hit with a trojan virus

View previous topic View next topic Go down

hit with a trojan virus

Post by yelljack on Wed 21 Sep 2011, 10:10 pm

Hello, I got hit with a Trojan Virus. AVG cannot clear it. Malawarebytes can find it everytime I run it. Here is a copy of the OTL.txt file:

OTL logfile created on: 21/09/2011 6:57:19 AM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\ashish\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd/MM/yyyy

1.97 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 72.49% Memory free
3.82 Gb Paging File | 3.42 Gb Available in Paging File | 89.54% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 87.58 Gb Total Space | 57.02 Gb Free Space | 65.11% Space Free | Partition Type: NTFS

Computer Name: BALTIMOR-38FC7D | User Name: ashish | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/21 06:53:38 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ashish\My Documents\Downloads\OTL.com
PRC - [2011/09/09 17:43:18 | 001,220,960 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/09/08 20:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/09/08 06:46:00 | 002,401,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2011/09/01 06:16:22 | 005,265,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/08/15 06:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2009/02/27 07:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2009/02/27 06:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2009/02/27 06:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2008/04/13 21:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.exe
PRC - [2007/09/07 17:19:00 | 001,464,856 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\UNS.exe
PRC - [2007/09/07 17:18:52 | 000,121,368 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2007/03/21 13:42:38 | 000,364,629 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe


========== Modules (No Company Name) ==========

MOD - [2009/02/27 12:56:34 | 000,016,768 | ---- | M] () -- C:\Program Files\Adobe\Reader 9.0\Reader\ViewerPS.dll
MOD - [2009/02/27 06:51:14 | 000,200,704 | ---- | M] () -- C:\Program Files\Intel\WiFi\bin\iWMSProv.dll
MOD - [2001/07/31 06:17:12 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHEALR.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Bonjour Service)
SRV - File not found [Auto | Stopped] -- -- (atchksrv) Intel(R)
SRV - File not found [Auto | Stopped] -- -- (Application Updater)
SRV - [2011/09/01 06:16:22 | 005,265,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2009/09/24 11:59:26 | 001,695,368 | ---- | M] (NanJing Nagasoft Co, LTD.) [Auto | Stopped] -- C:\WINDOWS\system32\nagasoft\vjocx.dll -- (vvdsvc)
SRV - [2009/03/03 14:53:32 | 000,033,176 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) Helper) getPlus(R)
SRV - [2009/02/27 07:54:22 | 000,870,672 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2009/02/27 06:55:20 | 000,909,312 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor) Intel(R)
SRV - [2009/02/27 06:38:38 | 000,473,360 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc) Intel(R)
SRV - [2008/11/07 17:40:52 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2007/09/07 17:19:00 | 001,464,856 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\UNS.exe -- (UNS) Intel(R)
SRV - [2007/09/07 17:18:52 | 000,121,368 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel(R)
SRV - [2007/03/21 13:42:38 | 000,364,629 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (acs)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2003/10/22 10:19:22 | 000,065,536 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:30 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/07/11 01:14:28 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:28 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2011/07/11 01:14:26 | 000,134,608 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/07/11 01:13:46 | 000,229,840 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/07/11 01:13:42 | 000,032,464 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2009/03/04 10:31:32 | 004,202,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
DRV - [2008/09/26 10:53:00 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/09/26 10:52:00 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/09/26 10:52:00 | 000,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2008/08/13 17:23:56 | 000,011,904 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/07/03 18:46:24 | 000,057,344 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2006/12/21 12:56:44 | 000,988,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/12/21 12:56:00 | 000,209,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/12/21 12:55:56 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No CLSID value found
IE - HKCU\..\URLSearchHook: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\SearchSettings.dll (Spigot, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2011/09/15 21:52:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/16 13:19:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/16 13:13:19 | 000,000,000 | ---D | M]

[2011/09/16 13:20:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\ashish\Application Data\Mozilla\Extensions
[2011/09/16 13:19:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/15 21:52:25 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX4
[2009/05/17 12:51:48 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2009/09/02 05:38:30 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/09/03 02:01:45 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/09/02 19:25:59 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2009/05/17 17:26:42 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} [You must be registered and logged in to see this link.] (IASRunner Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} [You must be registered and logged in to see this link.] (VodClient Control Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{42D6DB11-F57D-4AE2-ABDF-28F9E9C390EF}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O20 - Winlogon\Notify\WgaLogon: DllName - (WgaLogon.dll) - C:\WINDOWS\System32\WgaLogon.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/07 11:46:47 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9dca8fc3-90d7-11e0-9b2c-0013e8b14307}\Shell - "" = AutoRun
O33 - MountPoints2\{9dca8fc3-90d7-11e0-9b2c-0013e8b14307}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9dca8fc3-90d7-11e0-9b2c-0013e8b14307}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{a452e7ed-c8e5-11de-9988-0013e8b14307}\Shell - "" = AutoRun
O33 - MountPoints2\{a452e7ed-c8e5-11de-9988-0013e8b14307}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a452e7ed-c8e5-11de-9988-0013e8b14307}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{e8b7b958-90a8-11e0-9b2b-0013e8b14307}\Shell - "" = AutoRun
O33 - MountPoints2\{e8b7b958-90a8-11e0-9b2b-0013e8b14307}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e8b7b958-90a8-11e0-9b2b-0013e8b14307}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{f0fd90fd-2bb2-11e0-9ad4-0013e8b14307}\Shell - "" = AutoRun
O33 - MountPoints2\{f0fd90fd-2bb2-11e0-9ad4-0013e8b14307}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f0fd90fd-2bb2-11e0-9ad4-0013e8b14307}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "wuauserv"
MsConfig - Services: "wscsvc"
MsConfig - Services: "helpsvc"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe - (Logitech, Inc.)
MsConfig - StartUpReg: atchk - hkey= - key= - File not found
MsConfig - StartUpReg: BitTorrent DNA - hkey= - key= - C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: HP Software Update - hkey= - key= - C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: IntelWireless - hkey= - key= - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation)
MsConfig - StartUpReg: IntelZeroConfig - hkey= - key= - C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel(R) Corporation)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: Kernel and Hardware Abstraction Layer - hkey= - key= - C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
MsConfig - StartUpReg: NvCplDaemon - hkey= - key= - File not found
MsConfig - StartUpReg: NvMediaCenter - hkey= - key= - File not found
MsConfig - StartUpReg: nwiz - hkey= - key= - File not found
MsConfig - StartUpReg: SearchSettings - hkey= - key= - C:\Program Files\Search Settings\SearchSettings.exe (Spigot, Inc.)
MsConfig - StartUpReg: SiteRanker - hkey= - key= - File not found
MsConfig - StartUpReg: SoundMAXPnP - hkey= - key= - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
MsConfig - StartUpReg: StatusClient 2.6 - hkey= - key= - C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
MsConfig - StartUpReg: SynTPEnh - hkey= - key= - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
MsConfig - StartUpReg: TomcatStartup 2.5 - hkey= - key= - C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe (Hewlett-Packard)
MsConfig - StartUpReg: WinampAgent - hkey= - key= - File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: WdfLoadGroup -
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: WdfLoadGroup -
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/09/16 12:58:08 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2011/09/15 23:18:33 | 000,000,000 | -H-D | C] -- C:\$AVG
[2011/09/15 22:05:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/15 22:05:12 | 000,000,000 | ---D | C] -- C:\Program Files\MALWAREBYTES ANTI-MALWARE
[2011/09/15 22:05:11 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/15 21:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ashish\Application Data\AVG2012
[2011/09/15 21:52:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG 2012
[2011/09/15 21:51:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2011/09/15 21:51:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\AVG
[2011/09/15 21:46:24 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/09/15 21:45:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/09/15 19:55:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2011/09/15 19:51:23 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\ashish\Recent
[2011/09/15 19:48:32 | 000,000,000 | ---D | C] -- C:\ZVDefs
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/21 06:05:35 | 000,136,150 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2011/09/21 06:05:14 | 000,185,449 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/09/21 06:05:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/21 06:05:06 | 2112,139,264 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/20 17:50:35 | 104,778,885 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/09/20 08:13:06 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/16 13:20:01 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\ashish\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/09/16 13:20:01 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/09/16 13:01:48 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\ashish\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/09/15 22:05:15 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/15 21:52:25 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
[2011/09/15 21:41:02 | 000,136,150 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2011/09/13 07:33:07 | 000,075,181 | ---- | M] (Sysinternals) -- C:\WINDOWS\System32\US180C~1.EXE.Vir
[2011/09/13 07:33:07 | 000,075,181 | ---- | M] (Sysinternals) -- C:\WINDOWS\System32\NVC686~1.EXE.Vir
[2011/09/13 07:33:07 | 000,075,181 | ---- | M] (Sysinternals) -- C:\WINDOWS\System32\IM5209~1.EXE.Vir
[2011/09/13 07:33:07 | 000,075,181 | ---- | M] (Sysinternals) -- C:\WINDOWS\EX2929~1.EXE.Vir
[2011/09/13 07:33:05 | 000,075,181 | ---- | M] (Sysinternals) -- C:\WINDOWS\System32\RU19D9~1.EXE.Vir
[2011/09/13 07:33:04 | 000,075,181 | ---- | M] (Sysinternals) -- C:\WINDOWS\System32\RU249B~1.EXE.Vir
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/20 17:50:35 | 104,778,885 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/09/16 13:20:01 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\ashish\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/09/16 13:20:01 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/09/16 13:20:01 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/09/16 13:01:48 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\ashish\Start Menu\Programs\Internet Explorer.lnk
[2011/09/15 22:05:15 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/15 21:52:25 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
[2011/09/15 19:46:13 | 2112,139,264 | -HS- | C] () -- C:\hiberfil.sys
[2011/07/28 07:49:40 | 000,000,141 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\license.ini
[2011/07/28 07:22:21 | 000,000,010 | ---- | C] () -- C:\WINDOWS\cbid32.dll
[2011/07/13 02:46:24 | 000,014,001 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/07/02 09:04:46 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\dmlconf.dat.zzz
[2011/06/07 03:41:48 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\ashish\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2011/06/07 03:36:45 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/12/01 11:03:08 | 000,000,833 | ---- | C] () -- C:\WINDOWS\EParse.ini
[2010/05/20 11:57:44 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2010/05/10 18:28:00 | 000,020,227 | ---- | C] () -- C:\WINDOWS\System32\Fixdll.exe
[2010/03/06 10:56:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\WgaLogon.dll
[2009/12/10 08:23:59 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\ashish\Application Data\setup_ldm.iss
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/06/20 11:04:19 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\ashish\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/17 17:22:00 | 000,045,132 | ---- | C] () -- C:\Documents and Settings\ashish\Application Data\JuniperExtXP.exe
[2009/05/02 11:07:10 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/04/09 06:16:14 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\jst.dll
[2009/04/09 06:16:14 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\PMLJNI.dll
[2009/04/09 06:13:35 | 000,000,783 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2009/04/09 06:13:23 | 000,192,512 | R--- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2009/04/09 06:13:23 | 000,000,319 | R--- | C] () -- C:\WINDOWS\System32\HPB1320V.DAT
[2009/04/09 06:12:48 | 000,012,368 | ---- | C] () -- C:\WINDOWS\hplj1320.ini
[2009/04/08 11:01:38 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2009/04/08 11:01:38 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2009/04/08 10:02:24 | 000,136,150 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2009/04/08 09:55:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/04/07 11:52:13 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/04/07 11:43:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/04/07 07:36:33 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/04/07 07:35:28 | 000,324,320 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/12/05 09:05:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/12/05 09:05:00 | 001,630,208 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2008/12/05 09:05:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/12/05 09:05:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2008/12/05 09:05:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/12/05 09:05:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/12/05 09:05:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2008/12/05 09:05:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/04/10 06:45:10 | 000,043,064 | ---- | C] () -- C:\WINDOWS\Regrest.exe
[2005/12/30 17:12:10 | 000,000,167 | ---- | C] () -- C:\WINDOWS\ZVIgnore.dat
[2004/08/03 19:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/03 18:56:50 | 001,033,728 | ---- | C] () -- C:\WINDOWS\Explorer.exe.zzz
[2004/08/02 08:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 12:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 12:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 11:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 11:00:00 | 000,433,344 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 11:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 11:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 11:00:00 | 000,068,134 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 11:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 11:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 11:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/07/31 06:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL

========== Custom Scans ==========


< %APPDATA%\Microsoft\*.* >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %USERPROFILE%\Desktop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\winn32\*.* >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.exe >
[2011/09/03 02:01:45 | 000,125,912 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\crashreporter.exe
[2011/09/03 02:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2011/09/03 02:01:45 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
[2011/09/03 02:01:45 | 000,269,272 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\updater.exe

< %ProgramFiles%\TinyProxy. >

< %systemroot%\system32\*.* /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.* /lockedfiles >

< %PROGRAMFILES%\*. >
[2009/05/02 10:06:35 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2009/04/13 06:54:48 | 000,000,000 | ---D | M] -- C:\Program Files\Analog Devices
[2011/09/15 19:53:07 | 000,000,000 | ---D | M] -- C:\Program Files\AppGraffiti
[2009/08/11 06:28:17 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2011/09/16 06:57:25 | 000,000,000 | ---D | M] -- C:\Program Files\Application Updater
[2011/09/15 21:51:03 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2011/09/16 06:57:47 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2009/05/17 11:22:09 | 000,000,000 | ---D | M] -- C:\Program Files\Canon
[2011/07/28 07:26:02 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2009/04/07 11:43:48 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2009/04/09 06:11:25 | 000,000,000 | ---D | M] -- C:\Program Files\CONEXANT
[2011/08/03 13:49:24 | 000,000,000 | ---D | M] -- C:\Program Files\DNA
[2009/06/14 09:59:56 | 000,000,000 | ---D | M] -- C:\Program Files\Free Easy Burner
[2010/08/06 23:57:57 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2009/04/09 06:16:48 | 000,000,000 | ---D | M] -- C:\Program Files\Hewlett-Packard
[2009/04/09 06:13:39 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2011/09/15 19:54:17 | 000,000,000 | ---D | M] -- C:\Program Files\Idea Net Setter
[2009/12/10 07:51:39 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2009/04/08 10:31:20 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2011/09/16 13:01:35 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/03/14 08:43:05 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2011/07/29 08:41:58 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2009/08/13 06:21:54 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/05/17 17:22:11 | 000,000,000 | ---D | M] -- C:\Program Files\Juniper Networks
[2009/04/08 10:59:20 | 000,000,000 | ---D | M] -- C:\Program Files\Lenovo
[2009/12/10 07:51:33 | 000,000,000 | ---D | M] -- C:\Program Files\Logitech
[2011/09/15 22:05:45 | 000,000,000 | ---D | M] -- C:\Program Files\MALWAREBYTES ANTI-MALWARE
[2011/09/15 22:05:16 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/09 00:19:14 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2011/09/15 23:16:38 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2009/05/02 11:06:13 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2009/04/07 11:47:12 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2009/11/02 00:58:22 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2011/06/15 10:48:26 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2009/05/02 11:05:35 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2010/01/11 08:57:53 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2009/05/02 11:06:20 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2011/09/15 23:00:13 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2011/09/16 13:19:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2009/08/07 23:14:05 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2009/11/02 00:58:10 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2009/04/07 11:42:52 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2009/04/07 11:43:25 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/06/15 03:00:25 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2011/09/16 07:18:22 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010/05/31 08:08:49 | 000,000,000 | ---D | M] -- C:\Program Files\Nitro PDF
[2009/05/03 07:21:32 | 000,000,000 | ---D | M] -- C:\Program Files\NOS
[2009/04/07 11:43:35 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2011/09/15 23:00:35 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2009/08/07 23:13:54 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/03/14 08:34:47 | 000,000,000 | ---D | M] -- C:\Program Files\Safari
[2011/09/16 07:19:01 | 000,000,000 | ---D | M] -- C:\Program Files\Search Settings
[2011/09/15 19:55:50 | 000,000,000 | ---D | M] -- C:\Program Files\SiteRanker
[2010/06/02 22:25:46 | 000,000,000 | ---D | M] -- C:\Program Files\SPSS
[2010/05/31 08:18:04 | 000,000,000 | ---D | M] -- C:\Program Files\Synaptics
[2009/04/07 11:54:32 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/01/24 08:25:04 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2009/06/28 11:09:59 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/04/09 00:13:23 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2010/05/31 08:22:58 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Sidebar
[2009/04/07 11:45:46 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2009/04/07 11:47:12 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2009/04/09 06:16:21 | 000,000,000 | -H-D | M] -- C:\Program Files\Zero G Registry


< MD5 for: AGP440.SYS >
[2004/08/03 19:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/04/09 00:08:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/04/09 00:08:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/03 19:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/04/09 00:08:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/04/09 00:08:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 16:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/03 19:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2009/04/09 00:08:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2009/04/09 00:08:12 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/03 16:59:56 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\dllcache\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/03 18:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-07-13 06:46:38

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/09/03 02:01:45 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/09/03 02:01:45 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/09/03 02:01:45 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/09/03 02:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/09/03 02:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/09/03 02:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2009/03/08 04:32:54 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2009/03/08 04:32:54 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2009/03/08 04:32:54 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2010/03/04 03:33:50 | 001,795,880 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2010/03/04 03:33:50 | 001,795,880 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2010/03/04 03:33:50 | 001,795,880 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2010/03/04 03:33:50 | 001,795,880 | ---- | M] (Apple Inc.)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/09/03 02:01:45 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/09/03 02:01:45 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/09/03 02:01:45 | 000,713,016 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/09/03 02:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/09/03 02:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/09/03 02:01:45 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2009/03/08 04:32:54 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2009/03/08 04:32:54 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2009/03/08 04:32:54 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2010/03/04 03:33:50 | 001,795,880 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2010/03/04 03:33:50 | 001,795,880 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2010/03/04 03:33:50 | 001,795,880 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2010/03/04 03:33:50 | 001,795,880 | ---- | M] (Apple Inc.)

< End of report >

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by yelljack on Wed 21 Sep 2011, 10:11 pm

Here is a copy of the Extras.Txt file:

OTL Extras logfile created on: 21/09/2011 6:57:19 AM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\ashish\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd/MM/yyyy

1.97 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 72.49% Memory free
3.82 Gb Paging File | 3.42 Gb Available in Paging File | 89.54% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 87.58 Gb Total Space | 57.02 Gb Free Space | 65.11% Space Free | Partition Type: NTFS

Computer Name: BALTIMOR-38FC7D | User Name: ashish | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" %*
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [ZERO-V] -- C:\PROGRA~1\NETPRO~1\zvscan\Runscan.exe %1
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe" = C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe:*:Enabled:javaw -- ()
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application
"C:\Documents and Settings\ashish\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.] = C:\Documents and Settings\ashish\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.] add-in for Adobe Flash Player -- (Octoshape ApS)
"C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 15
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{40295635-D63E-4E9B-82C5-DF986D345CCE}" = AVG 2012
"{56839333-0802-40D6-9A50-EBB9EB2BF541}" = AVG 2012
"{57C7C46A-D35D-492d-A328-4F8C9B5B4B52}" = PrintScreen
"{5F05C28D-DEA9-4AD6-A73A-064175988EAB}" = Search Settings v1.2.3
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7F04B272-E0DD-47E7-8B55-D97483DB0EBD}" = hp LaserJet 1160/1320 series
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90B5E602-1867-449D-86FD-FC9DEA4434BF}" = HP Software Update
"{9FAC9E5C-0D20-4DBF-AFE5-2E09C52A95A2}" = ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A67BB21E-D419-45BB-AB86-7D87D14BBCE2}" = Safari
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D124C1D1-963E-485A-AF7C-52E5CAA2CEF6}" = Net Protector 2011
"{E1B2DF7C-A176-4A1D-9D32-3CEC5037A524}" = Apple Application Support
"{F22FD942-651D-4EE8-BD6F-7E0AF5E17625}" = Intel(R) PROSet/Wireless WiFi Software
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG" = AVG 2012
"CAL" = Canon Camera Access Library
"CameraWindowDC" = Canon Utilities CameraWindow DC
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588" = ThinkPad Modem
"CSCLIB" = Canon Camera Support Core Library
"EOS Utility" = Canon Utilities EOS Utility
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"MESOL" = Intel(R) Active Management Technology Device Software
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox 6.0.2 (x86 en-US)" = Mozilla Firefox 6.0.2 (x86 en-US)
"MyCamera" = Canon Utilities MyCamera
"MyCameraDC" = Canon Utilities MyCamera DC
"NVIDIA Drivers" = NVIDIA Drivers
"PhotoStitch" = Canon Utilities PhotoStitch
"Power Management Driver" = ThinkPad Power Management Driver
"ProInst" = Intel PROSet Wireless
"PROSet" = Intel(R) PRO Network Connections Drivers
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SPSS for Windows 11.5" = SPSS 11.5 for Windows
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"VLC media player" = VLC media player 1.0.3
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 16/09/2011 11:29:02 AM | Computer Name = BALTIMOR-38FC7D | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 16/09/2011 12:55:42 PM | Computer Name = BALTIMOR-38FC7D | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 16/09/2011 12:55:42 PM | Computer Name = BALTIMOR-38FC7D | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 16/09/2011 12:55:42 PM | Computer Name = BALTIMOR-38FC7D | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 16/09/2011 12:55:42 PM | Computer Name = BALTIMOR-38FC7D | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 16/09/2011 12:55:51 PM | Computer Name = BALTIMOR-38FC7D | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 16/09/2011 1:02:04 PM | Computer Name = BALTIMOR-38FC7D | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 17/09/2011 7:21:23 PM | Computer Name = BALTIMOR-38FC7D | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 20/09/2011 8:13:25 AM | Computer Name = BALTIMOR-38FC7D | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 21/09/2011 6:05:27 AM | Computer Name = BALTIMOR-38FC7D | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

[ Application Events ]
Error - 16/09/2011 11:29:02 AM | Computer Name = BALTIMOR-38FC7D | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 16/09/2011 12:55:42 PM | Computer Name = BALTIMOR-38FC7D | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 16/09/2011 12:55:42 PM | Computer Name = BALTIMOR-38FC7D | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 16/09/2011 12:55:42 PM | Computer Name = BALTIMOR-38FC7D | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 16/09/2011 12:55:42 PM | Computer Name = BALTIMOR-38FC7D | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 16/09/2011 12:55:51 PM | Computer Name = BALTIMOR-38FC7D | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 16/09/2011 1:02:04 PM | Computer Name = BALTIMOR-38FC7D | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 17/09/2011 7:21:23 PM | Computer Name = BALTIMOR-38FC7D | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 20/09/2011 8:13:25 AM | Computer Name = BALTIMOR-38FC7D | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

Error - 21/09/2011 6:05:27 AM | Computer Name = BALTIMOR-38FC7D | Source = LMS | ID = 2
Description = LMS Service cannot connect to HECI driver

[ System Events ]
Error - 16/09/2011 1:12:43 PM | Computer Name = BALTIMOR-38FC7D | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 17/09/2011 7:21:32 PM | Computer Name = BALTIMOR-38FC7D | Source = Service Control Manager | ID = 7000
Description = The Intel(R) Active Management Technology System Status Service service
failed to start due to the following error: %%2

Error - 17/09/2011 7:21:32 PM | Computer Name = BALTIMOR-38FC7D | Source = Service Control Manager | ID = 7000
Description = The Bonjour Service service failed to start due to the following error:
%%2

Error - 17/09/2011 7:21:32 PM | Computer Name = BALTIMOR-38FC7D | Source = Service Control Manager | ID = 7000
Description = The SFilter service failed to start due to the following error: %%2

Error - 20/09/2011 8:13:36 AM | Computer Name = BALTIMOR-38FC7D | Source = Service Control Manager | ID = 7000
Description = The Intel(R) Active Management Technology System Status Service service
failed to start due to the following error: %%2

Error - 20/09/2011 8:13:36 AM | Computer Name = BALTIMOR-38FC7D | Source = Service Control Manager | ID = 7000
Description = The Bonjour Service service failed to start due to the following error:
%%2

Error - 20/09/2011 8:13:36 AM | Computer Name = BALTIMOR-38FC7D | Source = Service Control Manager | ID = 7000
Description = The SFilter service failed to start due to the following error: %%2

Error - 21/09/2011 6:05:38 AM | Computer Name = BALTIMOR-38FC7D | Source = Service Control Manager | ID = 7000
Description = The Intel(R) Active Management Technology System Status Service service
failed to start due to the following error: %%2

Error - 21/09/2011 6:05:38 AM | Computer Name = BALTIMOR-38FC7D | Source = Service Control Manager | ID = 7000
Description = The Bonjour Service service failed to start due to the following error:
%%2

Error - 21/09/2011 6:05:38 AM | Computer Name = BALTIMOR-38FC7D | Source = Service Control Manager | ID = 7000
Description = The SFilter service failed to start due to the following error: %%2


< End of report >

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by yelljack on Sat 24 Sep 2011, 8:27 am

bump - No response yet!!

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by Belahzur on Sun 25 Sep 2011, 5:21 am

Hello.

Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below



Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

  • Once the scan finishes click Save log to save the log to your Desktop


  • Copy and paste the contents of aswMBR.txt back here for review


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by yelljack on Sun 25 Sep 2011, 8:56 am

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-24 17:54:52
-----------------------------
17:54:52.421 OS Version: Windows 5.1.2600 Service Pack 3
17:54:52.421 Number of processors: 2 586 0xF0A
17:54:52.437 ComputerName: BALTIMOR-38FC7D UserName: ashish
17:54:53.265 Initialize success
17:55:12.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
17:55:12.796 Disk 0 Vendor: HTS721010G9SA00 MCZIC15V Size: 95396MB BusType: 3
17:55:14.812 Disk 0 MBR read successfully
17:55:14.812 Disk 0 MBR scan
17:55:14.812 Disk 0 Windows XP default MBR code
17:55:14.812 Disk 0 scanning sectors +195365520
17:55:14.875 Disk 0 scanning C:\WINDOWS\system32\drivers
17:55:22.390 Service scanning
17:55:23.546 Modules scanning
17:55:29.937 Disk 0 trace - called modules:
17:55:29.968 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:55:29.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7acab8]
17:55:29.968 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000085[0x8a7dd9e8]
17:55:29.968 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a7ddd98]
17:55:30.031 Scan finished successfully
17:55:54.046 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\ashish\Desktop\MBR.dat"
17:55:54.046 The log file has been saved successfully to "C:\Documents and Settings\ashish\Desktop\aswMBR.txt"



yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by Belahzur on Sun 25 Sep 2011, 9:05 am

Hi,


Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.


Refer to this image:

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click PCHelpForum.exe to run it.

    You will see the following image:


Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by yelljack on Tue 27 Sep 2011, 4:44 am

ComboFix 11-09-26.01 - ashish 26/09/2011 13:32:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1454 [GMT -4:00]
Running from: c:\documents and settings\ashish\Desktop\PCHelpForum.exe.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ashish\Application Data\JuniperExtXP.exe
c:\documents and settings\ashish\WINDOWS
c:\program files\Mozilla Firefox\extensions\searchsettings@spigot.com
c:\program files\Search Settings
c:\program files\Search Settings\FF\chrome.manifest
c:\program files\Search Settings\FF\chrome\content\plugin.js
c:\program files\Search Settings\FF\chrome\content\plugin.xul
c:\program files\Search Settings\FF\chrome\content\protection.js
c:\program files\Search Settings\FF\chrome\content\utils.js
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.dtd
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.properties
c:\program files\Search Settings\FF\components\IFBHOSearch.xpt
c:\program files\Search Settings\FF\components\IFBHOSearchHelperEngine.xpt
c:\program files\Search Settings\FF\components\IFHelperPreferences.xpt
c:\program files\Search Settings\FF\components\SearchSettingsFF.dll
c:\program files\Search Settings\FF\install.rdf
c:\program files\Search Settings\kb128\SearchSettingsInstaller.130.exe
c:\program files\Search Settings\SeARchsettings.dll
c:\program files\Search Settings\SearchSettings.exe
c:\program files\Search Settings\SearchSettingsRes409.dll
c:\windows\scrrun.dll
c:\windows\system32\Nagasoft
c:\windows\system32\Nagasoft\Codecs\asyncflt.ax
c:\windows\system32\Nagasoft\Codecs\atrc.dll
c:\windows\system32\Nagasoft\Codecs\cook.dll
c:\windows\system32\Nagasoft\Codecs\drvc.dll
c:\windows\system32\Nagasoft\Codecs\raac.dll
c:\windows\system32\Nagasoft\Codecs\RealMediaSplitter.ax
c:\windows\system32\Nagasoft\Codecs\WMFDemux.dll
c:\windows\system32\Nagasoft\GifShower.dll
c:\windows\system32\Nagasoft\vjocx.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_vvdsvc
-------\Legacy_vvdsvc
-------\Service_vvdsvc
-------\Service_vvdsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-08-26 to 2011-09-26 )))))))))))))))))))))))))))))))
.
.
2011-09-26 17:22 . 2011-09-26 17:22 -------- d-----w- c:\windows\LastGood.Tmp
2011-09-23 10:37 . 2011-09-23 10:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-16 16:58 . 2011-09-16 16:59 -------- dc-h--w- c:\windows\ie8
2011-09-16 02:05 . 2011-09-16 02:05 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-09-16 02:05 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-16 01:56 . 2011-09-16 01:56 -------- d-----w- c:\documents and settings\ashish\Application Data\AVG2012
2011-09-16 01:51 . 2011-09-26 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-09-16 01:46 . 2011-09-16 01:46 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-09-16 01:45 . 2011-09-26 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-15 23:48 . 2011-09-15 23:48 -------- d-----w- C:\ZVDefs
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-16 03:18 . 2009-04-09 10:16 45056 ----a-w- c:\documents and settings\ashish\Application Data\Microsoft\Installer\{90B5E602-1867-449D-86FD-FC9DEA4434BF}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2011-09-13 11:33 . 2011-08-03 18:32 75181 ----a-w- c:\windows\system32\IM5209~1.EXE.Vir
2011-09-13 11:33 . 2011-07-29 07:26 75181 ----a-w- c:\windows\EX2929~1.EXE.Vir
2011-09-13 11:33 . 2011-07-29 07:24 75181 ----a-w- c:\windows\system32\US180C~1.EXE.Vir
2011-09-13 11:33 . 2011-07-29 04:16 75181 ----a-w- c:\windows\system32\NVC686~1.EXE.Vir
2011-09-13 11:33 . 2011-07-28 14:05 75181 ----a-w- c:\windows\system32\RU19D9~1.EXE.Vir
2011-09-13 11:33 . 2011-08-03 17:51 75181 ----a-w- c:\windows\system32\RU249B~1.EXE.Vir
2011-07-29 12:18 . 2011-07-28 14:12 75181 ----a-w- c:\windows\system32\IBMPMSVCMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGR.EXE.Vir
2011-07-29 12:18 . 2011-07-28 14:06 75181 ----a-w- c:\windows\system32\HPDBCC~1.EXE.Vir
2011-07-29 12:18 . 2011-07-28 14:03 75181 ----a-w- c:\windows\system32\HPBPRO~1.EXE.Vir
2011-07-28 14:12 . 2011-07-28 14:09 75181 ----a-w- c:\windows\system32\HP3A12~1.EXE.Vir
2011-07-28 14:12 . 2011-07-28 14:06 75181 ----a-w- c:\windows\system32\HPCF3E~1.EXE.Vir
2011-07-28 14:12 . 2011-07-28 14:04 75181 ----a-w- c:\windows\system32\HP99A4~1.EXE.Vir
2011-07-28 14:12 . 2011-07-28 14:08 75181 ----a-w- c:\windows\system32\HP87A5~1.EXE.Vir
2011-07-28 14:12 . 2011-07-28 14:08 75181 ----a-w- c:\windows\system32\HPB084~1.EXE.Vir
2011-07-28 14:12 . 2011-07-28 14:04 75181 ----a-w- c:\windows\system32\HP7F91~1.EXE.Vir
2011-07-28 14:12 . 2011-07-28 14:10 75181 ----a-w- c:\windows\system32\HP0C2F~1.EXE.Vir
2011-07-28 14:11 . 2011-07-28 14:05 75181 ----a-w- c:\windows\system32\HP46B9~1.EXE.Vir
2011-09-03 06:01 . 2011-09-16 17:19 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-05 13549568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start [You must be registered and logged in to see this link.] [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 21:41 72208 ------w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-07 03:20 323392 ------w- c:\program files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-01-07 17:02 127386 ------w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2009-02-27 10:40 1202448 ------w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2011-09-16 11:15 1368064 ----a-w- c:\program files\Intel\WiFi\bin\ZCfgSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 22:07 141608 ------w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-10-10 19:46 69632 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-12-05 13:05 13549568 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-12-05 13:05 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-12-05 13:05 1630208 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2008-04-24 21:53 1114549 ------w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient 2.6]
2011-09-16 11:11 61440 ----a-w- c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2011-09-16 11:25 1323008 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup 2.5]
2011-09-16 11:10 188416 ----a-w- c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"helpsvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\ashish\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
.
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/12/2009 7:52 AM 10384]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [08/04/2009 10:31 AM 1464856]
S2 Application Updater;Application Updater;"c:\program files\Application Updater\ApplicationUpdater.exe" --> c:\program files\Application Updater\ApplicationUpdater.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys --> c:\windows\system32\DRIVERS\ewusbdev.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\ashish\Application Data\Mozilla\Firefox\Profiles\xy03fhmz.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-atchk - c:\program files\Intel\AMT Status\atchk.exe
MSConfigStartUp-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
MSConfigStartUp-SiteRanker - c:\program files\SiteRanker\SiteRankTray.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-09-26 13:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1200)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(2604)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-09-26 13:42:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-26 17:42
.
Pre-Run: 61,263,917,056 bytes free
Post-Run: 61,480,140,800 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - D6A7706BEBFF0E80A4F6C3322C307FF9

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by Belahzur on Tue 27 Sep 2011, 5:05 am

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\windows\system32\*.exe.vir
    c:\windows\*.exe.vir

    :commands
    [emptytemp]
    [clearallrestorepoints]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by yelljack on Tue 27 Sep 2011, 9:17 am

All processes killed
========== FILES ==========
c:\windows\system32\HP0C2F~1.EXE.Vir moved successfully.
c:\windows\system32\HP3A12~1.EXE.Vir moved successfully.
c:\windows\system32\HP46B9~1.EXE.Vir moved successfully.
c:\windows\system32\HP7F91~1.EXE.Vir moved successfully.
c:\windows\system32\HP87A5~1.EXE.Vir moved successfully.
c:\windows\system32\HP99A4~1.EXE.Vir moved successfully.
c:\windows\system32\HPB084~1.EXE.Vir moved successfully.
c:\windows\system32\HPBPRO~1.EXE.Vir moved successfully.
c:\windows\system32\HPCF3E~1.EXE.Vir moved successfully.
c:\windows\system32\HPDBCC~1.EXE.Vir moved successfully.
c:\windows\system32\IBMPMSVCMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGR.EXE.Vir moved successfully.
c:\windows\system32\IM5209~1.EXE.Vir moved successfully.
c:\windows\system32\NVC686~1.EXE.Vir moved successfully.
c:\windows\system32\RU19D9~1.EXE.Vir moved successfully.
c:\windows\system32\RU249B~1.EXE.Vir moved successfully.
c:\windows\system32\US180C~1.EXE.Vir moved successfully.
c:\windows\EX2929~1.EXE.Vir moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: ashish
->Temp folder emptied: 14568274 bytes
->Temporary Internet Files folder emptied: 2808137 bytes
->Java cache emptied: 49945324 bytes
->FireFox cache emptied: 41082264 bytes
->Apple Safari cache emptied: 14336 bytes
->Flash cache emptied: 2946067 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49286 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 3274163 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 168 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 109.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.29.1 log created on 09262011_181311

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by Belahzur on Wed 28 Sep 2011, 7:13 am

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by yelljack on Thu 29 Sep 2011, 10:32 am

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=0b88b841b7a311408902391d9462f9ac
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-09-28 11:27:12
# local_time=2011-09-28 07:27:12 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 190701 190701 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=56934
# found=31
# cleaned=4
# scan_time=2268
C:\Documents and Settings\ashish\My Documents\Downloads\Setup_FreeBurnerN.exe Win32/Adware.Toolbar.Dealio application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Bonjour\MDF842~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Canon\CAL\CAAC9C~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Common Files\Intel\WirelessCommon\RE8D27~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDF453~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Intel\AMT\AT3862~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Intel\AMT\LMD5C8~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Intel\AMT\UNB440~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Intel\WiFi\bin\EVC2F8~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Java\jre6\bin\JQD515~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\Juniper Networks\Common Files\DS69CF~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Search Settings\SeARchsettings.dll.vir Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Search Settings\SearchSettings.exe.vir Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Search Settings\SearchSettingsRes409.dll.vir Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\IBMPMSVCMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGRMGR.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\EX2929~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\HP0C2F~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\HP3A12~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\HP46B9~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\HP7F91~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\HP87A5~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\HP99A4~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\HPB084~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\HPBPRO~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\HPCF3E~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\HPDBCC~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\IM5209~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\NVC686~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\RU19D9~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\RU249B~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\09262011_181311\c_windows\system32\US180C~1.EXE.Vir Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 I

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by Belahzur on Fri 30 Sep 2011, 3:33 am

That's hardly fair. -.-

Attention: Your computer is severely infected with Win32\Ramnit what is now called, a cocktail infection. This is an infection that is comprised of many different types of viruses and other malware, to damage your computer, and use it as a zombie for its backdoor network. In other words, your computer is under control of a hacker, and regaining control is now next to impossible.

The first component is a backdoor trojan, which is a type of trojan that communicates with a hacker: to transfer personal information about you, use your computer to help perform a denial-of-service attack, redirect your internet searches in order to make money off of your browsing habits, and can be a keylogger to steal personal identifiable information to help rob your identity.

The second component is a rootkit, which is a type of malware to take control over your computer at administrator access, having full permission to modify all of your device drivers, and allowing itself to hide all the malware on the system. In other words, it is a hackers way of taking control of your computer, and hiding in the dark at the same time. This is a prime initiative of hackers to help keep access to your computer, robbing all of your personal information, and using your computer to send spam across the internet.

The third component is a file infector, which is a type of virus to purposely damage as many files as possible, in order to keep control of your system, so you have as little access as possible.

Not only has your system been compromised severely, it is also highly damaged, and if you do not commit to my suggested removal method below, then your computer may not function anymore.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:


  • How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
  • What Should I Do If I've Become A Victim Of Identity Theft?
  • Identity Theft Victims Guide - What to do



Removal method:

It is recommended to do a reformat and reinstall of your operating system. The experts in the Advanced Malware Analysts security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety.

I recommend the following articles to read:


  • When should I re-format? How should I reinstall?
  • Help: I Got Hacked. Now What Do I Do?
  • Help: I Got Hacked. Now What Do I Do? Part II
  • Where to draw the line? When to recommend a format and reinstall?

Guides for format and reinstall:

[You must be registered and logged in to see this link.]

How to reformat and reinstall your Operating System - the easy way

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by yelljack on Fri 30 Sep 2011, 4:50 am

Thanks Belahzur for trying .. I will reformat the computer :-)

yelljack

Newbie Surfer
Newbie Surfer

Posts : 44
Joined : 2008-12-08
Operating System : XP

View user profile

Back to top Go down

Re: hit with a trojan virus

Post by Sponsored content Today at 7:41 pm


Sponsored content


Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum