-02-03 04:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-20 01:10 . 2011-02-03 04:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-20 01:04 . 2011-03-20 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-03-20 00:28 . 2011-03-20 00:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-03-20 00:19 . 2011-03-20 00:19 62496 ----a-w- c:\windows\system32\MSWINSCK.OCX
2011-03-20 00:18 . 2011-03-20 00:18 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12}
2011-03-20 00:14 . 2011-03-20 00:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-03-11 15:22 . 2011-03-11 15:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-03 02:19 . 2010-01-12 15:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
"nwiz"="nwiz.exe" [2006-05-01 1519616]
"NVHotkey"="nvHotkey.dll" [2006-05-01 73728]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 3:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qf44x5cv.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [You must be registered and logged in to see this link.] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {051D3ACE-2713-4BA7-B11C-B18DE29BBB12} - c:\documents and settings\User\Local Settings\Application Data\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12}
FF - Ext: Move Media Player: [You must be registered and logged in to see this link.] - c:\documents and settings\User\Application Data\Move Networks
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-03-22 07:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(2252)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-03-22 07:45:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-22 14:44
.
Pre-Run: 60,447,039,488 bytes free
Post-Run: 61,282,521,088 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 18A9BDCD581FE54C748F070F21B6D12E

mooglechan
Novice

Posts : 49
Joined : 2009-12-21
OS : Windows Vista
Points : 26030
# Likes : 0

Re: OTL not working

Post by Gabethebabe on Wed Mar 23, 2011 6:50 pm

More malware slaughtered.

We're not done yet though; you still have Google redirects. We'll take care of it with a ComboFix script.

  • Please create a new text file in Notepad with the following contents:
    KILLALL::
    File::
    c:\windows\parsesvcstream.exe

    Folder::
    c:\documents and settings\User\Local Settings\Application Data\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12}

    Reglock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

    FireFox::
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qf44x5cv.default\
    FF - Ext: XULRunner: {051D3ACE-2713-4BA7-B11C-B18DE29BBB12} - c:\documents and settings\User\Local Settings\Application Data\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12}
  • Save that file as CFScript.txt on your desktop
  • Drag and drop the CFScript.txt onto the ComboFix icon, as shown in the animation below.

  • If done correctly, ComboFix will start and perform specific instructions
  • In doing so, ComboFix may request a reboot
  • Please post the contents of Combofix.txt in your next reply


====================

Please download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.].

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
  • If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
  • Click OK to either and let MBAM proceed with the disinfection process.
  • If asked to restart the computer, please do so immediately.

Post the contents of the MBAM log in your next reply, please.


Re: OTL not working

Post by mooglechan on Thu Mar 24, 2011 2:37 am

I've already installed Malwarebytes--I got all paranoid and downloaded it as soon as the pop-ups went away. Hehe.

And here is the log:

ComboFix 11-03-23.04 - User 03/23/2011 19:07:37.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.667 [GMT -7:00]
Running from: E:\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: Outpost Security Suite *Disabled/Updated* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
FW: Outpost Security Suite *Enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.
FILE ::
"c:\windows\parsesvcstream.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Local Settings\Application Data\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12}
c:\documents and settings\User\Local Settings\Application Data\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12}\chrome.manifest
c:\documents and settings\User\Local Settings\Application Data\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12}\chrome\content\_cfg.js
c:\documents and settings\User\Local Settings\Application Data\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12}\chrome\content\overlay.xul
c:\documents and settings\User\Local Settings\Application Data\{051D3ACE-2713-4BA7-B11C-B18DE29BBB12}\install.rdf
c:\windows\system32\tukdtjsr.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-02-24 to 2011-03-24 )))))))))))))))))))))))))))))))
.
.
2011-03-23 15:54 . 2011-03-23 15:54 -------- d-----w- C:\$AVG
2011-03-22 16:23 . 2011-02-02 23:04 242040 ----a-w- c:\windows\system32\drivers\VBEngNT.sys
2011-03-22 16:23 . 2011-02-02 22:52 710824 ----a-w- c:\windows\system32\drivers\SandBox.sys
2011-03-22 16:23 . 2010-09-27 22:40 267624 ----a-w- c:\windows\system32\drivers\afwcore.sys
2011-03-22 16:22 . 2010-04-20 22:05 34280 ----a-w- c:\windows\system32\drivers\afw.sys
2011-03-22 16:22 . 2011-03-24 01:49 -------- d-----w- c:\windows\system32\Filt
2011-03-22 16:22 . 2011-03-22 16:22 -------- d-----w- c:\documents and settings\User\Application Data\Agnitum
2011-03-22 16:22 . 2011-03-22 16:22 -------- d-----w- c:\program files\Agnitum
2011-03-22 16:22 . 2011-03-22 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2011-03-22 16:21 . 2011-03-22 16:21 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-03-22 16:20 . 2011-03-22 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-22 16:20 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-22 16:20 . 2011-03-22 16:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-22 16:20 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-22 16:19 . 2011-03-22 16:19 -------- d-----w- c:\documents and settings\User\Application Data\AVG10
2011-03-22 15:42 . 2011-03-22 15:42 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-22 15:40 . 2011-03-24 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-22 15:31 . 2011-03-22 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-22 15:28 . 2011-03-22 16:30 -------- d-----w- c:\windows\SxsCaPendDel
2011-03-22 02:03 . 2011-03-22 02:03 -------- d-----w- c:\documents and settings\Administrator
2011-03-20 01:31 . 2011-03-20 01:31 -------- d--h--w- c:\windows\PIF
2011-03-20 01:10 . 2011-03-20 01:10 -------- d-----w- c:\program files\Common Files\Java
2011-03-20 01:10 . 2011-02-03 04:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-20 01:10 . 2011-02-03 04:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-20 01:04 . 2011-03-20 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-03-20 00:28 . 2011-03-20 00:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-03-20 00:19 . 2011-03-20 00:19 62496 ----a-w- c:\windows\system32\MSWINSCK.OCX
2011-03-20 00:14 . 2011-03-20 00:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-03-11 15:22 . 2011-03-11 15:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-03 02:19 . 2010-01-12 15:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 07:02 . 2009-07-12 07:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2007-11-07 09:19 . 2007-11-07 09:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 13:07 . 2008-07-29 13:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2011-03-24 02:28 . 2011-03-24 02:28 16384 c:\windows\temp\Perflib_Perfdata_5d0.dat
+ 2010-01-12 15:25 . 2011-03-24 01:40 17882 c:\windows\system32\nvModes.dat
- 2010-01-12 15:25 . 2010-05-31 16:42 17882 c:\windows\system32\nvModes.dat
+ 2011-03-22 16:23 . 2011-02-02 22:51 36288 c:\windows\system32\Filt\VBFilt.dll
+ 2011-03-22 16:23 . 2011-02-02 22:51 72352 c:\windows\system32\Filt\ASWFilt.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 07:05 . 2009-07-12 07:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 10:54 . 2008-07-29 10:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2011-03-22 16:23 . 2010-11-06 02:21 971072 c:\windows\system32\Filt\vbcorent.sys
+ 2011-03-22 16:23 . 2011-03-22 16:23 228352 c:\windows\Installer\5d1116.msi
+ 2011-03-22 15:40 . 2011-03-22 15:40 219648 c:\windows\Installer\2131eb.msi
+ 2009-07-12 07:02 . 2009-07-12 07:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 07:02 . 2009-07-12 07:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 15:05 . 2008-07-29 15:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2011-03-22 16:23 . 2010-10-19 22:19 1141408 c:\windows\system32\Filt\vbcorent.dll
+ 2011-03-22 15:42 . 2011-03-22 15:42 3277312 c:\windows\Installer\2131f3.msi
+ 2011-03-22 15:40 . 2011-03-22 15:40 1611776 c:\windows\Installer\2131ef.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Outpost]
@="{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
[HKEY_CLASSES_ROOT\CLSID\{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}]
2011-02-07 21:14 468128 ----a-w- c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
"nwiz"="nwiz.exe" [2006-05-01 1519616]
"NVHotkey"="nvHotkey.dll" [2006-05-01 73728]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2011-02-07 3107736]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Security Suite Free\feedback.exe" [2011-02-07 517056]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\User\Application Data\Dropbox\bin\Dropbox.exe [2011-1-26 23361424]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 22:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [3/22/2011 9:23 AM 710824]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [3/22/2011 9:22 AM 2072592]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [3/22/2011 9:22 AM 34280]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [3/22/2011 9:23 AM 267624]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [3/22/2011 9:23 AM 72352]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 3:00 AM 14336]
S3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [3/22/2011 9:23 AM 242040]
S3 VBFilt;VBFilt;c:\windows\system32\Filt\VBFilt.dll [3/22/2011 9:23 AM 36288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qf44x5cv.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-03-23 19:28
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1540)
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(2696)
c:\windows\system32\WININET.dll
c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-03-23 19:33:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-24 02:31
ComboFix2.txt 2011-03-22 14:45
.
Pre-Run: 60,612,014,080 bytes free
Post-Run: 60,624,457,728 bytes free
.
- - End Of File - - 654ED40D00CFB31B8F8862F0A6788A7B


Re: OTL not working

Post by Gabethebabe on Thu Mar 24, 2011 7:47 am

Almost there. Still would like to see a mbam log.

Please open Malwarebytes Anti Malware, click the Update tab and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan and click Scan. Please post the resulting log in your next reply.


Re: OTL not working

Post by mooglechan on Thu Mar 24, 2011 3:27 pm

Oh darn! It says I have 6 injected objects. =(

Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 6153

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/24/2011 8:26:38 AM
mbam-log-2011-03-24 (08-26-33).txt

Scan type: Quick scan
Objects scanned: 146366
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1 (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\MSWinsock.Winsock (Worm.Nyxem) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> No action taken.


Re: OTL not working

Post by Gabethebabe on Fri Mar 25, 2011 1:10 pm

Moar infections. We'll get rid of it with Combofix.

  • Please create a new text file in Notepad with the following contents:
    KILLALL::

    File::
    c:\WINDOWS\system32\MSWINSCK.OCX

    Registry::
    [-HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
    [-HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}]
    [-HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}]
    [-HKEY_CLASSES_ROOT\MSWinsock.Winsock.1]
    [-HKEY_CLASSES_ROOT\MSWinsock.Winsock]
  • Save that file as CFScript.txt on your desktop
  • Drag and drop the CFScript.txt onto the ComboFix icon, as shown in the animation below.

  • If done correctly, ComboFix will start and perform specific instructions
  • In doing so, ComboFix may request a reboot
  • Please post the contents of Combofix.txt in your next reply


====================

This combofix script will delete the infected file (mswinsck.ocx). However, it is a legit file and you might need it.
So you need to download a clean copy of it, which you can do from [You must be registered and logged in to see this link.].
After downloading mswinsck.ocx, copy it to the following folder: c:\WINDOWS\system32

After copying the file into the system32 folder, we will need to register the new file in the following way:

Open Notepad and create a file with the following contents:

regsvr32 c:\windows\system32\mswinsck.ocx
  • Save it as "register.bat" (include the quotes) on your desktop.
  • Double click it to run. A black DOS window will open and close - this is normal.
  • If this went well, delete register.bat and restart your computer.


====================

Since you have been suffering from various different infections, we will run another scanner, this time ESET Online Scanner.
Please make sure you are logged in as a user with administrator rights and proceed with the following steps:

  • Use Internet Explorer to browse to the [You must be registered and logged in to see this link.]
  • Click the green ESET Online Scanner button
  • A popup window will open
  • Accept the terms of use and click Start
  • Internet Explorer probably informs you that ESET tries to install an add-on. Allow that.
  • UNSELECT the Remove all threats option.
  • Click Start
  • When the scan has finished and threats were found, click List of found threats
  • Click Export to text file and save it as e.g. eset.txt on your desktop
  • Click Back
  • Select Uninstall application on close
  • Click Finish. ESET Online Scanner will now uninstall itself
  • Please post the contents of the eset.txt in your next reply.
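
A check worth doing before handing a CFScript like the one above (or the earlier Folder::/Reglock::/FireFox:: script) to a user: parse the MBAM log and the CFScript and list every MBAM detection the script would not remove. This is an added Python example, not part of the thread and not ComboFix's or Malwarebytes' own code; the sample log and script are the ones quoted in this thread, embedded as constructed test data, and the CFScript section rules (a line ending in `::` opens a section, `[-KEY]` under Registry:: deletes KEY) are assumed from the scripts as posted.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the detections part of the MBAM log posted in the
# thread (header lines trimmed), used here as offline test data.
MBAM_LOG = r"""
Registry Keys Infected: 5
Registry Values Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1 (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\MSWinsock.Winsock (Worm.Nyxem) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> No action taken.
"""

# Constructed sample input: the CFScript the helper posted for that log.
CFSCRIPT = r"""
KILLALL::

File::
c:\WINDOWS\system32\MSWINSCK.OCX

Registry::
[-HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
[-HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}]
[-HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}]
[-HKEY_CLASSES_ROOT\MSWinsock.Winsock.1]
[-HKEY_CLASSES_ROOT\MSWinsock.Winsock]
"""

# One MBAM detection line: "<item> (<detection name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(log: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {section: [(item, detection_name, action), ...]} for each
    "... Infected:" detail section. Summary lines ("Files Infected: 1")
    carry a count after the colon and are skipped; detail headers end
    with a bare colon. "(No malicious items detected)" yields an empty list."""
    sections: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line closes the section
            continue
        if line.endswith(" Infected:"):
            current = line[:-1]
            sections[current] = []
            continue
        if current is None or line.startswith("("):
            continue
        m = DETECTION_RE.match(line)
        if m:
            sections[current].append((m["item"], m["name"], m["action"]))
    return sections


def parse_cfscript(script: str) -> Dict[str, List[str]]:
    """Return {section: [entry, ...]} for a CFScript (assumed rule: a line
    ending in "::" opens a section, e.g. KILLALL, File, Folder, Registry,
    Reglock, FireFox; following non-blank lines are its entries)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def registry_deletions(cf: Dict[str, List[str]]) -> set:
    """Keys the Registry:: section deletes: entries written as "[-KEY]"."""
    return {e[2:-1].lower() for e in cf.get("Registry", [])
            if e.startswith("[-") and e.endswith("]")}


def uncovered_detections(log: str, script: str) -> List[str]:
    """MBAM registry-key and file detections that the CFScript leaves alone.
    Comparison is case-insensitive, as Windows paths and key names are."""
    mbam = parse_mbam(log)
    cf = parse_cfscript(script)
    deleted_keys = registry_deletions(cf)
    deleted_files = {p.lower() for p in cf.get("File", [])}
    missing: List[str] = []
    for item, name, _action in mbam.get("Registry Keys Infected", []):
        if item.lower() not in deleted_keys:
            missing.append(f"registry key {item} ({name})")
    for item, name, _action in mbam.get("Files Infected", []):
        if item.lower() not in deleted_files:
            missing.append(f"file {item} ({name})")
    return missing


if __name__ == "__main__":
    for line in uncovered_detections(MBAM_LOG, CFSCRIPT) or ["script covers every detection"]:
        print(line)
```

The check only matches literal key names, so a script that addresses the same key through an alias (HKEY_LOCAL_MACHINE\SOFTWARE\Classes for HKEY_CLASSES_ROOT) would be reported as a gap and needs a manual look.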


Re: OTL not working

Post by mooglechan on Fri Mar 25, 2011 4:57 pm

These darn infections just don't end! @___@;;

Here's the ComboFix log:

ComboFix 11-03-24.06 - User 03/25/2011 9:03.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.639 [GMT -7:00]
Running from: E:\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: Outpost Security Suite *Disabled/Updated* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
FW: Outpost Security Suite *Enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.
FILE ::
"c:\windows\system32\MSWINSCK.OCX"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\MSWINSCK.OCX
.
.
((((((((((((((((((((((((( Files Created from 2011-02-25 to 2011-03-25 )))))))))))))))))))))))))))))))
.
.
2011-03-23 15:54 . 2011-03-23 15:54 -------- d-----w- C:\$AVG
2011-03-22 16:23 . 2011-02-02 23:04 242040 ----a-w- c:\windows\system32\drivers\VBEngNT.sys
2011-03-22 16:23 . 2011-02-02 22:52 710824 ----a-w- c:\windows\system32\drivers\SandBox.sys
2011-03-22 16:23 . 2010-09-27 22:40 267624 ----a-w- c:\windows\system32\drivers\afwcore.sys
2011-03-22 16:22 . 2010-04-20 22:05 34280 ----a-w- c:\windows\system32\drivers\afw.sys
2011-03-22 16:22 . 2011-03-25 02:05 -------- d-----w- c:\windows\system32\Filt
2011-03-22 16:22 . 2011-03-22 16:22 -------- d-----w- c:\documents and settings\User\Application Data\Agnitum
2011-03-22 16:22 . 2011-03-22 16:22 -------- d-----w- c:\program files\Agnitum
2011-03-22 16:22 . 2011-03-22 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2011-03-22 16:21 . 2011-03-22 16:21 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-03-22 16:20 . 2011-03-22 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-22 16:20 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-22 16:20 . 2011-03-22 16:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-22 16:20 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-22 16:19 . 2011-03-22 16:19 -------- d-----w- c:\documents and settings\User\Application Data\AVG10
2011-03-22 15:42 . 2011-03-22 15:42 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-03-22 15:40 . 2011-03-24 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-03-22 15:31 . 2011-03-22 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-22 15:28 . 2011-03-22 16:30 -------- d-----w- c:\windows\SxsCaPendDel
2011-03-22 02:03 . 2011-03-22 02:03 -------- d-----w- c:\documents and settings\Administrator
2011-03-20 01:31 . 2011-03-20 01:31 -------- d--h--w- c:\windows\PIF
2011-03-20 01:10 . 2011-03-20 01:10 -------- d-----w- c:\program files\Common Files\Java
2011-03-20 01:10 . 2011-02-03 04:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-20 01:10 . 2011-02-03 04:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-20 01:04 . 2011-03-20 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-03-20 00:28 . 2011-03-20 00:28 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-03-20 00:14 . 2011-03-20 00:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-03-11 15:22 . 2011-03-11 15:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-03 02:19 . 2010-01-12 15:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((( SnapShot_2011-03-24_02.29.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-25 16:09 . 2011-03-25 16:09 16384 c:\windows\temp\Perflib_Perfdata_600.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Outpost]
@="{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
[HKEY_CLASSES_ROOT\CLSID\{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}]
2011-02-07 21:14 468128 ----a-w- c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
"nwiz"="nwiz.exe" [2006-05-01 1519616]
"NVHotkey"="nvHotkey.dll" [2006-05-01 73728]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2011-02-07 3107736]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Security Suite Free\feedback.exe" [2011-02-07 517056]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\User\Application Data\Dropbox\bin\Dropbox.exe [2011-1-26 23361424]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 22:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [3/22/2011 9:23 AM 710824]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [3/22/2011 9:22 AM 2072592]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [3/22/2011 9:22 AM 34280]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [3/22/2011 9:23 AM 267624]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [3/22/2011 9:23 AM 72352]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 3:00 AM 14336]
S3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [3/22/2011 9:23 AM 242040]
S3 VBFilt;VBFilt;c:\windows\system32\Filt\VBFilt.dll [3/22/2011 9:23 AM 36288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\qf44x5cv.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-03-25 09:09
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1476)
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\WININET.dll
c:\documents and settings\User\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\Agnitum\Outpost Security Suite Free\op_shell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2011-03-25 09:12:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-25 16:12
ComboFix2.txt 2011-03-24 02:33
ComboFix3.txt 2011-03-22 14:45
.
Pre-Run: 60,578,893,824 bytes free
Post-Run: 60,569,460,736 bytes free
.
- - End Of File - - 5E53626F11873969A6E67E48777BD339


And the ESET scan log:

C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\12\4604e10c-20472e7a Java/TrojanDownloader.OpenStream.NBL trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Nwsapagents.dll.vir Win32/Agent.OLC trojan
C:\System Volume Information\_restore{44058384-97B5-4CC1-AECB-820BE2EA7A4D}\RP162\A0021389.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\System Volume Information\_restore{44058384-97B5-4CC1-AECB-820BE2EA7A4D}\RP162\A0021399.dll a variant of Win32/Kryptik.KNA trojan
C:\System Volume Information\_restore{44058384-97B5-4CC1-AECB-820BE2EA7A4D}\RP168\A0022349.exe a variant of Win32/Kryptik.LXY trojan

Thanks again SOOOO much for your help! You've been awesome!!

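The ComboFix excerpt above is the raw material a helper reads before signing a machine off. What follows is an added example, not part of the thread and not a ComboFix feature, that parses the registry-style sections of such a log and derives the same findings a helper checks by eye: the Java runtimes visible through their Firefox "Java Console" extension IDs (the GUID {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} encodes Java 1.6.0_24), the Security Center override values, and the state of the Windows Firewall. The embedded log is a constructed excerpt modelled on the posted one; the section matching, the `findings()` wording and the function names are the example's own.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread
# (section headers and value syntax as ComboFix prints them).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2011-02-07 3107736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")
DEC_HEX_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")
# Firefox "Java Console" extension IDs: {CAFEEFAC-00<family>-<minor>-<update>-ABCDEFFEDCBA}
JAVA_CONSOLE_RE = re.compile(r"\{CAFEEFAC-00(\d\d)-(\d{4})-(\d{4})-ABCDEFFEDCBA\}")


def parse_sections(log):
    """Return {section_header: {value_name: value}} for the registry-style
    blocks ComboFix prints: a [key] line, "name"=value lines, then a lone
    '.' terminator. Headers are lower-cased so callers can match loosely."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        if line == ".":
            current = None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            sections[current][m.group(1)] = _decode_value(m.group(2))
    return sections


def _decode_value(text):
    """Turn ComboFix's value renderings (dword:00000001, '0 (0x0)') into ints;
    anything else stays a string."""
    m = DWORD_RE.match(text)
    if m:
        return int(m.group(1), 16)
    m = DEC_HEX_RE.match(text)
    if m:
        return int(m.group(1))
    return text


def section_values(sections, needle):
    """Values of the first section whose (lower-cased) header contains needle."""
    needle = needle.lower()
    for header, values in sections.items():
        if needle in header:
            return values
    return {}


def java_console_versions(log):
    """Java runtimes visible through Firefox Java Console extension IDs,
    oldest first, e.g. ['1.6.0_17', '1.6.0_24']."""
    found = set()
    for family, minor, update in JAVA_CONSOLE_RE.findall(log):
        found.add((int(family) - 10, int(minor), int(update)))
    return ["1.%d.%d_%d" % v for v in sorted(found)]


def findings(log):
    """The checks a malware helper makes before signing a machine off."""
    notes = []
    sections = parse_sections(log)

    javas = java_console_versions(log)
    if len(javas) > 1:
        notes.append("multiple Java runtimes present (%s); uninstall all but %s"
                     % (", ".join(javas), javas[-1]))

    sc = section_values(sections, "security center")
    if sc.get("AntiVirusOverride") == 1:
        notes.append("AntiVirusOverride=1: Security Center will not warn about a "
                     "missing antivirus; confirm one is actually running")
    if sc.get("FirewallOverride") == 1:
        notes.append("FirewallOverride=1: Security Center will not warn about a "
                     "missing firewall; confirm one is actually running")

    fw = section_values(sections, r"firewallpolicy\standardprofile")
    if fw.get("EnableFirewall") == 0:
        notes.append("Windows Firewall is off in the standard profile; acceptable "
                     "only while a third-party firewall is installed and running")
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE_LOG):
        print("-", note)
```

Run against the posted log this reports exactly what the helper states in the next reply: two Java runtimes (update 17 and update 24) and a disabled Windows Firewall. The override flags and the disabled firewall are prompts to verify rather than verdicts: a third-party suite such as the Outpost install visible in the Run key sets them itself, which is consistent with the helper's later rule of running exactly one firewall.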

Re: OTL not working

Post by Gabethebabe on Sat Mar 26, 2011 10:01 pm

mooglechan wrote: These darn infections just don't end! @___@;;
Yes they do :)

Almost finished. Your computer is clean of active malware, but we need to eliminate it with root and twig.
First: it appears you have the correct version of java (update 24) installed, but also an older version (update 17). These are unsafe.

  • Go to Start > Control Panel
  • Double-click on Add or Remove Programs
  • Look for entries that say Java, Java RunTime Environment or J2SE.
  • Uninstall all of them that are not named Java (TM) 6 Update 24


After installing Java, go to Start > Control Panel > Java to open the Java Control Panel.
Under the General tab, Temporary Internet Files click Settings, then click Delete Files.
Select both options and click OK to delete the Java cache. ESET found something in your Java cache, this will get rid of it.

====================
Time to uninstall used tools.
  • Go to Start > Run and type or copy/paste Combofix /uninstall (note the space before the "/").
  • Double click OTL.exe to run it again and click the CleanUp button.
  • If we used any other tools and they still remain on your desktop, please delete them manually.



====================

Some of the malware we got rid of is still hidden in Windows system restore.
To make sure it never comes back, we need to make a new restore point and delete the old ones.

To turn off System Restore and delete old System Restore points, follow these steps:
  • Click Start, right-click My Computer, and then click Properties.
  • Click the System Restore tab.
  • Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
  • Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
  • Click Start, right-click My Computer, and then click Properties.
  • Click the System Restore tab.
  • Click the Turn off System Restore check box (to turn it back on), and then click OK.


====================

After doing all that I can officially declare that your computer is CLEAN.



====================

Alright! Now that we have you cleaned, we've got to make sure you stay clean.
Let me provide you with some recommendations:

1) Keep your Windows up-to-date. Windows Autoupdate should be ON (see Start >> Control Panel >> Security Center). An alternative way (but more time-consuming) is to periodically visit [You must be registered and logged in to see this link.]. Hackers are looking every day for new security holes. Microsoft keeps patching them. You cannot fall behind in this race, it will make your system vulnerable.

2) For your average daily computer activities, use a limited/standard user account. If you use Vista/WIN7 do not disable User Account Control (UAC). You would be amazed to know how much malware can't touch you if you deny it admin rights. Create a separate password-protected administrator account that you use for admin activities, like (un)installing software.

3) Use a good antivirus. There are various free ones, you cannot go wrong with either of the following three:
  • [You must be registered and logged in to see this link.]. If you want your antivirus to be light on resources, I recommend Panda. Install without the toolbar.
  • [You must be registered and logged in to see this link.]. 100 million users can't be wrong. If you want high detection rates, this is your best free bet.
  • [You must be registered and logged in to see this link.] is a very complete antivirus, with modules like mailscanner and webshield.

4) If your computer has 1GB system memory or more, you should install a third party firewall, to replace the weak Windows Firewall. I recommend:
  • [You must be registered and logged in to see this link.]. Install the internet security suite, but without the antivirus and without the Hopsurf toolbar.
  • [You must be registered and logged in to see this link.]. A very smart and user friendly firewall.
  • [You must be registered and logged in to see this link.] is another rocksolid choice.

Note: you should run only ONE antivirus and ONE firewall. Running multiples of either is bad, it will cause slowdowns and/or conflicts.

5) Miscellaneous advice:
  • Stay away from cracks and keygens (look [You must be registered and logged in to see this link.] for the why). Get free software instead. [You must be registered and logged in to see this link.] is an excellent source of freeware reviews.
  • Navigate safely. [You must be registered and logged in to see this link.] is the safest browser available. However, Mozilla Firefox can be made extremely safe with the [You must be registered and logged in to see this link.] addon. Internet Explorer (always use [You must be registered and logged in to see this link.]) can be made a lot safer with [You must be registered and logged in to see this link.] (manual [You must be registered and logged in to see this link.]).
  • The [You must be registered and logged in to see this link.] addon will help you to stay on reliable webpages.
  • [You must be registered and logged in to see this link.] alerts you when changes are made in vital system areas. Especially good on light systems not running a third party firewall.
  • Make sure you have ways to recuperate your operating system and vital other data if it gets frustrated by malware and/or other problems. A Windows setup CD and recent backups/disk images will be priceless, if you find yourself in an unexpected tight spot.

Finally: did we help you? [You must be registered and logged in to see this link.]!

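The verdict above ("clean of active malware, but we need to eliminate it with root and twig") comes from where each ESET hit sits: ComboFix's Qoobox quarantine, old System Restore points, or the Java deployment cache, none of which is executing code, and each of which the reply assigns its own cleanup step. Here is an added example, not part of the thread and not ESET's or ComboFix's own tooling, that applies that triage to the posted ESET lines plus one constructed "live" line (a made-up path and detection name, added only to exercise the "still active" branch). It assumes the line format of the posted log, "<path> [a variant of ]<Family/Name> <type>"; the category names and recommended actions are the example's own.

```python
import re

# The five detection lines posted in this thread (ESET online scanner
# format: "<path> [a variant of ]<Family/Name> <type>").
ESET_LOG_FROM_THREAD = r"""
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\12\4604e10c-20472e7a Java/TrojanDownloader.OpenStream.NBL trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Nwsapagents.dll.vir Win32/Agent.OLC trojan
C:\System Volume Information\_restore{44058384-97B5-4CC1-AECB-820BE2EA7A4D}\RP162\A0021389.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\System Volume Information\_restore{44058384-97B5-4CC1-AECB-820BE2EA7A4D}\RP162\A0021399.dll a variant of Win32/Kryptik.KNA trojan
C:\System Volume Information\_restore{44058384-97B5-4CC1-AECB-820BE2EA7A4D}\RP168\A0022349.exe a variant of Win32/Kryptik.LXY trojan
"""

# Constructed line (not from the thread; made-up path and detection name) so
# the "active" branch is exercised: a hit outside quarantine, restore points
# and the Java cache.
CONSTRUCTED_LIVE_HIT = (r"C:\Documents and Settings\User\Local Settings\Temp\example.tmp "
                        r"a variant of Example/Constructed.Sample trojan")

# Paths contain backslashes only, so the first token with a forward slash is
# the detection name; the optional "[probably ]a variant of" precedes it.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<qualifier>(?:probably )?a variant of\s+)?"
    r"(?P<detection>\S+/\S+)\s+(?P<type>\S+)$")


def parse_line(line):
    """Split one ESET log line into path, detection name and type, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"path": m.group("path"),
            "qualifier": (m.group("qualifier") or "").strip(),
            "detection": m.group("detection"),
            "type": m.group("type")}


def classify(path):
    """Map a detection's location to a category and the cleanup step the
    helper's reply prescribes for it."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return ("combofix_quarantine",
                "already neutralised by ComboFix; removed by 'ComboFix /uninstall'")
    if "\\system volume information\\_restore" in p:
        return ("restore_point",
                "inert unless restored; purge by turning System Restore off and back on")
    if "\\sun\\java\\deployment\\cache\\" in p:
        return ("java_cache",
                "downloaded by the Java plug-in; clear the cache from the Java Control Panel")
    return ("active",
            "outside any quarantine: treat as live, do not declare the machine clean")


def triage(log):
    """Parse and classify every non-empty line of an ESET log."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        row = parse_line(line)
        if row is None:
            rows.append({"path": line.strip(), "qualifier": "", "detection": "",
                         "type": "", "category": "unparsed", "action": "inspect by hand"})
            continue
        row["category"], row["action"] = classify(row["path"])
        rows.append(row)
    return rows


def active_detections(log):
    """Rows that block a 'clean' verdict."""
    return [row for row in triage(log) if row["category"] == "active"]


if __name__ == "__main__":
    for row in triage(ESET_LOG_FROM_THREAD + CONSTRUCTED_LIVE_HIT + "\n"):
        print("%-20s %-45s %s" % (row["category"], row["detection"], row["action"]))
    print("active detections:", len(active_detections(ESET_LOG_FROM_THREAD)))
```

On the five posted lines `active_detections()` is empty, which is the "clean of active malware" conclusion; the remaining rows map one-to-one onto the three follow-up steps in the reply (clear the Java cache, run ComboFix /uninstall, purge the restore points). The constructed line shows the case a helper must not wave through: a hit in a writable, non-quarantine location.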

Re: OTL not working

Post by mooglechan on Sun Mar 27, 2011 2:25 am

Gabethebabe, you are undoubtedly a ROCKSTAR. Thank you SOOOO SOOOOOO SOOOOOOOOO much for patiently helping me through this crisis! I will definitely heed your advice and work hard to keep my computer as safe as I possibly can!! Thank you again!!!! :D :D :D

♥♥♥MoogleChan *runs off to donate to GeekPolice*


Re: OTL not working

Post by Gabethebabe on Sun Mar 27, 2011 7:24 am

mooglechan wrote: *runs off to donate to GeekPolice*
Thanks :)

Good luck!

