Internet Explorer Script Error and ui.mevio.com virus??

**furyofdawolfx** · **furyofdawolfx** on 19th April 2011, 3:13 pm

Hello everyone,

I recently got the windows recovery virus but managed to clean it up manually (in my dell inspiron laptop). I thought everything was safe, but an "Internet Explorer Script Error" keeps popping up saying that "an error has occurred in the script on this page." and gives the URL: http://ui.mevio.com/static/js/combined/index.js?r=38360 and other random mevio links, like ww.mevio.com/channels/.....

Also, when I go to certain websites (like this one), I am directed to other websites. I did a scan with malwarebytes recently and managed to detect and ret rid of a few things. As of right now, Malwarebytes and Spybot does not detect anything. Here are my logs:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10:32:16 AM, on 4/19/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\system32\rundll32.exe
C:\WINDOWS2\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS2\OEM02Mon.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS2\system32\nvsvc32.exe
C:\WINDOWS2\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS2\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
From Jijack this:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://doom9.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS2\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS2\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS2\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS2\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS2\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS2\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS2\OEM02Mon.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DLADiag] C:\WINDOWS2\DLADiag.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS2\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS2\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS2\system32\nvsvc32.exe
O23 - Service: Windows Presentation Foundation Font Cache 4.0.0.0 (WPFFontCache_v0400) - Unknown owner - C:\WINDOWS2\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (file missing)

--
End of file - 6556 bytes

and just in case you want to see it, here are my logs from Malwarebytes earlier when I was able to detect infected areas:
Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18702

4/17/2011 7:30:07 PM
mbam-log-2011-04-17 (19-30-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 255238
Time elapsed: 2 hour(s), 35 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

4/19/2011 12:24:16 AM
mbam-log-2011-04-19 (00-24-16).txt

Scan type: Quick scan
Objects scanned: 152783
Time elapsed: 10 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\antonio\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\antonio\Local Settings\Temp\ip5uen.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\antonio\Local Settings\Temp\ffbkr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\antonio\Local Settings\Temp\a8g19648.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Thanks

**furyofdawolfx** · **furyofdawolfx** on 19th April 2011, 3:14 pm

the link I am redirected to when going to GeekPolice is "autoelectric.us/

**Belahzur** · **Belahzur** on 19th April 2011, 7:56 pm

Hello.

Download OTL by OldTimer to your Desktop.

Close all windows and double click OTL.exe
Click Run Scan and let the program run uninterrupted
It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
You may need to use two posts to get it all.

**furyofdawolfx** · **furyofdawolfx** on 19th April 2011, 8:44 pm

OTL logfile created on: 4/19/2011 4:10:30 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 642.00 Mb Available Physical Memory | 63.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS2 | %ProgramFiles% = C:\Program Files
Drive C: | 105.97 Gb Total Space | 13.41 Gb Free Space | 12.66% Space Free | Partition Type: NTFS

Computer Name: ANTONIO-LAPTOP | User Name: Antonio | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/19 16:08:24 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Desktop\OTL.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2007/07/03 14:57:38 | 001,228,800 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2007/05/10 10:22:32 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe
PRC - [2007/05/10 01:01:00 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS2\OEM02Mon.exe
PRC - [2007/04/16 16:10:26 | 000,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
PRC - [2004/08/03 18:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS2\explorer.exe

========== Modules (SafeList) ==========

MOD - [2011/04/19 16:08:24 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Desktop\OTL.exe
MOD - [2004/08/03 18:57:02 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS2\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (WPFFontCache_v0400)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)

========== Driver Services (SafeList) ==========

DRV - [2007/10/11 01:03:00 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS2\system32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2007/08/12 20:05:34 | 002,211,456 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS2\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel(R)
DRV - [2007/07/16 22:26:46 | 000,989,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS2\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/07/16 22:26:46 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS2\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2007/07/16 22:26:46 | 000,209,152 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS2\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2007/07/10 16:22:22 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS2\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/07/10 16:22:20 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS2\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/07/10 16:22:18 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS2\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/06/08 01:00:02 | 000,141,376 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS2\system32\drivers\OEM02Afx.sys -- (OEM02Afx)
DRV - [2007/05/10 10:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS2\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/03/05 18:45:04 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS2\system32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2006/11/21 04:25:44 | 000,045,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS2\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/08/18 15:17:40 | 000,033,592 | ---- | M] (Roxio) [File_System | System | Stopped] -- C:\WINDOWS2\system32\drivers\DLADHK_M.SYS -- (DLADHK_M)
DRV - [2006/08/11 12:35:20 | 000,013,688 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS2\system32\drivers\DLADiagM.SYS -- (DLADiagM)
DRV - [2006/08/11 12:35:18 | 000,030,744 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS2\system32\drivers\DLAPMonM.SYS -- (DLAPMonM)
DRV - [2006/08/11 12:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS2\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2005/08/12 17:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS2\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2001/07/13 13:56:14 | 000,014,976 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS2\system32\drivers\SBKUPNT.SYS -- (SBKUPNT)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS2\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS2\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

[2011/04/19 00:24:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2001/08/23 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS2\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [DELL Webcam Manager] C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [DLADiag] File not found
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS2\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS2\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS2\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS2\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS2\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS2\System32\nwiz.exe ()
O4 - HKLM..\Run: [OEM02Mon.exe] C:\WINDOWS2\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS2\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS2\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Value error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS2\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/03 18:56:48 | 000,588,800 | RH-- | M] (Microsoft Corporation) - C:\AUTOCHK.EXE -- [ NTFS ]
O32 - AutoRun File - [2004/08/03 18:56:48 | 000,188,711 | RH-- | M] () - C:\AUTOCONV.EX_ -- [ NTFS ]
O32 - AutoRun File - [2001/08/23 08:00:00 | 000,029,413 | RH-- | M] () - C:\AUTODISC.DL_ -- [ NTFS ]
O32 - AutoRun File - [2004/08/10 15:04:08 | 000,000,000 | RH-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/08/23 08:00:00 | 000,000,860 | RH-- | M] () - C:\AUTOEXEC.NT_ -- [ NTFS ]
O32 - AutoRun File - [2004/08/03 18:56:48 | 000,580,608 | RH-- | M] (Microsoft Corporation) - C:\AUTOFMT.EXE -- [ NTFS ]
O32 - AutoRun File - [2004/08/03 18:56:48 | 000,005,630 | RH-- | M] () - C:\AUTOLFN.EX_ -- [ NTFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/19 16:09:51 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Desktop\OTL.exe
[2011/04/18 02:37:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Recent
[2011/04/17 21:15:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Application Data\U3
[3 C:\WINDOWS2\*.tmp files -> C:\WINDOWS2\*.tmp -> ]
[1 C:\WINDOWS2\System32\*.tmp files -> C:\WINDOWS2\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/19 16:11:04 | 000,392,332 | ---- | M] () -- C:\WINDOWS2\System32\perfh009.dat
[2011/04/19 16:11:04 | 000,058,866 | ---- | M] () -- C:\WINDOWS2\System32\perfc009.dat
[2011/04/19 16:09:50 | 000,028,029 | ---- | M] () -- C:\WINDOWS2\System32\nvModes.001
[2011/04/19 16:08:24 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Desktop\OTL.exe
[2011/04/19 16:06:27 | 000,169,472 | ---- | M] () -- C:\WINDOWS2\System32\nvapps.xml
[2011/04/19 16:06:25 | 000,000,884 | ---- | M] () -- C:\WINDOWS2\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/19 16:06:22 | 000,002,048 | ---- | M] () -- C:\WINDOWS2\bootstat.dat
[2011/04/19 13:48:05 | 000,000,888 | ---- | M] () -- C:\WINDOWS2\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/19 13:31:01 | 000,001,406 | -HS- | M] () -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Local Settings\Application Data\a27kergolj662qtpkf4m1urlv21e5m4i5l4ibv
[2011/04/19 13:31:01 | 000,001,406 | -HS- | M] () -- C:\Documents and Settings\All Users.WINDOWS2\Application Data\a27kergolj662qtpkf4m1urlv21e5m4i5l4ibv
[2011/04/19 10:32:03 | 000,002,475 | ---- | M] () -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Desktop\HiJackThis.lnk
[2011/04/18 23:55:47 | 000,001,736 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS2\Desktop\Adobe Reader X.lnk
[2011/04/18 21:12:35 | 000,000,405 | RH-- | M] () -- C:\boot.ini
[2011/04/17 21:12:22 | 001,006,778 | ---- | M] () -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Desktop\iExplore.exe
[2011/04/17 16:47:22 | 000,000,328 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS2\Application Data\18145076
[2011/04/17 02:41:56 | 000,159,744 | ---- | M] () -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/14 20:07:31 | 000,002,206 | ---- | M] () -- C:\WINDOWS2\System32\wpa.dbl
[2011/04/03 23:08:49 | 000,002,139 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS2\Desktop\iTunes.lnk
[3 C:\WINDOWS2\*.tmp files -> C:\WINDOWS2\*.tmp -> ]
[1 C:\WINDOWS2\System32\*.tmp files -> C:\WINDOWS2\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/19 13:30:54 | 000,001,406 | -HS- | C] () -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Local Settings\Application Data\a27kergolj662qtpkf4m1urlv21e5m4i5l4ibv
[2011/04/19 13:30:54 | 000,001,406 | -HS- | C] () -- C:\Documents and Settings\All Users.WINDOWS2\Application Data\a27kergolj662qtpkf4m1urlv21e5m4i5l4ibv
[2011/04/17 21:17:35 | 001,006,778 | ---- | C] () -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Desktop\iExplore.exe
[2011/04/17 16:47:22 | 000,000,328 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS2\Application Data\18145076
[2010/10/17 01:05:33 | 000,014,976 | ---- | C] () -- C:\WINDOWS2\System32\drivers\SBKUPNT.SYS
[2010/10/17 01:05:33 | 000,013,312 | ---- | C] () -- C:\WINDOWS2\System32\DEVLOAD.EXE
[2010/10/17 01:05:31 | 000,000,543 | ---- | C] () -- C:\WINDOWS2\SWISV3.INI
[2010/10/17 01:05:20 | 000,000,288 | ---- | C] () -- C:\WINDOWS2\SKNIFE.INI
[2010/10/17 01:04:45 | 000,002,799 | ---- | C] () -- C:\WINDOWS2\SKLANG.INI
[2010/10/03 00:07:04 | 000,000,042 | ---- | C] () -- C:\WINDOWS2\wininit.ini
[2010/10/02 23:57:23 | 000,198,144 | ---- | C] () -- C:\WINDOWS2\System32\_psisdecd.dll
[2010/10/02 14:47:05 | 000,000,076 | ---- | C] () -- C:\WINDOWS2\CT4CET.bin
[2010/09/28 19:58:52 | 000,001,917 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS2\Application Data\LUInstall.LiveUpdate
[2010/09/26 19:28:10 | 000,000,379 | ---- | C] () -- C:\WINDOWS2\ODBC.INI
[2010/09/26 10:43:09 | 000,159,744 | ---- | C] () -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/26 10:11:30 | 000,028,029 | ---- | C] () -- C:\WINDOWS2\System32\nvModes.dat
[2010/09/26 09:51:40 | 001,626,112 | ---- | C] () -- C:\WINDOWS2\System32\nwiz.exe
[2010/09/26 09:51:39 | 001,703,936 | ---- | C] () -- C:\WINDOWS2\System32\nvwdmcpl.dll
[2010/09/26 09:51:39 | 001,019,904 | ---- | C] () -- C:\WINDOWS2\System32\nvwimg.dll
[2010/09/26 09:51:37 | 000,466,944 | ---- | C] () -- C:\WINDOWS2\System32\nvshell.dll
[2010/09/26 09:51:35 | 001,482,752 | ---- | C] () -- C:\WINDOWS2\System32\nview.dll
[2010/09/26 09:51:34 | 001,339,392 | ---- | C] () -- C:\WINDOWS2\System32\nvdspsch.exe
[2010/09/26 09:51:28 | 000,442,368 | ---- | C] () -- C:\WINDOWS2\System32\nvappbar.exe
[2010/09/26 09:51:26 | 000,425,984 | ---- | C] () -- C:\WINDOWS2\System32\keystone.exe
[2010/09/19 22:47:22 | 000,002,048 | ---- | C] () -- C:\WINDOWS2\bootstat.dat
[2010/09/19 22:20:23 | 000,021,640 | ---- | C] () -- C:\WINDOWS2\System32\emptyregdb.dat
[2010/09/19 16:30:26 | 000,004,205 | ---- | C] () -- C:\WINDOWS2\ODBCINST.INI
[2010/09/19 16:26:57 | 000,244,720 | ---- | C] () -- C:\WINDOWS2\System32\FNTCACHE.DAT
[2010/05/24 15:33:00 | 001,529,856 | ---- | C] () -- C:\WINDOWS2\System32\ff_samplerate.dll
[2010/05/24 15:33:00 | 001,447,921 | ---- | C] () -- C:\WINDOWS2\System32\ffmpegmt.dll
[2010/05/24 15:33:00 | 000,810,113 | ---- | C] () -- C:\WINDOWS2\System32\xvidcore.dll
[2010/05/24 15:33:00 | 000,336,384 | ---- | C] () -- C:\WINDOWS2\System32\ff_libfaad2.dll
[2010/05/24 15:33:00 | 000,324,096 | ---- | C] () -- C:\WINDOWS2\System32\TomsMoComp_ff.dll
[2010/05/24 15:33:00 | 000,248,320 | ---- | C] () -- C:\WINDOWS2\System32\ff_kernelDeint.dll
[2010/05/24 15:33:00 | 000,216,576 | ---- | C] () -- C:\WINDOWS2\System32\ff_libdts.dll
[2010/05/24 15:33:00 | 000,151,552 | ---- | C] () -- C:\WINDOWS2\System32\ff_libmad.dll
[2010/05/24 15:33:00 | 000,145,408 | ---- | C] () -- C:\WINDOWS2\System32\libmpeg2_ff.dll
[2010/05/24 15:33:00 | 000,121,856 | ---- | C] () -- C:\WINDOWS2\System32\ff_liba52.dll
[2010/05/24 15:33:00 | 000,116,736 | ---- | C] () -- C:\WINDOWS2\System32\ff_tremor.dll
[2010/05/24 15:33:00 | 000,097,792 | ---- | C] () -- C:\WINDOWS2\System32\ff_unrar.dll
[2010/05/19 16:59:20 | 000,150,528 | ---- | C] () -- C:\WINDOWS2\System32\mkx.dll
[2010/05/19 16:59:10 | 000,109,568 | ---- | C] () -- C:\WINDOWS2\System32\avi.dll
[2010/05/19 16:59:02 | 000,141,824 | ---- | C] () -- C:\WINDOWS2\System32\mp4.dll
[2010/05/19 16:58:52 | 000,123,392 | ---- | C] () -- C:\WINDOWS2\System32\ogm.dll
[2010/05/19 16:58:24 | 000,113,152 | ---- | C] () -- C:\WINDOWS2\System32\dsmux.exe
[2010/05/19 16:58:18 | 000,154,112 | ---- | C] () -- C:\WINDOWS2\System32\ts.dll
[2010/05/19 16:58:08 | 000,249,856 | ---- | C] () -- C:\WINDOWS2\System32\dxr.dll
[2010/05/19 16:57:42 | 000,097,792 | ---- | C] () -- C:\WINDOWS2\System32\avs.dll
[2010/05/19 16:57:38 | 000,137,728 | ---- | C] () -- C:\WINDOWS2\System32\mkv2vfr.exe
[2010/05/19 16:57:26 | 000,093,184 | ---- | C] () -- C:\WINDOWS2\System32\avss.dll
[2010/05/19 16:57:20 | 000,358,400 | ---- | C] () -- C:\WINDOWS2\System32\gdsmux.exe
[2010/05/19 16:55:40 | 000,080,384 | ---- | C] () -- C:\WINDOWS2\System32\mkzlib.dll
[2010/05/19 16:55:36 | 000,024,576 | ---- | C] () -- C:\WINDOWS2\System32\mkunicode.dll
[2009/08/11 17:21:26 | 000,087,552 | ---- | C] () -- C:\WINDOWS2\System32\ac3config.exe
[2009/06/07 12:24:04 | 000,180,224 | ---- | C] () -- C:\WINDOWS2\System32\xvidvfw.dll
[2009/01/10 18:15:44 | 000,159,744 | ---- | C] () -- C:\WINDOWS2\System32\mmfinfo.dll
[2008/11/06 11:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS2\System32\qt-dx331.dll
[2007/12/20 03:16:30 | 000,016,480 | ---- | C] () -- C:\WINDOWS2\System32\rixdicon.dll
[2007/10/13 05:30:20 | 000,000,137 | ---- | C] () -- C:\WINDOWS2\System32\Registration.ini
[2006/11/02 12:10:16 | 000,080,912 | ---- | C] () -- C:\WINDOWS2\System32\sherlock2.exe
[2004/08/03 19:07:22 | 000,001,788 | ---- | C] () -- C:\WINDOWS2\System32\Dcache.bin
[2004/08/02 08:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS2\System32\secupd.dat
[2004/07/17 05:36:38 | 000,027,440 | ---- | C] () -- C:\WINDOWS2\System32\drivers\secdrv.sys
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS2\System32\OUTLPERF.INI
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS2\System32\oembios.bin
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS2\System32\mlang.dat
[2001/08/23 08:00:00 | 000,392,332 | ---- | C] () -- C:\WINDOWS2\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS2\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS2\System32\dssec.dat
[2001/08/23 08:00:00 | 000,058,866 | ---- | C] () -- C:\WINDOWS2\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS2\System32\mib.bin
[2001/08/23 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS2\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS2\System32\oembios.dat
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS2\System32\noise.dat

< End of report >

**furyofdawolfx** · **furyofdawolfx** on 19th April 2011, 8:44 pm

OTL Extras logfile created on: 4/19/2011 4:10:30 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 642.00 Mb Available Physical Memory | 63.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS2 | %ProgramFiles% = C:\Program Files
Drive C: | 105.97 Gb Total Space | 13.41 Gb Free Space | 12.66% Space Free | Partition Type: NTFS

Computer Name: ANTONIO-LAPTOP | User Name: Antonio | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- (FrostWire Group)
"C:\Program Files\Dell\MediaDirect\PCMService.exe" = C:\Program Files\Dell\MediaDirect\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program -- (CyberLink Corp.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java(TM) 6 Update 23
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"CompuApps SwissKnife V3" = CompuApps SwissKnife V3
"Creative OEM002" = Laptop Integrated Webcam Driver (1.04.01.1011)
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"FrostWire" = FrostWire 4.21.1
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Media Player - Codec Pack" = Media Player Codec Pack 3.9.6
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"NVIDIA Drivers" = NVIDIA Drivers
"WIC" = Windows Imaging Component
"wxdevcpp" = wxDev-C++ Web-based Installer
"XP Codec Pack" = XP Codec Pack
"Xvid_is1" = Xvid 1.2.1 final uninstall

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/1/2011 10:39:15 PM | Computer Name = ANTONIO-LAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/5/2011 12:13:15 AM | Computer Name = ANTONIO-LAPTOP | Source = Bonjour Service | ID = 100
Description = 224: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 1/9/2011 1:06:05 PM | Computer Name = ANTONIO-LAPTOP | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash10k.ocx, version 10.1.85.3, fault address 0x000e5652.

Error - 1/9/2011 11:16:20 PM | Computer Name = ANTONIO-LAPTOP | Source = Application Error | ID = 1000
Description = Faulting application winword.exe, version 11.0.5604.0, faulting module
winword.exe, version 11.0.5604.0, fault address 0x001951a9.

Error - 1/13/2011 1:39:21 PM | Computer Name = ANTONIO-LAPTOP | Source = Bonjour Service | ID = 100
Description = 240: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 1/14/2011 12:57:09 AM | Computer Name = ANTONIO-LAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/14/2011 12:57:28 AM | Computer Name = ANTONIO-LAPTOP | Source = Bonjour Service | ID = 100
Description = 244: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 1/17/2011 12:52:33 AM | Computer Name = ANTONIO-LAPTOP | Source = Bonjour Service | ID = 100
Description = 244: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 1/21/2011 9:25:25 PM | Computer Name = ANTONIO-LAPTOP | Source = Bonjour Service | ID = 100
Description = mDNSCoreReceiveResponse: Received from 192.168.0.21:5353 25 21.0.168.192.in-addr.arpa.
PTR Jerrick-Es-iPhone.local.

Error - 1/21/2011 9:25:25 PM | Computer Name = ANTONIO-LAPTOP | Source = Bonjour Service | ID = 100
Description = mDNSCoreReceiveResponse: Unexpected conflict discarding 22 21.0.168.192.in-addr.arpa.
PTR antonio-laptop.local.

[ System Events ]
Error - 4/18/2011 2:44:52 AM | Computer Name = ANTONIO-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/18/2011 2:45:16 AM | Computer Name = ANTONIO-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/18/2011 2:47:53 AM | Computer Name = ANTONIO-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/18/2011 2:48:43 AM | Computer Name = ANTONIO-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/18/2011 2:50:46 AM | Computer Name = ANTONIO-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/18/2011 2:50:52 AM | Computer Name = ANTONIO-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/18/2011 3:13:58 AM | Computer Name = ANTONIO-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/18/2011 3:14:52 AM | Computer Name = ANTONIO-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/18/2011 3:21:10 AM | Computer Name = ANTONIO-LAPTOP | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 4/19/2011 4:11:36 PM | Computer Name = ANTONIO-LAPTOP | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

< End of report >

**Belahzur** · **Belahzur** on 20th April 2011, 9:37 pm

Hello.

Please run OTL.exe.

Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:OTL
[2011/04/19 13:30:54 | 000,001,406 | -HS- | C] () -- C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Local Settings\Application Data\a27kergolj662qtpkf4m1urlv21e5m4i5l4ibv
[2011/04/19 13:30:54 | 000,001,406 | -HS- | C] () -- C:\Documents and Settings\All Users.WINDOWS2\Application Data\a27kergolj662qtpkf4m1urlv21e5m4i5l4ibv
[2011/04/17 16:47:22 | 000,000,328 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS2\Application Data\18145076

:commands
[emptytemp]
[reboot]
Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
Click the red Run Fix button.
A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

**furyofdawolfx** · **furyofdawolfx** on 21st April 2011, 1:23 am

All processes killed
========== OTL ==========
C:\Documents and Settings\Antonio.ANTONIO-LAPTOP\Local Settings\Application Data\a27kergolj662qtpkf4m1urlv21e5m4i5l4ibv moved successfully.
C:\Documents and Settings\All Users.WINDOWS2\Application Data\a27kergolj662qtpkf4m1urlv21e5m4i5l4ibv moved successfully.
C:\Documents and Settings\All Users.WINDOWS2\Application Data\18145076 moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: All Users.WINDOWS2

User: antonio
->Temp folder emptied: 280365030 bytes
->Temporary Internet Files folder emptied: 17101270 bytes
->Java cache emptied: 4719087 bytes
->Flash cache emptied: 467316 bytes

User: Antonio.ANTONIO-LAPTOP
->Temp folder emptied: 409486 bytes
->Temporary Internet Files folder emptied: 57509628 bytes
->Java cache emptied: 950123 bytes
->Flash cache emptied: 206397 bytes

User: ANTONI~1~ANT

User: Default User
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56504 bytes

User: Default User.WINDOWS2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56504 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 10405076 bytes
->Flash cache emptied: 861 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 38888184 bytes
->Flash cache emptied: 3811 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 394.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 04202011_210758

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Also, a notepad document keeps popping out with this:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

Initially 2 of them came poped out but I was able to get rid of 1 by following instructions from this link: http://support.microsoft.com/kb/330132
Hope I can get rid of this.

**furyofdawolfx** · **furyofdawolfx** on 21st April 2011, 2:24 am

not sure if the last message was sent, but I got rid of the:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

but going to websites like this (with malware removal guides)in my laptop, still redirects me to other websites like flores.com or something random.

**Belahzur** · **Belahzur** on 21st April 2011, 7:45 pm

Hello.

Download combofix from here
Link 1

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
We need to disable your local AV (Anti-virus) before running Combofix.
See HERE for how to disable your AV.
Double click on ComboFix.exe.
Follow the prompts. NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes
Allow combofix to run
Post C:\combofix.txt back here.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

**furyofdawolfx** · **furyofdawolfx** on 22nd April 2011, 3:37 am

ComboFix 11-04-21.02 - Antonio 04/21/2011 23:20:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.777 [GMT -4:00]
Running from: c:\documents and settings\Antonio.ANTONIO-LAPTOP\Desktop\Combo-Fix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\invokesi.exe
c:\documents and settings\Antonio.ANTONIO-LAPTOP\Desktop\Internet Explorer.lnk
c:\documents and settings\Antonio.ANTONIO-LAPTOP\Templates\a27kergolj662qtpkf4m1urlv21e5m4i5l4ibv
C:\hosts
.
Infected copy of c:\windows2\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))
.
.
2011-04-21 01:07 . 2011-04-21 01:07 -------- d-----w- C:\_OTL
2011-04-18 01:15 . 2011-04-18 01:16 -------- d-----w- c:\documents and settings\Antonio.ANTONIO-LAPTOP\Application Data\U3
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-20 08:00 . 2007-05-24 13:03 17920 c:\dell\E-Center\bak\EULALauncher.exe
.
2007-05-11 09:06 . 2007-05-11 09:06 40048 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
2010-06-17 06:24 . 2010-06-17 06:24 40368 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
2006-10-03 17:37 . 2006-10-03 17:37 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
.
2006-10-03 17:35 . 2006-10-03 17:35 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
.
2003-09-14 02:36 . 2003-09-14 02:36 50688 c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
.
2006-11-05 17:22 . 2006-11-05 17:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\bak\RoxWatchTray9.exe
.
2007-12-20 07:45 . 2007-07-27 22:43 118784 c:\program files\Dell\Dell Webcam Manager\bak\DellWMgr.exe
2010-10-02 18:45 . 2007-07-27 20:43 118784 c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe
.
2007-12-20 07:56 . 2007-04-16 22:10 184320 c:\program files\Dell\MediaDirect\bak\PCMService.exe
2010-10-03 03:56 . 2007-04-16 20:10 184320 c:\program files\Dell\MediaDirect\PCMService.exe
.
2007-12-20 07:43 . 2007-07-03 19:57 1228800 c:\program files\Dell\QuickSet\bak\quickset.exe
2010-03-10 18:13 . 2007-07-03 18:57 1228800 c:\program files\Dell\QuickSet\quickset.exe
.
2007-10-10 00:56 . 2007-10-10 00:56 202544 c:\program files\Dell Support Center\bin\bak\sprtcmd.exe
2009-05-21 14:55 . 2009-05-21 14:55 206064 c:\program files\Dell Support Center\bin\sprtcmd.exe
.
2007-10-10 00:57 . 2007-10-10 00:57 16384 c:\program files\Dell Support Center\gs_agent\custom\bak\dsca.exe
.
2007-12-20 08:00 . 2007-12-20 08:00 1838592 c:\program files\Google\Google Desktop Search\bak\GoogleDesktop.exe
.
2007-07-25 22:30 . 2007-07-25 22:30 974848 c:\program files\Intel\Wireless\Bin\bak\ifrmewrk.exe
.
2007-07-25 22:32 . 2007-07-25 22:32 823296 c:\program files\Intel\Wireless\Bin\bak\ZCfgSvc.exe
.
2006-08-17 15:00 . 2006-08-17 15:00 1116920 c:\program files\Roxio\Drag-to-Disc\bak\DrgToDsc.exe
.
2007-12-20 07:16 . 2007-07-10 04:21 851968 c:\program files\Synaptics\SynTP\bak\SynTPEnh.exe
.
2007-11-09 01:18 . 2006-11-21 19:02 1807960 c:\program files\Trend Micro\Internet Security 14\bak\pccguide.exe
.
2008-01-26 05:38 . 2007-08-30 22:43 4670704 c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe
2008-03-02 04:15 . 2007-08-30 22:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
2007-12-20 07:17 . 2007-08-28 20:54 36864 c:\windows\bak\OEM02Mon.exe
.
2004-08-10 18:51 . 2004-08-04 11:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-10 18:51 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
.
2006-11-02 20:05 . 2006-11-02 20:05 282624 c:\windows\system32\bak\KADxMain.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVHotkey"="nvHotkey.dll" [2008-02-22 86016]
"NvCplDaemon"="c:\windows2\system32\NvCpl.dll" [2008-02-22 13508608]
"nwiz"="nwiz.exe" [2008-02-22 1626112]
"NvMediaCenter"="c:\windows2\system32\NvMcTray.dll" [2008-02-22 86016]
"SigmatelSysTrayApp"="%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe" [N/A]
"IMJPMIG8.1"="c:\windows2\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows2\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows2\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows2\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"OEM02Mon.exe"="c:\windows2\OEM02Mon.exe" [2007-05-10 36864]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"DLADiag"="c:\windows2\DLADiag.EXE" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\documents and settings\antonio\Start Menu\Programs\Startup\
Warner Bros.lnk - c:\program files\Warner Bros. Digital Copy Manager\Warner Bros. Digital Copy Manager.exe [2010-7-3 142336]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
.
R1 DLADiagM;DLADiagM;c:\windows2\system32\drivers\DLADiagM.SYS [10/3/2010 12:07 AM 13688]
R1 DLAPMonM;DLAPMonM;c:\windows2\system32\drivers\DLAPMonM.SYS [10/3/2010 12:07 AM 30744]
R2 SBKUPNT;SBKUPNT;c:\windows2\system32\drivers\SBKUPNT.SYS [10/17/2010 1:05 AM 14976]
S1 DLADHK_M;DLADHK_M;c:\windows2\system32\drivers\DLADHK_M.SYS [10/3/2010 12:07 AM 33592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 8:11 PM 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows2\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows2\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2010-09-29 c:\windows2\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-04-22 c:\windows2\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:11]
.
2011-04-21 c:\windows2\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://doom9.org/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Xvid_is1 - c:\program files\Xvid\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-21 23:26
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS2\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS2\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-21 23:28:28
ComboFix-quarantined-files.txt 2011-04-22 03:28
.
Pre-Run: 14,774,804,480 bytes free
Post-Run: 14,739,546,112 bytes free
.
- - End Of File - - 8CF4DB12EF43C991DD7FEDE954C9E140