Possible Virus?


Possible Virus?

Post by bobu on 8th November 2012, 3:51 am

Hi - my system is acting like I have a virus, or possibly a hardware problem with my sound card. My wave volume keeps going down by itself intermittently. I can increase it, and it goes back down within a few minutes. It then reaches a point where I cannot open its properties and I cannot launch anything else at all - browsers and all other applications. When I try to restart my system, my desktop disappears and it is locked at that point. I am also getting blue screens upon a hard shutdown and reboot - sometimes it will get past, but usually I have to start in Safe Mode first or use Last Known Good Configuration.


bobu
Intermediate

Posts : 59
Joined : 2008-12-06
OS : WINXP
Points : 29616
# Likes : 0


Re: Possible Virus?

Post by bobu on 8th November 2012, 3:53 am

OTL logfile created on: 11/7/2012 9:35:36 PM - Run 1
OTL by OldTimer - Version 3.2.70.1 Folder = C:\Documents and Settings\Bob\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.50 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
4.84 Gb Paging File | 4.50 Gb Available in Paging File | 92.98% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 128.00 Gb Total Space | 74.80 Gb Free Space | 58.44% Space Free | Partition Type: NTFS

Computer Name: WARCRAFT | User Name: Bob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/11/07 21:34:05 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bob\My Documents\Downloads\OTL.com
PRC - [2012/09/06 23:18:39 | 000,917,984 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/08/08 16:16:26 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012/05/02 00:42:31 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/11/15 13:49:44 | 005,238,272 | ---- | M] (Linksys) -- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
PRC - [2005/04/12 18:40:22 | 000,655,420 | ---- | M] (Networks Associates Technology, Inc.) -- C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
PRC - [2005/04/12 18:39:34 | 000,766,011 | ---- | M] (Networks Associates Technology, Inc.) -- C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
PRC - [2004/10/06 15:50:00 | 000,237,623 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
PRC - [2004/10/06 15:50:00 | 000,139,320 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
PRC - [2004/10/06 15:50:00 | 000,102,463 | ---- | M] (Network Associates, Inc.) -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
PRC - [2004/02/06 22:56:14 | 000,041,025 | ---- | M] (GEMTEKS) -- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe


========== Modules (No Company Name) ==========

MOD - [2012/09/06 23:18:39 | 002,244,064 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/04/16 22:11:02 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2005/03/20 09:36:16 | 000,036,864 | ---- | M] () -- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\Security.dll
MOD - [2005/02/24 20:15:20 | 000,102,400 | ---- | M] () -- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\ses_cl.dll
MOD - [2004/09/29 15:51:28 | 000,122,880 | ---- | M] () -- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\ez54g.dll
MOD - [2003/10/13 14:30:58 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\GTW32N50.dll
MOD - [2002/04/24 00:00:00 | 000,110,592 | ---- | M] () -- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\GEMWEP.DLL


========== Services (SafeList) ==========

SRV - File not found [Auto | Running] -- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe WMP54Gv4.exe -- (WMP54Gv4SVC)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/09/06 23:18:39 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/05/02 00:42:31 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/05/01 23:34:37 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2005/04/12 18:39:34 | 000,766,011 | ---- | M] (Networks Associates Technology, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe -- (FireSvc)
SRV - [2004/10/06 15:50:00 | 000,102,463 | ---- | M] (Network Associates, Inc.) [Auto | Running] -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe -- (McAfeeFramework)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\AsInsHelp32.sys -- (ASInsHelp)
DRV - [2012/04/27 09:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2012/04/24 23:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012/04/16 20:18:01 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010/06/17 14:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2005/10/27 15:06:30 | 000,356,096 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt61.sys -- (RT61)
DRV - [2005/04/12 18:47:16 | 000,026,171 | ---- | M] (Networks Associates Technology, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\FireHk5x.sys -- (FireHook)
DRV - [2005/04/12 18:47:00 | 000,032,784 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\firelm01.sys -- (firelm01)
DRV - [2005/04/12 18:37:32 | 000,109,626 | ---- | M] (Networks Associates Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\FirePM.sys -- (FirePM)
DRV - [2005/04/12 18:29:58 | 000,036,923 | ---- | M] (Networks Associates Technology, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\FireTdi.sys -- (FireTDI)
DRV - [2005/02/01 18:18:38 | 000,017,992 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\bcm42rly.sys -- (BCM42RLY)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/05/29 16:41:54 | 000,186,112 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2003/09/25 21:15:32 | 000,015,872 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\GTNDIS5.sys -- (GTNDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
IE - HKCU\..\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\..\SearchScopes\{584E5BCE-9A32-4BD5-B57D-6D38C4D7D3FC}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\..\SearchScopes\{E5F5D888-2587-E012-A817-7038F5690F26}: "URL" = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "MyStart Search"
FF - prefs.js..browser.startup.homepage: "http://www.cnn.com/"
FF - prefs.js..extensions.enabledAddons: [You must be registered and logged in to see this link.]:0.2
FF - prefs.js..extensions.enabledAddons: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.15.1
FF - prefs.js..extensions.enabledAddons: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.6
FF - prefs.js..extensions.enabledAddons: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.11.2
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.8.86
FF - prefs.js..keyword.URL: "http://mystart.incredibar.com/mb185/?loc=IB_DS&a=6R8KzWemip&&i=26&search="


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll File not found
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\IB Updater\Firefox
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/11/07 18:24:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/11/07 18:24:16 | 000,000,000 | ---D | M]

[2009/09/14 19:24:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Extensions
[2012/11/07 20:05:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions
[2012/07/17 06:20:43 | 000,000,000 | ---D | M] (ShopToWin12) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\{70263cf9-d46a-4be4-adc6-29500ba884e1}
[2011/07/02 16:25:56 | 000,000,000 | ---D | M] (Browse For Change) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\browseforchange@browseforchange.com
[2010/12/03 22:48:49 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\vshare@toolbar
[2012/02/04 17:33:54 | 000,020,591 | ---- | M] () (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2011/07/21 14:50:27 | 000,097,169 | ---- | M] () (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}.xpi
[2012/11/02 16:23:49 | 000,530,388 | ---- | M] () (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2012/07/24 14:55:36 | 000,741,958 | ---- | M] () (No name found) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2010/08/15 18:16:02 | 000,001,954 | ---- | M] () -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\searchplugins\bing-zugo.xml
[2011/07/02 16:25:56 | 000,002,230 | ---- | M] () -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\searchplugins\iBryte_browseforchange.xml
[2012/11/07 19:51:02 | 000,002,203 | ---- | M] () -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\searchplugins\MyStart Search.xml
[2012/11/07 18:24:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/11/07 18:24:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2012/10/26 20:59:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\updated\updated\extensions
[2012/11/07 18:23:35 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\updated\updated\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2012/10/26 20:59:52 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\updated\updated\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/11 08:33:00 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/09/06 23:18:40 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2008/12/22 10:40:43 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll File not found
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {06C7AD57-B655-418D-9AB8-9526A6D2E052} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\Webbrowser: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [Easy Dock] File not found
O4 - HKLM..\Run: [iBryte browseforchange Desktop] C:\Program Files\iBryte\browseforchange\ibrytedesktop.exe File not found
O4 - HKLM..\Run: [McAfeeFireTray] C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe (Networks Associates Technology, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe (Network Associates, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
O4 - HKCU..\Run: [Easy Dock] C:\Documents and Settings\Bob\My Documents\RCA easyRip\EZDock.exe (Audiovox Electronics Corp.)
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 File not found
O4 - Startup: C:\Documents and Settings\Bob\Start Menu\Programs\Startup\RCA Detective.lnk = C:\Documents and Settings\Bob\My Documents\RCA Detective\RCADetective.exe (Audiovox Accessories Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_24.dll (Sun Microsystems, Inc.)
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} [You must be registered and logged in to see this link.] (System Requirements Lab Class)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} [You must be registered and logged in to see this link.] (Reg Error: Unable to open value key)
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} [You must be registered and logged in to see this link.] (Reg Error: Unable to open value key)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} [You must be registered and logged in to see this link.] (MSN Photo Upload Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_24)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Unable to open value key)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} [You must be registered and logged in to see this link.] (Reg Error: Unable to open value key)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} [You must be registered and logged in to see this link.] (Crucial cpcScan)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Unable to open value key)
O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} [You must be registered and logged in to see this link.] (SysInfo Class)
O16 - DPF: vzTCPConfig [You must be registered and logged in to see this link.] (Reg Error: Unable to open value key)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B921D221-614E-410D-BA13-627C85A6077B}: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CBEF2D6B-0401-44F1-9FAC-6BD4EADCDFED}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\vsharechrome {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/02/09 19:25:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{76e428b4-7039-11dd-aef6-001ee59ca600}\Shell - "" = AutoRun
O33 - MountPoints2\{76e428b4-7039-11dd-aef6-001ee59ca600}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{76e428b4-7039-11dd-aef6-001ee59ca600}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{aaafa97e-b5df-11de-b062-001ee5fc174f}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)


SafeBootMin: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0213C6AF-5562-4D09-884C-2ADCFC8C2F35} - Microsoft .NET Framework 1.1 Security Update (KB2656353)
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1897C549-AE52-4571-8996-44854F5612B2} - Microsoft .NET Framework 1.1 Security Update (KB2656370)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.2
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.2
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C3C986D6-06B1-43BF-90DD-BE30756C00DE} - RevokedRootsUpdate
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CAAFB8F9-F8D1-3D27-9AAA-6301A4429440} - .NET Framework
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point



Re: Possible Virus?

Post by bobu on 8th November 2012, 3:54 am

========== Files/Folders - Created Within 30 Days ==========

[2012/11/07 20:45:44 | 000,000,000 | ---D | C] -- C:\Temp
[2012/11/07 20:18:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinZip
[2012/11/07 19:51:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\Local Settings\Application Data\Wajam
[2012/11/07 19:51:09 | 000,632,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr80.dll
[2012/11/07 19:51:09 | 000,554,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp80.dll
[2012/11/07 19:51:09 | 000,479,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcm80.dll
[2012/11/07 18:39:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/11/07 18:24:14 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/11/07 18:24:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\AbiSuite
[2012/11/07 18:24:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\.SunDownloadManager
[2012/11/07 18:24:05 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Bob\Recent
[2012/11/07 18:23:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 7
[2012/11/07 18:22:44 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/11/07 18:05:38 | 000,000,000 | ---D | C] -- C:\Program Files\Intel
[2012/11/06 22:48:40 | 000,000,000 | ---D | C] -- C:\Program Files\Device Doctor
[2012/11/06 22:48:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\Application Data\Device Doctor
[2012/11/06 22:40:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\Local Settings\Application Data\Sun
[2012/11/06 22:39:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Downloaded Installers
[2012/11/06 22:16:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java(2)
[2012/11/06 21:01:10 | 000,000,000 | ---D | C] -- C:\Program Files\NETGEAR
[2012/11/06 06:20:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/11/05 19:38:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/10/20 22:16:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2012/10/20 21:07:40 | 000,000,000 | ---D | C] -- C:\Program Files\SpyShelter Personal Free
[2012/10/20 21:07:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\Application Data\SpyShelter
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/07 21:07:54 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/11/07 21:07:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/11/07 19:51:13 | 000,000,450 | ---- | M] () -- C:\user.js
[2012/11/07 18:28:27 | 000,441,740 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/11/07 18:28:27 | 000,071,674 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/10/12 06:14:41 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/07 19:51:13 | 000,000,450 | ---- | C] () -- C:\user.js
[2012/02/16 13:11:18 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/24 20:59:16 | 000,015,672 | -HS- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\01ep2102e00gjmc81qytg15t51b25n3o
[2011/12/24 20:59:16 | 000,015,672 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\01ep2102e00gjmc81qytg15t51b25n3o
[2011/07/02 13:31:04 | 002,784,050 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/03/05 15:31:38 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/20 01:11:03 | 000,014,848 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\ClientUpdate.exe
[2010/11/13 21:12:52 | 000,293,992 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2010/11/13 21:12:50 | 000,293,992 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2010/11/13 21:12:50 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2010/01/24 21:00:39 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2009/05/05 18:01:40 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Bob\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2009/03/31 00:15:16 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 18:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 06:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 18:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

< %AppData%\Roaming\Mozilla\Firefox\Profiles\*.default\extensions\ /s /md5 >

< %AppData%\Local\ >

< %systemroot%\system32\sysprep >

< *.xpi /md5 >

< %systemroot%\Downloaded Program Files\ >

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile >
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/09/06 23:18:38 | 000,883,896 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/09/06 23:18:38 | 000,883,896 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/09/06 23:18:38 | 000,883,896 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/09/06 23:18:39 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/09/06 23:18:39 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/09/06 23:18:39 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2012/08/28 06:07:34 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2012/08/28 06:07:34 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2012/08/28 06:07:34 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera\InstallInfo\\ShowIconsCommand: "C:\Program Files\Opera\Opera.exe" /ShowIconsCommand [2012/08/31 20:47:46 | 000,874,896 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera\InstallInfo\\HideIconsCommand: "C:\Program Files\Opera\Opera.exe" /HideIconsCommand [2012/08/31 20:47:46 | 000,874,896 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera\InstallInfo\\ReinstallCommand: "C:\Program Files\Opera\Opera.exe" /ReInstallBrowser [2012/08/31 20:47:46 | 000,874,896 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera\shell\open\command\\: "C:\Program Files\Opera\Opera.exe" [2012/08/31 20:47:46 | 000,874,896 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\shell\open\command\\: "C:\Program Files\Opera\Opera.exe" [2012/08/31 20:47:46 | 000,874,896 | ---- | M] (Opera Software)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012/09/06 23:18:38 | 000,883,896 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012/09/06 23:18:38 | 000,883,896 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012/09/06 23:18:38 | 000,883,896 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012/09/06 23:18:39 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012/09/06 23:18:39 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012/09/06 23:18:39 | 000,917,984 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2012/08/28 06:07:34 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2012/08/28 06:07:34 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2012/08/28 06:07:34 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera\InstallInfo\\ShowIconsCommand: "C:\Program Files\Opera\Opera.exe" /ShowIconsCommand [2012/08/31 20:47:46 | 000,874,896 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera\InstallInfo\\HideIconsCommand: "C:\Program Files\Opera\Opera.exe" /HideIconsCommand [2012/08/31 20:47:46 | 000,874,896 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera\InstallInfo\\ReinstallCommand: "C:\Program Files\Opera\Opera.exe" /ReInstallBrowser [2012/08/31 20:47:46 | 000,874,896 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera\shell\open\command\\: "C:\Program Files\Opera\Opera.exe" [2012/08/31 20:47:46 | 000,874,896 | ---- | M] (Opera Software)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Opera.exe\shell\open\command\\: "C:\Program Files\Opera\Opera.exe" [2012/08/31 20:47:46 | 000,874,896 | ---- | M] (Opera Software)

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\system32\drivers\*.sys /90 >

< %systemroot%\System32\config\*.sav >
[2007/02/09 13:17:12 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2007/02/09 13:17:12 | 000,634,880 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2007/02/09 13:17:12 | 000,884,736 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %SYSTEMDRIVE%\*.exe /md5 >

< "%WinDir%\$NtUninstallKB*$." /30 >

< %systemdrive%\Program Files\Common Files\ComObjects\*.* /s >

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\Installer\ /s >

< %systemroot%\system32\Cache\ /s >

< %systemroot%\system32\config\systemprofile\ /s >

< %PROGRAMFILES%\*. >
[2012/08/05 12:25:18 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2012/11/07 18:16:34 | 000,000,000 | ---D | M] -- C:\Program Files\Analog Devices
[2009/07/10 20:59:26 | 000,000,000 | ---D | M] -- C:\Program Files\ASUS
[2009/06/22 21:43:51 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2012/05/22 16:40:09 | 000,000,000 | ---D | M] -- C:\Program Files\Avira
[2012/11/06 22:07:22 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2012/11/07 18:22:43 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2007/02/09 19:23:10 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2012/11/07 18:22:30 | 000,000,000 | ---D | M] -- C:\Program Files\Device Doctor
[2011/04/03 23:51:52 | 000,000,000 | ---D | M] -- C:\Program Files\Full Tilt Poker
[2012/11/06 22:47:18 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2012/11/07 18:05:38 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2012/09/22 06:16:54 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2012/11/06 22:16:06 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/06/28 17:30:42 | 000,000,000 | ---D | M] -- C:\Program Files\KingsIsle Entertainment
[2008/12/06 14:45:48 | 000,000,000 | ---D | M] -- C:\Program Files\Lavasoft
[2010/01/31 15:16:33 | 000,000,000 | ---D | M] -- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
[2012/11/07 18:24:11 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/08/14 01:10:31 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2007/02/09 19:26:02 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2011/07/04 13:40:59 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2012/05/09 21:14:46 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2011/05/07 16:22:50 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2010/08/11 18:51:14 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2012/11/07 20:11:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2012/11/07 18:24:09 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Maintenance Service
[2009/03/31 00:16:29 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2007/12/24 11:23:51 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2007/02/09 19:22:18 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2007/02/09 19:22:48 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2012/11/06 21:01:10 | 000,000,000 | ---D | M] -- C:\Program Files\NETGEAR
[2008/06/04 18:44:03 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010/03/10 20:08:10 | 000,000,000 | ---D | M] -- C:\Program Files\Network Associates
[2012/05/04 22:49:53 | 000,000,000 | ---D | M] -- C:\Program Files\NVIDIA Corporation
[2012/11/07 18:22:38 | 000,000,000 | ---D | M] -- C:\Program Files\Opera
[2011/09/28 08:52:00 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook
[2010/12/15 21:54:01 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2009/03/29 01:19:36 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2012/04/04 10:14:49 | 000,000,000 | ---D | M] -- C:\Program Files\Sony Online Entertainment
[2012/11/07 18:24:09 | 000,000,000 | ---D | M] -- C:\Program Files\SpyShelter Personal Free
[2011/10/08 19:07:01 | 000,000,000 | ---D | M] -- C:\Program Files\StreamTorrent 1.0
[2011/12/15 08:19:11 | 000,000,000 | ---D | M] -- C:\Program Files\SystemRequirementsLab
[2012/05/24 06:42:39 | 000,000,000 | ---D | M] -- C:\Program Files\TeamViewer
[2011/06/06 13:11:40 | 000,000,000 | ---D | M] -- C:\Program Files\True Poker
[2011/05/14 00:12:25 | 000,000,000 | ---D | M] -- C:\Program Files\TruePoker
[2007/02/09 19:32:08 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2012/01/02 17:55:29 | 000,000,000 | ---D | M] -- C:\Program Files\Veetle
[2010/06/06 15:12:04 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live Safety Center
[2008/06/04 18:44:00 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2008/06/04 18:44:00 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2010/01/25 22:38:00 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Sidebar
[2009/01/02 21:50:32 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2012/11/07 20:18:17 | 000,000,000 | ---D | M] -- C:\Program Files\WinZip
[2012/11/07 20:25:17 | 000,000,000 | ---D | M] -- C:\Program Files\World of Warcraft
[2007/02/09 19:26:02 | 000,000,000 | ---D | M] -- C:\Program Files\xerox

< %appdata%\*.* >
[2007/02/09 13:18:30 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Bob\Application Data\desktop.ini

< MD5 for: AFD.SYS >
[2011/08/17 07:49:54 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=1E44BC1E83D8FD2305F8D452DB109CF9 -- C:\WINDOWS\system32\dllcache\afd.sys
[2011/08/17 07:49:54 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=1E44BC1E83D8FD2305F8D452DB109CF9 -- C:\WINDOWS\system32\drivers\afd.sys
[2008/04/13 13:19:23 | 000,138,112 | ---- | M] (Microsoft Corporation) MD5=322D0E36693D6E24A2398BEE62A268CD -- C:\WINDOWS\$NtUninstallKB951748$\afd.sys
[2008/04/13 13:19:23 | 000,138,112 | ---- | M] (Microsoft Corporation) MD5=322D0E36693D6E24A2398BEE62A268CD -- C:\WINDOWS\ServicePackFiles\i386\afd.sys
[2011/02/16 07:22:48 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=355556D9E580915118CD7EF736653A89 -- C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2008/10/16 09:07:58 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=38D7B715504DA4741DF35E3594FE2099 -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008/08/14 04:34:26 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=4D43E74F2A1239D53929B82600F1971C -- C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2004/08/12 08:55:46 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=5AC495F4CB807B2B98AD2AD591E6D92E -- C:\WINDOWS\$NtServicePackUninstall$\afd.sys
[2008/10/16 08:43:01 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7618D5218F2A614672EC61A80D854A37 -- C:\WINDOWS\$NtUninstallKB2503665$\afd.sys
[2008/08/14 04:04:36 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7E775010EF291DA96AD17CA4B17137D7 -- C:\WINDOWS\$NtUninstallKB2509553$\afd.sys
[2011/02/16 07:25:05 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=8D499B1276012EB907E7A9E0F4D8FDA4 -- C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2008/06/20 05:48:03 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=D6EE6014241D034E63C49A50CB2B442A -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2008/06/20 05:40:08 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=E3049B90FE06F3F740B7CFDA44995E2C -- C:\WINDOWS\$NtUninstallKB956803$\afd.sys
[2011/08/17 07:41:46 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=F6B7B1ECD7B41736BDB6FF4B092BCB79 -- C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys

< MD5 for: ATAPI.SYS >
[2004/08/12 09:06:16 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/06/04 18:41:20 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/06/04 18:41:20 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 16:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: CRYPTSVC.DLL >
[2004/08/12 08:56:36 | 000,060,416 | ---- | M] (Microsoft Corporation) MD5=10654F9DDCEA9C46CFB77554231BE73B -- C:\WINDOWS\$NtServicePackUninstall$\cryptsvc.dll
[2008/04/13 18:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=3D4E199942E29207970E04315D02AD3B -- C:\WINDOWS\ServicePackFiles\i386\cryptsvc.dll
[2008/04/13 18:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=3D4E199942E29207970E04315D02AD3B -- C:\WINDOWS\system32\cryptsvc.dll
[2008/04/13 18:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) MD5=3D4E199942E29207970E04315D02AD3B -- C:\WINDOWS\system32\dllcache\cryptsvc.dll

< MD5 for: DNSRSLVR.DLL >
[2008/04/13 18:11:52 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=474B4DC3983173E4B4C9740B0DAC98A6 -- C:\WINDOWS\$NtUninstallKB2509553$\dnsrslvr.dll
[2008/04/13 18:11:52 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=474B4DC3983173E4B4C9740B0DAC98A6 -- C:\WINDOWS\ServicePackFiles\i386\dnsrslvr.dll
[2009/04/20 11:17:26 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=5F7E24FA9EAB896051FFB87F840730D2 -- C:\WINDOWS\system32\dllcache\dnsrslvr.dll
[2009/04/20 11:17:26 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=5F7E24FA9EAB896051FFB87F840730D2 -- C:\WINDOWS\system32\dnsrslvr.dll
[2008/02/20 12:49:36 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=6333C7E182E5B6247500188D28214DEF -- C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll
[2004/08/12 08:56:58 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=7379DE06FD196E396A00AA97B990C00D -- C:\WINDOWS\$NtUninstallKB945553$\dnsrslvr.dll
[2008/02/19 23:32:43 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=AAC8FFBFD61E784FA3BAC851D4A0BD5F -- C:\WINDOWS\$NtServicePackUninstall$\dnsrslvr.dll
[2009/04/20 11:06:44 | 000,045,568 | ---- | M] (Microsoft Corporation) MD5=D977659AE4D8ECE5286D99D1ED34614D -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\dnsrslvr.dll

< MD5 for: ES.DLL >
[2008/04/13 18:11:53 | 000,246,272 | ---- | M] (Microsoft Corporation) MD5=19A799805B24990867B00C120D300C3A -- C:\WINDOWS\$NtUninstallKB950974$\es.dll
[2008/04/13 18:11:53 | 000,246,272 | ---- | M] (Microsoft Corporation) MD5=19A799805B24990867B00C120D300C3A -- C:\WINDOWS\ServicePackFiles\i386\es.dll
[2005/07/25 22:39:45 | 000,243,200 | ---- | M] (Microsoft Corporation) MD5=34BBD9ACC1538818F2C878898C64E793 -- C:\WINDOWS\$NtServicePackUninstall$\es.dll
[2005/07/25 22:20:28 | 000,243,200 | ---- | M] (Microsoft Corporation) MD5=95F5FEA4C6DE2C3F28784D0DCC8F0DD3 -- C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\es.dll
[2004/08/12 08:57:16 | 000,243,200 | ---- | M] (Microsoft Corporation) MD5=ACD36A2DD7D1E9D8A060AA651DC07E63 -- C:\WINDOWS\$NtUninstallKB902400$\es.dll
[2008/07/07 14:26:58 | 000,253,952 | ---- | M] (Microsoft Corporation) MD5=D4991D98F2DB73C60D042F1AEF79EFAE -- C:\WINDOWS\system32\es.dll
[2008/07/07 14:23:18 | 000,253,952 | ---- | M] (Microsoft Corporation) MD5=F17F6226BDC0CD5F0BEF0DAF84D29BEC -- C:\WINDOWS\$hf_mig$\KB950974\SP3QFE\es.dll

< MD5 for: EXPLORER.EXE >
[2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 05:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 04:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/12 08:57:20 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: IPNATHLP.DLL >
[2004/08/12 08:58:10 | 000,331,264 | ---- | M] (Microsoft Corporation) MD5=36CC8C01B5E50163037BEF56CB96DEFF -- C:\WINDOWS\$NtServicePackUninstall$\ipnathlp.dll
[2008/04/13 18:11:55 | 000,331,264 | ---- | M] (Microsoft Corporation) MD5=83F41D0D89645D7235C051AB1D9523AC -- C:\WINDOWS\ServicePackFiles\i386\ipnathlp.dll
[2008/04/13 18:11:55 | 000,331,264 | ---- | M] (Microsoft Corporation) MD5=83F41D0D89645D7235C051AB1D9523AC -- C:\WINDOWS\system32\ipnathlp.dll

< MD5 for: IPSEC.SYS >
[2008/04/13 13:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\ServicePackFiles\i386\ipsec.sys
[2008/04/13 13:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\system32\dllcache\ipsec.sys
[2008/04/13 13:19:42 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=23C74D75E36E7158768DD63D92789A91 -- C:\WINDOWS\system32\drivers\ipsec.sys
[2004/08/12 08:58:14 | 000,074,752 | ---- | M] (Microsoft Corporation) MD5=64537AA5C003A6AFEEE1DF819062D0D1 -- C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys

< MD5 for: NETBT.SYS >
[2004/08/12 09:01:48 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=0C80E410CD2F47134407EE7DD19CC86B -- C:\WINDOWS\$NtServicePackUninstall$\netbt.sys
[2008/04/13 13:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\ServicePackFiles\i386\netbt.sys
[2008/04/13 13:21:00 | 000,162,816 | ---- | M] (Microsoft Corporation) MD5=74B2B2F5BEA5E9A3DC021D685551BD3D -- C:\WINDOWS\system32\drivers\netbt.sys

< MD5 for: NETMAN.DLL >
[2008/04/13 18:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) MD5=13E67B55B3ABD7BF3FE7AAE5A0F9A9DE -- C:\WINDOWS\ServicePackFiles\i386\netman.dll
[2008/04/13 18:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) MD5=13E67B55B3ABD7BF3FE7AAE5A0F9A9DE -- C:\WINDOWS\system32\netman.dll
[2005/08/22 12:24:55 | 000,197,632 | ---- | M] (Microsoft Corporation) MD5=3516D8A18B36784B1005B950B84232E1 -- C:\WINDOWS\$hf_mig$\KB905414\SP2QFE\netman.dll
[2005/08/22 12:29:46 | 000,197,632 | ---- | M] (Microsoft Corporation) MD5=36739B39267914BA69AD0610A0299732 -- C:\WINDOWS\$NtServicePackUninstall$\netman.dll
[2004/08/12 09:02:02 | 000,198,144 | ---- | M] (Microsoft Corporation) MD5=DAB9E6C7105D2EF49876FE92C524F565 -- C:\WINDOWS\$NtUninstallKB905414$\netman.dll

< MD5 for: QMGR.DLL >
[2004/08/12 09:03:54 | 000,382,464 | ---- | M] (Microsoft Corporation) MD5=2C69EC7E5A311334D10DD95F338FCCEA -- C:\WINDOWS\$NtServicePackUninstall$\qmgr.dll
[2008/04/13 18:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\ServicePackFiles\i386\qmgr.dll
[2008/04/13 18:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\bits\qmgr.dll
[2008/04/13 18:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\qmgr.dll

< MD5 for: RPCSS.DLL >
[2008/04/13 18:12:04 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=2589FE6015A316C0F5D5112B4DA7B509 -- C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2008/04/13 18:12:04 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=2589FE6015A316C0F5D5112B4DA7B509 -- C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2004/08/12 09:04:26 | 000,395,776 | ---- | M] (Microsoft Corporation) MD5=5C83A4408604F737717AB96371201680 -- C:\WINDOWS\$NtUninstallKB894391$\rpcss.dll

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction

========== Alternate Data Streams ==========

@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C43ED645

< End of report >


Re: Possible Virus?

Post by bobu on 8th November 2012, 4:08 am

# AdwCleaner v2.007 - Logfile created 11/07/2012 at 22:03:31
# Updated 06/11/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Bob - WARCRAFT
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Bob\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\searchplugins\MyStart Search.xml
File Deleted : C:\user.js
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\vshare@toolbar
Folder Deleted : C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\FCTB
Folder Deleted : C:\Documents and Settings\Bob\Application Data\vShare
Folder Deleted : C:\Documents and Settings\Bob\Local Settings\Application Data\iBryte
Folder Deleted : C:\Documents and Settings\Bob\Local Settings\Application Data\Wajam

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\AppDataLow\Software\Freecause
Key Deleted : HKCU\Software\IB Updater
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{336D0C35-8A85-403a-B9D2-65C292C39087}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F9639E4A-801B-4843-AEE3-03D9DA199E77}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{336D0C35-8A85-403a-B9D2-65C292C39087}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9639E4A-801B-4843-AEE3-03D9DA199E77}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD6D90C0-E6EE-4BC6-B9F7-9ED319698007}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\PIP
Key Deleted : HKCU\Software\vShare
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\AxSHDocVw.AxWebBrowser
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6823F25B-4D75-38A1-A163-7C696B45701F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{20ED5AF7-D9C4-409E-9EB3-D2A44A77FB6D}
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\vsharechrome
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3E315C81-442B-431C-AEC8-ED189699EC24}
Key Deleted : HKLM\SOFTWARE\Classes\vShare.IMedixProtocol
Key Deleted : HKLM\SOFTWARE\Classes\vShare.IMedixProtocol.1
Key Deleted : HKLM\SOFTWARE\Classes\vShare.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\vShare.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\vShare.ScriptHelpers
Key Deleted : HKLM\SOFTWARE\Classes\vShare.ScriptHelpers.1
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp
Key Deleted : HKLM\Software\IB Updater
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{043C5167-00BB-4324-AF7E-62013FAEDACF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3B7599DF-3D5D-4EF5-BF51-9C2EDA788E83}
Key Deleted : HKLM\Software\PIP
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{043C5167-00BB-4324-AF7E-62013FAEDACF}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{043C5167-00BB-4324-AF7E-62013FAEDACF}]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{336D0C35-8A85-403a-B9D2-65C292C39087}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\prefs.js

C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\user.js ... Deleted !

Deleted : user_pref("browser.newtab.url", "hxxp://mystart.incredibar.com/mb185?a=6R8KzWemip&i=26");
Deleted : user_pref("browser.search.defaultenginename", "MyStart Search");
Deleted : user_pref("browser.search.selectedEngine", "MyStart Search");
Deleted : user_pref("extensions.incredibar.admin", false);
Deleted : user_pref("extensions.incredibar.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar.cntry", "US");
Deleted : user_pref("extensions.incredibar.dfltLng", "");
Deleted : user_pref("extensions.incredibar.dfltSrch", false);
Deleted : user_pref("extensions.incredibar.did", "10678");
Deleted : user_pref("extensions.incredibar.envrmnt", "production");
Deleted : user_pref("extensions.incredibar.excTlbr", false);
Deleted : user_pref("extensions.incredibar.hdrMd5", "C6075E93239C413D519E43900FD799BC");
Deleted : user_pref("extensions.incredibar.hmpg", false);
Deleted : user_pref("extensions.incredibar.id", "5e7c08c0000000000000001ee5fc174f");
Deleted : user_pref("extensions.incredibar.installerproductid", "26");
Deleted : user_pref("extensions.incredibar.instlDay", "15652");
Deleted : user_pref("extensions.incredibar.instlRef", "");
Deleted : user_pref("extensions.incredibar.isDcmntCmplt", true);
Deleted : user_pref("extensions.incredibar.lastVrsnTs", "1.5.11.1419:51:13");
Deleted : user_pref("extensions.incredibar.mntrvrsn", "1.2.0");
Deleted : user_pref("extensions.incredibar.newTab", false);
Deleted : user_pref("extensions.incredibar.noFFXTlbr", false);
Deleted : user_pref("extensions.incredibar.ppd", "111");
Deleted : user_pref("extensions.incredibar.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar.productid", "26");
Deleted : user_pref("extensions.incredibar.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar.sg", "none");
Deleted : user_pref("extensions.incredibar.smplGrp", "none");
Deleted : user_pref("extensions.incredibar.tlbrId", "base");
Deleted : user_pref("extensions.incredibar.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6R8KzWemip&loc=IB_T[...]
Deleted : user_pref("extensions.incredibar.upn2", "6R8KzWemip");
Deleted : user_pref("extensions.incredibar.upn2n", "92825363526366237");
Deleted : user_pref("extensions.incredibar.vrsn", "1.5.11.14");
Deleted : user_pref("extensions.incredibar.vrsnTs", "1.5.11.1419:51:13");
Deleted : user_pref("extensions.incredibar.vrsni", "1.5.11.14");
Deleted : user_pref("extensions.incredibar_i.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar_i.dfltLng", "");
Deleted : user_pref("extensions.incredibar_i.did", "10678");
Deleted : user_pref("extensions.incredibar_i.excTlbr", false);
Deleted : user_pref("extensions.incredibar_i.id", "5e7c08c0000000000000001ee5fc174f");
Deleted : user_pref("extensions.incredibar_i.installerproductid", "26");
Deleted : user_pref("extensions.incredibar_i.instlDay", "15652");
Deleted : user_pref("extensions.incredibar_i.instlRef", "");
Deleted : user_pref("extensions.incredibar_i.ms_url_id", "");
Deleted : user_pref("extensions.incredibar_i.newTab", false);
Deleted : user_pref("extensions.incredibar_i.ppd", "111");
Deleted : user_pref("extensions.incredibar_i.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar_i.productid", "26");
Deleted : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar_i.smplGrp", "none");
Deleted : user_pref("extensions.incredibar_i.tlbrId", "base");
Deleted : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6R8KzWemip&loc=IB[...]
Deleted : user_pref("extensions.incredibar_i.upn2", "6R8KzWemip");
Deleted : user_pref("extensions.incredibar_i.upn2n", "92825363526366237");
Deleted : user_pref("extensions.incredibar_i.vrsn", "1.5.11.14");
Deleted : user_pref("extensions.incredibar_i.vrsnTs", "1.5.11.1419:51:13");
Deleted : user_pref("extensions.incredibar_i.vrsni", "1.5.11.14");
Deleted : user_pref("freecause70263cf9d46a4be4adc629500ba884e1.DNSCatch", false);
Deleted : user_pref("freecause70263cf9d46a4be4adc629500ba884e1.FirstLaunchShown", true);
Deleted : user_pref("freecause70263cf9d46a4be4adc629500ba884e1.LastDate", 10);
Deleted : user_pref("freecause70263cf9d46a4be4adc629500ba884e1.customNewTab", false);
Deleted : user_pref("freecause70263cf9d46a4be4adc629500ba884e1.processAddrBar", false);
Deleted : user_pref("freecause70263cf9d46a4be4adc629500ba884e1.tb_lang", "en");
Deleted : user_pref("freecause70263cf9d46a4be4adc629500ba884e1.user_id", "38318643");
Deleted : user_pref("freecause70263cf9d46a4be4adc629500ba884e1.vars.disablecuidinject", "1");
Deleted : user_pref("freecause70263cf9d46a4be4adc629500ba884e1.vars.lastcheck", "Thu%20Nov%2010%202011%2011%3A[...]
Deleted : user_pref("freecause70263cf9d46a4be4adc629500ba884e1.yahooSearch", false);
Deleted : user_pref("keyword.URL", "hxxp://mystart.incredibar.com/mb185/?loc=IB_DS&a=6R8KzWemip&&i=26&search="[...]

-\\ Opera v12.2.1578.0

File : C:\Documents and Settings\Bob\Application Data\Opera\Opera\operaprefs.ini

Deleted : Home URL=hxxp://mystart.incredibar.com/mb185?a=6R8KzWemip&i=26

*************************

AdwCleaner[S1].txt - [11120 octets] - [07/11/2012 22:03:31]

########## EOF - C:\AdwCleaner[S1].txt - [11181 octets] ##########


Re: Possible Virus?

Post by bobu on 8th November 2012, 4:09 am

OTL Extras logfile created on: 11/7/2012 9:35:36 PM - Run 1
OTL by OldTimer - Version 3.2.70.1 Folder = C:\Documents and Settings\Bob\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.50 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
4.84 Gb Paging File | 4.50 Gb Available in Paging File | 92.98% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 128.00 Gb Total Space | 74.80 Gb Free Space | 58.44% Space Free | Partition Type: NTFS

Computer Name: WARCRAFT | User Name: Bob | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = htmlfile] -- Reg Error: Unable to open value key File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
https [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Unable to open value key
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Unable to open value key
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Veetle\Player\VeetleNet.exe" = C:\Program Files\Veetle\Player\VeetleNet.exe:*:Enabled:VeetleNet -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Quake2\r1q2.exe" = C:\Quake2\r1q2.exe:*:Enabled:R1Q2 - Enhanced Quake II Client/Server -- (r1ch.net)
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Turbine\The Lord of the Rings Online\lotroclient.exe" = C:\Program Files\Turbine\The Lord of the Rings Online\lotroclient.exe:*:Disabled:lotroclient
"C:\WINDOWS\system32\sessmgr.exe" = C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe" = C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe:*:Disabled:TurbineMessageService
"C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe" = C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe:*:Disabled:TurbineNetworkService
"C:\Documents and Settings\Bob\Local Settings\temp\wz125a\Repair.exe" = C:\Documents and Settings\Bob\Local Settings\temp\wz125a\Repair.exe:*:Enabled:Blizzard Repair Utility
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader
"C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Sony Online Entertainment\Station Launcher\main\VivoxVoiceService.exe" = C:\Program Files\Sony Online Entertainment\Station Launcher\main\VivoxVoiceService.exe:*:Enabled:VivoxVoiceService
"C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\Safari\Safari.exe" = C:\Program Files\Safari\Safari.exe:*:Enabled:Safari
"C:\WINDOWS\network diagnostic\xpnetdiag.exe" = C:\WINDOWS\network diagnostic\xpnetdiag.exe:*:Enabled:Network Diagnostic for Windows XP -- (Microsoft Corporation)
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" = C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (Network Associates, Inc.)
"C:\Program Files\StreamTorrent 1.0\StreamTorrent.exe" = C:\Program Files\StreamTorrent 1.0\StreamTorrent.exe:*:Enabled:StreamTorrent Media Player -- (StreamTorrent)
"C:\Program Files\World of Warcraft\wow-2.1.1.1897-enUS-tools-downloader.exe" = C:\Program Files\World of Warcraft\wow-2.1.1.1897-enUS-tools-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\Launcher.patch.exe" = C:\Program Files\World of Warcraft\Launcher.patch.exe:*:Enabled:Blizzard Launcher
"C:\Documents and Settings\Bob\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.] = C:\Documents and Settings\Bob\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.] add-in for Adobe Flash Player -- (Octoshape ApS)
"C:\Program Files\World of Warcraft\Blizzard Downloader.exe" = C:\Program Files\World of Warcraft\Blizzard Downloader.exe:*:Enabled:Blizzard Downloader
"C:\Program Files\iBryte\browseforchange\ibrytedesktop.exe" = C:\Program Files\iBryte\browseforchange\ibrytedesktop.exe:*:Enabled:iBryteDesktop
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Program Files\Veetle\Player\VeetleNet.exe" = C:\Program Files\Veetle\Player\VeetleNet.exe:*:Enabled:VeetleNet -- ()
"C:\Program Files\World of Warcraft\Temp\wow-4.2.1.2727-enUS-tools-downloader.exe" = C:\Program Files\World of Warcraft\Temp\wow-4.2.1.2727-enUS-tools-downloader.exe:*:Enabled:wow-4.2.1.2727-enUS-tools-downloader
"C:\Program Files\World of Warcraft\Temp\wow-4.2.1.2730-enUS-tools-downloader.exe" = C:\Program Files\World of Warcraft\Temp\wow-4.2.1.2730-enUS-tools-downloader.exe:*:Enabled:wow-4.2.1.2730-enUS-tools-downloader.exe
"C:\Program Files\Sony Online Entertainment\Installed Games\EverQuest\EQVoiceService.exe" = C:\Program Files\Sony Online Entertainment\Installed Games\EverQuest\EQVoiceService.exe:*:Enabled:EQVoiceService -- (Vivox Inc.)
"C:\Program Files\World of Warcraft\Temp\wow-4.2.1.2736-enUS-tools-downloader.exe" = C:\Program Files\World of Warcraft\Temp\wow-4.2.1.2736-enUS-tools-downloader.exe:*:Enabled:wow-4.2.1.2736-enUS-tools-downloader
"C:\Program Files\TeamViewer\Version7\TeamViewer.exe" = C:\Program Files\TeamViewer\Version7\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)
"C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe" = C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe:*:Enabled:Teamviewer Remote Control Service -- (TeamViewer GmbH)
"C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe" = C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe:*:Enabled:Opera Internet Browser - Plugin wrapper
"C:\Program Files\World of Warcraft\Temp\WoW-4.3-5.0.15890-enUS-Downloader.exe" = C:\Program Files\World of Warcraft\Temp\WoW-4.3-5.0.15890-enUS-Downloader.exe:*:Enabled:WoW-4.3-5.0.15890-enUS-Downloader
"C:\Documents and Settings\All Users\Application Data\Battle.net\Agent\Agent.1040\Agent.exe" = C:\Documents and Settings\All Users\Application Data\Battle.net\Agent\Agent.1040\Agent.exe:*:Enabled:Blizzard Agent
"C:\Documents and Settings\All Users\Application Data\Battle.net\Agent\Agent.1267\Agent.exe" = C:\Documents and Settings\All Users\Application Data\Battle.net\Agent\Agent.1267\Agent.exe:*:Enabled:Battle.net Update Agent -- (Blizzard Entertainment)
"C:\Documents and Settings\All Users\Application Data\Battle.net\Agent\Agent.1363\Agent.exe" = C:\Documents and Settings\All Users\Application Data\Battle.net\Agent\Agent.1363\Agent.exe:*:Enabled:Battle.net Update Agent -- (Blizzard Entertainment)
"C:\WINDOWS\system32\dmwu.exe" = C:\WINDOWS\system32\dmwu.exe:*:Enabled:dmwu
"C:\WINDOWS\system32\ARFC\wrtc.exe" = C:\WINDOWS\system32\ARFC\wrtc.exe:*:Enabled:wrtc


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 24
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4DDC3BED-CC68-44AA-B435-D727B620CA5B}" = Linksys Wireless-G PCI Adapter
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{718CF0D3-DCDF-428E-9F6C-258F065C8D6D}" = McAfee Desktop Firewall 8.5
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{943A8D28-80D6-41DC-AE94-81FEB42041BF}" = System Requirements Lab CYRI
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}" = Wizard101
"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{B2FE1952-0186-46c3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 296.10
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 296.10
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView" = NVIDIA nView 136.18
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}" = WinZip 11.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"9A147762-0190-4F8B-B8C9-64A6A6838F5C" = True Poker
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Avira AntiVir Desktop" = Avira Free Antivirus
"CCleaner" = CCleaner
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft.Net.Client.3.5" = Microsoft .NET Framework Client Profile - PREVIEW
"Mozilla Firefox 15.0.1 (x86 en-US)" = Mozilla Firefox 15.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Opera 12.02.1578" = Opera 12.02
"Quake2UninstallKey" = Quake II
"RCA Detective™_is1" = RCA Detective™ 3.0.3.0
"RCA easyRip_is1" = RCA easyRip 2.5.7.0
"RCA Updater_is1" = RCA Updater 2.1.7.0
"StreamTorrent 1.0" = StreamTorrent 1.0
"SystemRequirementsLab" = System Requirements Lab
"TeamViewer 7" = TeamViewer 7
"Veetle TV" = Veetle TV
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player
"SOE-EverQuest" = EverQuest
"SOE-EverQuest (2)" = EverQuest (2)

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 5/5/2012 12:47:58 AM | Computer Name = WARCRAFT | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/5/2012 12:48:10 AM | Computer Name = WARCRAFT | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/5/2012 12:51:06 AM | Computer Name = WARCRAFT | Source = MsiInstaller | ID = 11714
Description = Product: NVIDIA PhysX -- Error 1714. The older version of NVIDIA PhysX
cannot be removed. Contact your technical support group. System Error 1612.

Error - 5/5/2012 12:51:43 AM | Computer Name = WARCRAFT | Source = MsiInstaller | ID = 11714
Description = Product: NVIDIA PhysX -- Error 1714. The older version of NVIDIA PhysX
cannot be removed. Contact your technical support group. System Error 1612.

Error - 5/12/2012 1:45:41 PM | Computer Name = WARCRAFT | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/12/2012 1:45:48 PM | Computer Name = WARCRAFT | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/26/2012 8:23:32 PM | Computer Name = WARCRAFT | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/26/2012 8:23:32 PM | Computer Name = WARCRAFT | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/28/2012 10:29:44 PM | Computer Name = WARCRAFT | Source = Application Error | ID = 1000
Description = Faulting application avconfig.exe, version 12.3.0.28, faulting module
hhctrl.ocx, version 5.2.3790.4110, fault address 0x00013004.

Error - 8/28/2012 10:30:07 PM | Computer Name = WARCRAFT | Source = Application Error | ID = 1000
Description = Faulting application avcenter.exe, version 12.3.0.15, faulting module
hhctrl.ocx, version 5.2.3790.4110, fault address 0x00013004.

[ System Events ]
Error - 11/7/2012 10:17:50 PM | Computer Name = WARCRAFT | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 11/7/2012 10:17:50 PM | Computer Name = WARCRAFT | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 11/7/2012 10:17:50 PM | Computer Name = WARCRAFT | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 11/7/2012 10:17:50 PM | Computer Name = WARCRAFT | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 11/7/2012 10:17:50 PM | Computer Name = WARCRAFT | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 11/7/2012 10:17:50 PM | Computer Name = WARCRAFT | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 11/7/2012 10:22:31 PM | Computer Name = WARCRAFT | Source = Service Control Manager | ID = 7000
Description = The ASInsHelp service failed to start due to the following error:
%%2

Error - 11/7/2012 10:22:31 PM | Computer Name = WARCRAFT | Source = Service Control Manager | ID = 7024
Description = The Avira Realtime Protection service terminated with service-specific
error 306 (0x132).

Error - 11/7/2012 11:07:42 PM | Computer Name = WARCRAFT | Source = Service Control Manager | ID = 7000
Description = The ASInsHelp service failed to start due to the following error:
%%2

Error - 11/7/2012 11:07:42 PM | Computer Name = WARCRAFT | Source = Service Control Manager | ID = 7024
Description = The Avira Realtime Protection service terminated with service-specific
error 306 (0x132).


< End of report >

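One way to triage the "Authorized Applications List" block of the OTL log above, as an added example that is not part of the original thread and not OTL's own code. Windows XP stores each firewall exception as `<path>:<scope>:<Enabled|Disabled>:<display name>`, and OTL prints the value and appends ` -- (Company)` when the file carries a company name. The script parses those lines and flags entries that deserve a hash lookup and a signature check before they are trusted: binaries under `C:\WINDOWS` for which OTL printed no company name, and binaries that run from temporary or user-writable folders. The sample lines are copied from the log; the flagging rules are this example's own heuristics and say nothing about whether a given file is malicious.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# XP keeps firewall exceptions under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
# Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List as
#   <path>:<scope>:<Enabled|Disabled>:<display name>
# OTL prints each value as  "<value name>" = <value>  and appends " -- (Company)"
# when the file's version resource carries a company name.
ENTRY = re.compile(
    r'^"(?P<key>[^"]+)" = (?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):'
    r'(?P<name>.*?)(?: -- \((?P<company>[^)]*)\))?$'
)

# Sample input: five lines copied from the OTL log in the post above.
SAMPLE = r'''
"C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe" = C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe:*:Enabled:Teamviewer Remote Control Service -- (TeamViewer GmbH)
"C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe" = C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe:*:Enabled:Opera Internet Browser - Plugin wrapper
"C:\Program Files\World of Warcraft\Temp\WoW-4.3-5.0.15890-enUS-Downloader.exe" = C:\Program Files\World of Warcraft\Temp\WoW-4.3-5.0.15890-enUS-Downloader.exe:*:Enabled:WoW-4.3-5.0.15890-enUS-Downloader
"C:\WINDOWS\system32\dmwu.exe" = C:\WINDOWS\system32\dmwu.exe:*:Enabled:dmwu
"C:\WINDOWS\system32\ARFC\wrtc.exe" = C:\WINDOWS\system32\ARFC\wrtc.exe:*:Enabled:wrtc
'''


@dataclass
class FirewallEntry:
    path: str
    scope: str      # '*' means any remote address
    state: str      # Enabled or Disabled
    name: str
    company: Optional[str]


def parse_authorized_apps(text: str) -> List[FirewallEntry]:
    """Parse OTL 'Authorized Applications List' lines; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(FirewallEntry(m["path"], m["scope"], m["state"], m["name"], m["company"]))
    return entries


# Heuristics of this example (assumptions, not OTL's): a file in the Windows directory
# with no company name, or a file in a temporary or user-writable folder, is worth a
# hash lookup and an Authenticode check before its firewall exception is trusted.
WINDOWS_DIR = "c:\\windows\\"
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")


def triage(entry: FirewallEntry) -> List[str]:
    reasons = []
    low = entry.path.lower()
    if low.startswith(WINDOWS_DIR) and entry.company is None:
        reasons.append("in the Windows directory but OTL recorded no company name")
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from a temporary or user-writable location")
    return reasons


def flagged(entries: List[FirewallEntry]) -> Dict[str, List[str]]:
    """Map path -> reasons for every enabled exception that trips at least one heuristic."""
    return {e.path: triage(e) for e in entries if e.state == "Enabled" and triage(e)}


if __name__ == "__main__":
    for path, reasons in flagged(parse_authorized_apps(SAMPLE)).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the two system32 binaries with no company name and the downloader living in a Temp folder are listed; the TeamViewer service and the Opera plugin wrapper are not. A flag here is a prompt to check the file, not a verdict.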

Re: Possible Virus?

Post by Rodel Ituralde on 8th November 2012, 4:46 am

Hello, and welcome to GeekPolice.

I'm Rodel Ituralde and I will be helping you with your issues.

Please note the following information about the malware forum:

  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or see [You must be registered and logged in to see this link.]

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.


I am a student and will need to get approval prior to each step. I will return shortly with the first step.



Rodel Ituralde
Senior

Posts : 387
Joined : 2011-01-27
Gender : Male
OS : Windows 7 Home Edition 32-bit, Windows 7 Home Edition 64-bit and Ubuntu 10.4
Protection : avast!, SpywareBlaster, MBAM
Points : 23022
# Likes : 0

Re: Possible Virus?

Post by Rodel Ituralde on 8th November 2012, 11:21 am

Hey bobu,

Please run OTL.exe.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTL
    IE - HKCU\..\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}: "URL" = [You must be registered and logged in to see this link.]
    IE - HKCU\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = [You must be registered and logged in to see this link.]
    IE - HKCU\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = [You must be registered and logged in to see this link.]
    FF - prefs.js..browser.search.defaultenginename: "MyStart Search"
    FF - prefs.js..browser.search.selectedEngine: "MyStart Search"
    FF - prefs.js..extensions.enabledAddons: [You must be registered and logged in to see this link.]:0.2
    FF - prefs.js..keyword.URL: "http://mystart.incredibar.com/mb185/?loc=IB_DS&a=6R8KzWemip&&i=26&search="
    [2012/07/17 06:20:43 | 000,000,000 | ---D | M] (ShopToWin12) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\{70263cf9-d46a-4be4-adc6-29500ba884e1}
    [2011/07/02 16:25:56 | 000,000,000 | ---D | M] (Browse For Change) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\browseforchange@browseforchange.com
    [2010/12/03 22:48:49 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\vshare@toolbar
    [2010/08/15 18:16:02 | 000,001,954 | ---- | M] () -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\searchplugins\bing-zugo.xml
    [2011/07/02 16:25:56 | 000,002,230 | ---- | M] () -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\searchplugins\iBryte_browseforchange.xml
    [2012/11/07 19:51:02 | 000,002,203 | ---- | M] () -- C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\searchplugins\MyStart Search.xml
    O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll File not found
    O3 - HKLM\..\Toolbar: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - {06C7AD57-B655-418D-9AB8-9526A6D2E052} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKCU\..\Toolbar\Webbrowser: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll File not found
    O4 - HKLM..\Run: [iBryte browseforchange Desktop] C:\Program Files\iBryte\browseforchange\ibrytedesktop.exe File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites)
    O18 - Protocol\Handler\vsharechrome {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll File not found
    [2012/11/07 19:51:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bob\Local Settings\Application Data\Wajam

    :Commands
    [EmptyFlash]
    [Reboot]


  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=====

Also please download aswMBR from [You must be registered and logged in to see this link.].

  • Save aswMBR.exe to your Desktop.
  • Double click aswMBR.exe to run it.
  • Click the Scan button to start the scan as illustrated below.




Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are [You must be registered and logged in to see this link.].


  • Once the scan finishes click Save log to save the log to your Desktop.


  • Copy and paste the contents of aswMBR.txt back here for review.


=====

In your reply please post the contents of the following logs:
  • OTL fix log.
  • aswMBR.txt.


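The FF lines in the fix script above target the usual Firefox search-hijack footprint in the profile's prefs.js: `keyword.URL`, the default and selected engine names, and `extensions.enabledAddons`. The script below is an added example, not code from the thread or from OTL: it reads a prefs.js, decodes the `user_pref` values and reports the entries that do not match an allowlist the analyst supplies. The prefs.js excerpt is constructed from the values quoted in the fix; the `extensions.enabledAddons` value is an assumption (the page elides it) built from the browseforchange@browseforchange.com add-on and the ":0.2" version the fix shows, and the expected-engine set is the analyst's choice for this machine.

```python
import json
import re
from typing import Any, Dict, List, Set
from urllib.parse import unquote, urlsplit

PREF_LINE = re.compile(r'^user_pref\("((?:[^"\\]|\\.)+)",\s*(.*)\);$')

# Constructed prefs.js excerpt.  The engine names and keyword.URL are the values quoted
# in the OTL fix; the extensions.enabledAddons value is an assumption, since the page
# elides it.  Firefox percent-encodes the '@' in add-on ids inside that pref.
SAMPLE_PREFS = r'''
# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "MyStart Search");
user_pref("browser.search.selectedEngine", "MyStart Search");
user_pref("keyword.URL", "http://mystart.incredibar.com/mb185/?loc=IB_DS&a=6R8KzWemip&&i=26&search=");
user_pref("extensions.enabledAddons", "browseforchange%40browseforchange.com:0.2");
user_pref("browser.startup.homepage_override.mstone", "15.0.1");
user_pref("network.cookie.cookieBehavior", 0);
'''


def parse_prefs(text: str) -> Dict[str, Any]:
    """Turn user_pref("name", value); lines into a dict; values decode as JSON scalars."""
    prefs: Dict[str, Any] = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)      # "string", true/false, 0
        except ValueError:
            prefs[name] = raw                  # leave anything odd untouched
    return prefs


def audit_search_prefs(prefs: Dict[str, Any], expected_engines: Set[str],
                       trusted_addons: Set[str]) -> List[Dict[str, Any]]:
    """Report search-related prefs that do not match what the analyst expects."""
    findings: List[Dict[str, Any]] = []
    # keyword.URL is empty by default; any user value sends address-bar searches there.
    kw = prefs.get("keyword.URL")
    if isinstance(kw, str) and kw:
        findings.append({"pref": "keyword.URL", "value": kw,
                         "host": urlsplit(kw).hostname,
                         "reason": "address-bar searches are redirected to this URL"})
    for pref in ("browser.search.defaultenginename", "browser.search.selectedEngine"):
        engine = prefs.get(pref)
        if engine is not None and engine not in expected_engines:
            findings.append({"pref": pref, "value": engine,
                             "reason": "search engine is not one the user chose"})
    # enabledAddons is a comma-separated list of <id>:<version>, id percent-encoded.
    for item in str(prefs.get("extensions.enabledAddons", "")).split(","):
        if not item:
            continue
        addon_id = unquote(item.rsplit(":", 1)[0])
        if addon_id not in trusted_addons:
            findings.append({"pref": "extensions.enabledAddons", "value": addon_id,
                             "reason": "enabled add-on is not in the trusted list"})
    return findings


if __name__ == "__main__":
    # The allowlists are the analyst's assumptions for this particular machine.
    for f in audit_search_prefs(parse_prefs(SAMPLE_PREFS), {"Google", "Bing"}, set()):
        print(f["pref"], "->", f["value"], ":", f["reason"])
```

Against the sample this reports the redirected `keyword.URL` (host mystart.incredibar.com), both engine prefs pointing at "MyStart Search", and the browseforchange add-on. Running the same audit after a fix, on the profile's current prefs.js, is a cheap way to confirm the entries really went away rather than being re-written on the next browser start.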

Re: Possible Virus?

Post by bobu on 8th November 2012, 11:58 am

I ran the OTL but rebooted before I got the log.


Re: Possible Virus?

Post by bobu on 8th November 2012, 5:19 pm

Do I need to run the OTL again?


Re: Possible Virus?

Post by Rodel Ituralde on 8th November 2012, 8:38 pm

Hey bobu,

You should find the log at: C:\_OTL\MovedFiles or similar.


Re: Possible Virus?

Post by bobu on 8th November 2012, 10:36 pm

========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}\ not found.
Prefs.js: "MyStart Search" removed from browser.search.defaultenginename
Prefs.js: "MyStart Search" removed from browser.search.selectedEngine
Prefs.js: [You must be registered and logged in to see this link.]:0.2 removed from extensions.enabledAddons
Prefs.js: "http://mystart.incredibar.com/mb185/?loc=IB_DS&a=6R8KzWemip&&i=26&search=" removed from keyword.URL
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\{70263cf9-d46a-4be4-adc6-29500ba884e1}\META-INF folder moved successfully.
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\{70263cf9-d46a-4be4-adc6-29500ba884e1}\chrome\skin folder moved successfully.
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\{70263cf9-d46a-4be4-adc6-29500ba884e1}\chrome\content\locale folder moved successfully.
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\{70263cf9-d46a-4be4-adc6-29500ba884e1}\chrome\content folder moved successfully.
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\{70263cf9-d46a-4be4-adc6-29500ba884e1}\chrome folder moved successfully.
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\{70263cf9-d46a-4be4-adc6-29500ba884e1} folder moved successfully.
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\browseforchange@browseforchange.com\chrome\content\images folder moved successfully.
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\browseforchange@browseforchange.com\chrome\content\charity folder moved successfully.
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\browseforchange@browseforchange.com\chrome\content folder moved successfully.
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\browseforchange@browseforchange.com\chrome folder moved successfully.
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\browseforchange@browseforchange.com folder moved successfully.
Folder C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\extensions\vshare@toolbar\ not found.
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\searchplugins\bing-zugo.xml moved successfully.
C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\searchplugins\iBryte_browseforchange.xml moved successfully.
File C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ncwupgmk.default\searchplugins\MyStart Search.xml not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{043C5167-00BB-4324-AF7E-62013FAEDACF} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{06C7AD57-B655-418D-9AB8-9526A6D2E052} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06C7AD57-B655-418D-9AB8-9526A6D2E052}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser\\{043C5167-00BB-4324-AF7E-62013FAEDACF} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\iBryte browseforchange Desktop deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clonewarsadventures.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\freerealms.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\soe.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sony.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\vsharechrome\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484}\ not found.
File {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll File not found not found.
Folder C:\Documents and Settings\Bob\Local Settings\Application Data\Wajam\ not found.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator

User: All Users

User: Bob
->Flash cache emptied: 1233806 bytes

User: Default User

User: LocalService
->Flash cache emptied: 492 bytes

User: NetworkService
->Flash cache emptied: 610 bytes

Total Flash Files Cleaned = 1.00 mb


OTL by OldTimer - Version 3.2.70.1 log created on 11082012_055021


Re: Possible Virus?

Post by bobu on 8th November 2012, 10:39 pm

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-11-08 16:37:20
-----------------------------
16:37:20.765 OS Version: Windows 5.1.2600 Service Pack 3
16:37:20.765 Number of processors: 2 586 0x403
16:37:20.765 ComputerName: WARCRAFT UserName: Bob
16:37:21.250 Initialize success
16:37:46.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
16:37:46.859 Disk 0 Vendor: WDC_WD16 02.0 Size: 152627MB BusType: 3
16:37:46.859 Disk 0 MBR read successfully
16:37:46.859 Disk 0 MBR scan
16:37:46.859 Disk 0 Windows XP default MBR code
16:37:46.859 Disk 0 MBR hidden
16:37:46.859 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 131069 MB offset 63
16:37:46.859 Disk 0 scanning sectors +268430085
16:37:46.906 Disk 0 scanning C:\WINDOWS\system32\drivers
16:37:51.562 Service scanning
16:37:59.453 Modules scanning
16:38:03.421 Disk 0 trace - called modules:
16:38:03.437 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x898874b1]<<
16:38:03.437 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa05ab8]
16:38:03.437 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> [0x88cb4030]
16:38:03.437 \Driver\iastor[0x89fff8a0] -> IRP_MJ_CREATE -> 0x898874b1
16:38:03.437 Scan finished successfully
16:38:11.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bob\Desktop\MBR.dat"
16:38:11.796 The log file has been saved successfully to "C:\Documents and Settings\Bob\Desktop\aswMBR.txt"


Re: Possible Virus?

Post by Rodel Ituralde on 9th November 2012, 11:25 am

Hey bobu,

Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.




Re: Possible Virus?

Post by bobu on 9th November 2012, 2:29 pm

GMER 1.0.15.15641 - [You must be registered and logged in to see this link.]
Rootkit scan 2012-11-09 08:27:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD16 rev.02.0
Running: gmer.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\pxloqpob.sys


---- System - GMER 1.0.15 ----

SSDT A8CE61E4 ZwClose
SSDT A8CE619E ZwCreateKey
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee Desktop Firewall Application Firewall Driver/Networks Associates Technology, Inc.) ZwCreateProcess [0xA84A2FE0]
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee Desktop Firewall Application Firewall Driver/Networks Associates Technology, Inc.) ZwCreateProcessEx [0xA84A3090]
SSDT A8CE61EE ZwCreateSection
SSDT A8CE6194 ZwCreateThread
SSDT A8CE61A3 ZwDeleteKey
SSDT A8CE61AD ZwDeleteValueKey
SSDT A8CE61DF ZwDuplicateObject
SSDT A8CE61B2 ZwLoadKey
SSDT A8CE6180 ZwOpenProcess
SSDT A8CE6185 ZwOpenThread
SSDT A8CE6207 ZwQueryValueKey
SSDT A8CE61BC ZwReplaceKey
SSDT A8CE61F8 ZwRequestWaitReplyPort
SSDT A8CE61B7 ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee Desktop Firewall Application Firewall Driver/Networks Associates Technology, Inc.) ZwResumeThread [0xA84A2EB0]
SSDT A8CE61F3 ZwSetContextThread
SSDT A8CE61FD ZwSetSecurityObject
SSDT A8CE61A8 ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee Desktop Firewall Application Firewall Driver/Networks Associates Technology, Inc.) ZwSuspendThread [0xA84A2E30]
SSDT A8CE6202 ZwSystemDebugControl
SSDT A8CE618F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5D5E3C0, 0x95B7EA, 0xE8000020]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB5BEBF80]
init C:\WINDOWS\system32\Drivers\FireTDI.sys entry point in "init" section [0xA84A7000]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 001A3AA9
.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!RtlRaiseException 7C90E528 5 Bytes JMP 001A3CC9
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 001A45B6
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 001A4617
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 001A4687
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!IsWindowVisible 7E429E3D 5 Bytes JMP 001A46BA
.text C:\WINDOWS\System32\svchost.exe[1088] USER32.dll!MessageBoxIndirectW 7E4664D5 6 Bytes [33, C0, 40, C2, 04, 00] {XOR EAX, EAX; INC EAX; RET 0x4}
.text C:\WINDOWS\System32\svchost.exe[1088] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 001A4820
.text C:\WINDOWS\System32\svchost.exe[1088] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 001A47F6
.text C:\WINDOWS\System32\svchost.exe[1088] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 001A4518
.text C:\WINDOWS\Explorer.EXE[1160] SHELL32.dll!StrStrW 7C9CEF18 8 Bytes [E0, 10, 60, 19, 00, 11, 60, ...] {LOOPNZ 0x12; PUSHA ; SBB [EAX], EAX; ADC [EAX+0x19], ESP}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2116] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 102C0C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2116] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 104F7B4C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2116] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 104F7B29 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2116] kernel32.dll!ValidateLocale + B130 7C844958 7 Bytes JMP 102C3FAC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2116] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 104F7AAA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip FireTDI.sys (McAfee Desktop Firewall Application Firewall Driver/Networks Associates Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp FireTDI.sys (McAfee Desktop Firewall Application Firewall Driver/Networks Associates Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp FireTDI.sys (McAfee Desktop Firewall Application Firewall Driver/Networks Associates Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp FireTDI.sys (McAfee Desktop Firewall Application Firewall Driver/Networks Associates Technology, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

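Reading a GMER log like the one above means separating the hooks GMER could tie to a driver or module (here the McAfee FireTDI.sys SSDT entries and the xul.dll inline hooks inside firefox.exe) from the hooks it could not (the bare-address SSDT entries and the svchost.exe JMPs into 001A....). The parser below is an added example, not GMER's code and not something the helper ran: it splits the SSDT and user-code sections that way, checks whether the unattributed SSDT addresses sit in one tight range (consistent with a single unnamed driver's dispatch table rather than several unrelated pieces of code), and picks up the "rootkit-like behavior" disk-sector line. The excerpt is a constructed subset of the posted log, and the summaries are triage heuristics, not a clean-or-infected verdict.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt: a subset of the GMER log in the post above, kept short.
GMER_EXCERPT = r"""
---- System - GMER 1.0.15 ----

SSDT A8CE61E4 ZwClose
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee Desktop Firewall Application Firewall Driver/Networks Associates Technology, Inc.) ZwCreateProcess [0xA84A2FE0]
SSDT A8CE6180 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\Drivers\FireTDI.sys (McAfee Desktop Firewall Application Firewall Driver/Networks Associates Technology, Inc.) ZwResumeThread [0xA84A2EB0]
SSDT A8CE618F ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1088] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 001A3AA9
.text C:\WINDOWS\System32\svchost.exe[1088] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 001A4518
.text C:\Program Files\Mozilla Firefox\firefox.exe[2116] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 102C0C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""

# SSDT hook GMER attributed to a driver image:  SSDT \??\<path> (<description>) Zw... [0xADDR]
SSDT_MODULE = re.compile(r"^SSDT (\\\?\?\\\S+) \((.*)\) (Zw\w+) \[0x([0-9A-Fa-f]+)\]$")
# SSDT hook GMER could not attribute:            SSDT <ADDR> Zw...
SSDT_BARE = re.compile(r"^SSDT ([0-9A-Fa-f]{8}) (Zw\w+)$")
# Inline JMP hook in a user-mode process, optionally followed by the module owning the
# target.  Patched-bytes lines ("5 Bytes [33, C0, ...]") are not JMPs and are skipped.
INLINE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<dll>[^!\s]+)!(?P<func>\S+(?: \+ [0-9A-Fa-f]+)?) "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<n>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]{8})"
    r"(?: (?P<module>.+?) \((?P<vendor>[^)]*)\))?$"
)


def parse_gmer(text: str) -> Dict[str, list]:
    report: Dict[str, list] = {"ssdt": [], "inline": [], "disk": []}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SSDT_MODULE.match(line)
        if m:
            report["ssdt"].append({"syscall": m.group(3), "module": m.group(1),
                                   "vendor": m.group(2), "addr": int(m.group(4), 16)})
            continue
        m = SSDT_BARE.match(line)
        if m:
            report["ssdt"].append({"syscall": m.group(2), "module": None,
                                   "vendor": None, "addr": int(m.group(1), 16)})
            continue
        m = INLINE.match(line)
        if m:
            hook = m.groupdict()
            hook["pid"] = int(hook["pid"])
            report["inline"].append(hook)
            continue
        if line.startswith("Disk ") and "rootkit-like behavior" in line:
            report["disk"].append(line)
    return report


def unattributed_ssdt(report: Dict[str, list]) -> List[str]:
    """Syscalls hooked by code GMER did not map to a driver image."""
    return sorted(h["syscall"] for h in report["ssdt"] if h["module"] is None)


def ssdt_address_span(report: Dict[str, list]) -> Tuple[int, int, int]:
    """(lowest, highest, span) of the unattributed hook addresses.  A span of a few
    hundred bytes means one dispatch table, i.e. one driver, even though GMER named none."""
    addrs = [h["addr"] for h in report["ssdt"] if h["module"] is None]
    return (min(addrs), max(addrs), max(addrs) - min(addrs)) if addrs else (0, 0, 0)


def inline_hooks_by_process(report: Dict[str, list]) -> Dict[str, Dict[str, int]]:
    """Per process: how many JMP hooks land in a named module and how many do not."""
    by: Dict[str, Dict[str, int]] = defaultdict(lambda: {"attributed": 0, "unattributed": 0})
    for h in report["inline"]:
        by[f'{h["proc"]}[{h["pid"]}]']["attributed" if h["module"] else "unattributed"] += 1
    return dict(by)


if __name__ == "__main__":
    r = parse_gmer(GMER_EXCERPT)
    lo, hi, span = ssdt_address_span(r)
    print("unattributed SSDT hooks:", ", ".join(unattributed_ssdt(r)))
    print(f"  addresses {lo:08X}..{hi:08X} (span 0x{span:X} bytes)")
    for proc, counts in inline_hooks_by_process(r).items():
        print(proc, counts)
    for line in r["disk"]:
        print("disk:", line)
```

On the excerpt the three unattributed SSDT hooks fall within 0x64 bytes of each other, so they come from one driver; the next step for a practitioner is to identify which driver owns that address range (the full log's entries all sit between A8CE6180 and A8CE6207, so the same holds there). The svchost.exe hooks jump to 001A.... with no owning module, which is the pattern of code injected at run time; the firefox.exe hooks jump into xul.dll, which is Firefox hooking its own process. The disk-sector line and the aswMBR "MBR hidden" line in the earlier post are the two findings the helper is chasing when asking for a fresh aswMBR log.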

Re: Possible Virus?

Post by Rodel Ituralde on 10th November 2012, 2:44 am

Good afternoon bobu,

Please re-run aswMBR and post a fresh log in your reply.

Re: Possible Virus?

Post by bobu on 10th November 2012, 4:02 am

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-11-09 22:01:39
-----------------------------
22:01:39.562 OS Version: Windows 5.1.2600 Service Pack 3
22:01:39.562 Number of processors: 2 586 0x403
22:01:39.562 ComputerName: WARCRAFT UserName: Bob
22:01:40.125 Initialize success
22:01:47.453 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
22:01:47.453 Disk 0 Vendor: WDC_WD16 02.0 Size: 152627MB BusType: 3
22:01:47.453 Disk 0 MBR read successfully
22:01:47.453 Disk 0 MBR scan
22:01:47.453 Disk 0 Windows XP default MBR code
22:01:47.453 Disk 0 MBR hidden
22:01:47.453 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 131069 MB offset 63
22:01:47.453 Disk 0 scanning sectors +268430085
22:01:47.500 Disk 0 scanning C:\WINDOWS\system32\drivers
22:01:53.312 Service scanning
22:02:00.703 Modules scanning
22:02:04.656 Disk 0 trace - called modules:
22:02:04.656 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x88a674b1]<<
22:02:04.656 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a9a3ab8]
22:02:04.656 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> [0x8a9fd630]
22:02:04.656 \Driver\iastor[0x88904360] -> IRP_MJ_CREATE -> 0x88a674b1
22:02:04.671 Scan finished successfully
22:02:13.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bob\Desktop\MBR.dat"
22:02:13.156 The log file has been saved successfully to "C:\Documents and Settings\Bob\Desktop\aswMBR.txt"

Re: Possible Virus?

Post by Rodel Ituralde on 10th November 2012, 7:45 pm

Good morning bobu,

Please download MBRCheck to your Desktop.

  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your Desktop.
  • Open this report and post its content in your next reply.

Re: Possible Virus?

Post by bobu on 10th November 2012, 9:34 pm

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 115):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0x89E38000 \WINDOWS\system32\KDCOM.DLL
0xB84BC000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB8670000 pciide.sys
0xB8328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB80B8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB8330000 PartMgr.sys
0xB80C8000 VolSnap.sys
0xB7F31000 atapi.sys
0xB7EBE000 iaStor.sys
0xB80D8000 disk.sys
0xB80E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7E9E000 fltmgr.sys
0xB7E8C000 sr.sys
0xB7E75000 KSecDD.sys
0xB7E56000 FirePM.sys
0xB7DC9000 Ntfs.sys
0xB7D9C000 NDIS.sys
0xB7D82000 Mup.sys
0xB82C8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB5E91000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB5E7D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB5E4F000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xB83F8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB5E2B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8400000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB5D94000 \SystemRoot\system32\drivers\smwdm.sys
0xB5D70000 \SystemRoot\system32\drivers\portcls.sys
0xB82D8000 \SystemRoot\system32\drivers\drmk.sys
0xB5D4D000 \SystemRoot\system32\drivers\ks.sys
0xB5C9A000 \SystemRoot\system32\drivers\senfilt.sys
0xB82E8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB8408000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB5C86000 \SystemRoot\system32\DRIVERS\parport.sys
0xB82F8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB8568000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8308000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8318000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8108000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB86E0000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB8118000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB8578000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB5C6F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8128000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB8138000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8410000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB5C5E000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8148000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8418000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8420000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8158000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB8428000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8604000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB5C00000 \SystemRoot\system32\DRIVERS\update.sys
0xB7BDE000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xAD5CB000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAD5AB000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB8666000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB8648000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA44D3000 \SystemRoot\System32\Drivers\Null.SYS
0xB864A000 \SystemRoot\System32\Drivers\Beep.SYS
0xA4033000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA402B000 \SystemRoot\System32\drivers\vga.sys
0xB864C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB864E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA4023000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA401B000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA488C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA3658000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA35FF000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA35D9000 \??\C:\WINDOWS\system32\Drivers\FireTDI.sys
0xA35B3000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA358B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA48CC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA3569000 \SystemRoot\System32\drivers\afd.sys
0xA48BC000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA4013000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xA353E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA34CE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA48AC000 \??\C:\WINDOWS\system32\Drivers\Firehk5x.sys
0xA414F000 \SystemRoot\System32\Drivers\Fips.SYS
0xA400B000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xA4419000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA412F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA4411000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA411F000 \SystemRoot\system32\DRIVERS\avkmgr.sys
0xA34A9000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xA40CF000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA3436000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xA3B43000 \SystemRoot\System32\drivers\Dxapi.sys
0xA3A19000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xB8707000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBD42F000 \SystemRoot\System32\ATMFD.DLL
0xA28C5000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xB8488000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xA6385000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA2848000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB8616000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB3B9E000 \??\C:\WINDOWS\system32\drivers\firelm01.sys
0xA2750000 \SystemRoot\system32\DRIVERS\srv.sys
0xA269B000 \SystemRoot\system32\drivers\wdmaud.sys
0xB42C8000 \SystemRoot\system32\drivers\sysaudio.sys
0xA2026000 \SystemRoot\system32\DRIVERS\RT61.sys
0xA1EF5000 \SystemRoot\System32\Drivers\HTTP.sys
0xA1F36000 \??\C:\WINDOWS\system32\GTNDIS5.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 37):
0 System Idle Process
4 System
612 C:\WINDOWS\system32\smss.exe
660 csrss.exe
688 C:\WINDOWS\system32\winlogon.exe
732 C:\WINDOWS\system32\services.exe
744 C:\WINDOWS\system32\lsass.exe
904 C:\WINDOWS\system32\svchost.exe
964 svchost.exe
1060 C:\WINDOWS\system32\svchost.exe
1184 svchost.exe
1232 C:\WINDOWS\system32\svchost.exe
1276 svchost.exe
1304 C:\WINDOWS\system32\svchost.exe
1592 C:\WINDOWS\system32\spoolsv.exe
1648 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1712 svchost.exe
1812 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1848 C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
1940 C:\Program Files\Java\jre6\bin\jqs.exe
1992 C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
176 naPrdMgr.exe
168 C:\WINDOWS\system32\nvsvc32.exe
296 C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
316 C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
596 C:\WINDOWS\explorer.exe
1776 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
1784 C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
1904 C:\WINDOWS\system32\rundll32.exe
2056 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2084 C:\WINDOWS\system32\ctfmon.exe
2200 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
3292 alg.exe
1160 C:\WINDOWS\system32\svchost.exe
2944 C:\Program Files\Mozilla Firefox\firefox.exe
3568 C:\Program Files\Mozilla Firefox\plugin-container.exe
3188 C:\Documents and Settings\Bob\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600JS-22MHB0, Rev: 02.01C03

Size     Device Name          MBR Status
--------------------------------------------
149 GB   \\.\PhysicalDrive0   Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


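Three different tools have now looked at sector 0 of this disk: GMER flagged it ("rootkit-like behavior"), aswMBR called the MBR "hidden" and saved a copy to the Desktop as MBR.dat, and MBRCheck printed a SHA1 for the MBR and the byte offset of the C: partition. The script below is an added example, written for this page and not part of the thread or of any of those tools. It reads a 512-byte MBR image, decodes the partition table, hashes the sector, and cross-checks the result against the figures the posted logs report (partition 1: type 07, LBA 63, 131069 MB; disk 152627 MB; MBRCheck's SHA1). It assumes that MBR.dat is the raw 512-byte sector and that MBRCheck's SHA1 covers the full sector; both are assumptions. Because the real MBR.dat is not on the page, the script builds a constructed sample whose boot code is a dummy NOP sled, so the hash check is expected to report a mismatch.

```python
"""Parse a 512-byte MBR image (e.g. the MBR.dat that aswMBR saved), hash it, and
cross-check the partition table against the figures the posted logs reported."""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439 boot code; 440..443 NT disk signature; 444..445 reserved
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Figures copied from the aswMBR and MBRCheck logs posted above (disk 0).
REPORTED_DISK_MB = 152627
REPORTED_PART1 = {"type": 0x07, "start_lba": 63, "size_mb": 131069}
REPORTED_MBR_SHA1 = "DA38B874B7713D1B51CBC449F4EF809B0DEC644A".lower()


def build_sample_mbr() -> bytes:
    """CONSTRUCTED sample: dummy boot code (a jmp plus NOP sled, not the real XP
    boot code) with a partition table laid out as the posted logs describe."""
    boot_code = bytes([0xEB, 0x3C]) + b"\x90" * (BOOT_CODE_LEN - 2)
    disk_signature = struct.pack("<I", 0x1234ABCD)  # arbitrary, assumed value
    reserved = b"\x00\x00"
    size_sectors = REPORTED_PART1["size_mb"] * 2048  # 2048 sectors of 512 bytes per MB
    entry1 = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                         REPORTED_PART1["start_lba"], size_sectors)
    table = entry1 + b"\x00" * 48  # remaining three entries empty
    mbr = boot_code + disk_signature + reserved + table + b"\x55\xAA"
    assert len(mbr) == SECTOR
    return mbr


def parse_mbr(mbr: bytes) -> Dict:
    """Decode the partition table and hash the sector (and the boot-code bytes alone)."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly %d bytes, got %d" % (SECTOR, len(mbr)))
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": start,
            "size_sectors": count,
            "size_mb": count // 2048,
            "byte_offset": start * SECTOR,  # MBRCheck prints this as "at offset 0x..."
        })
    return {
        "disk_signature": struct.unpack("<I", mbr[BOOT_CODE_LEN:BOOT_CODE_LEN + 4])[0],
        "sha1": hashlib.sha1(mbr).hexdigest(),
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_against_logs(info: Dict, disk_mb: int = REPORTED_DISK_MB,
                       reported_sha1: str = REPORTED_MBR_SHA1,
                       reported_part1: Dict = REPORTED_PART1) -> List[str]:
    """Return findings where the image disagrees with what the posted logs reported."""
    findings = []
    if info["sha1"] != reported_sha1.lower():
        findings.append("sector SHA1 %s differs from the value MBRCheck reported (%s): "
                        "the two readers did not see identical sector contents"
                        % (info["sha1"], reported_sha1))
    parts = info["partitions"]
    if not parts:
        findings.append("partition table is empty")
        return findings
    p1 = parts[0]
    for key in ("type", "start_lba", "size_mb"):
        if p1[key] != reported_part1[key]:
            findings.append("partition 1 %s is %r, logs say %r" % (key, p1[key], reported_part1[key]))
    unallocated_mb = disk_mb - sum(p["size_mb"] for p in parts)
    if unallocated_mb > 0:
        findings.append("%d MB of the %d MB disk lies outside every partition"
                        % (unallocated_mb, disk_mb))
    active = [p["index"] for p in parts if p["bootable"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %r" % active)
    return findings


if __name__ == "__main__":
    # For a real dump: info = parse_mbr(open("MBR.dat", "rb").read())
    info = parse_mbr(build_sample_mbr())
    print("partitions:", info["partitions"])
    for finding in check_against_logs(info):
        print("finding:", finding)
```

On the constructed sample the script reports two findings: the hash mismatch (expected, since the boot code is a stand-in) and the 21558 MB of the 152627 MB disk that no partition accounts for, a figure that follows directly from the two sizes in the logs. The byte offset it computes for partition 1, 63 * 512 = 0x7E00, matches the offset MBRCheck printed for C:, which is a useful sanity check that the image was read at the right place. Whether the hash of a real MBR.dat matches MBRCheck's value says only whether the two tools read the same bytes; deciding whether those bytes are the stock XP boot code still needs a known-good reference.
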
Re: Possible Virus?

Post by Rodel Ituralde on 11th November 2012, 1:25 am

Hey bobu,

Please download BlueScreenView.
Unzip the downloaded file and double click BlueScreenView.exe to run the program.
When scanning is done, go to Edit > Select All.
Go to File > Save Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all of its content, and paste it into your next reply.

Re: Possible Virus?

Post by bobu on 11th November 2012, 1:43 am

Hi - nothing happens when I run this.

Re: Possible Virus?

Post by Rodel Ituralde on 11th November 2012, 9:31 pm

Howdy bobu,

Please download WhoCrashed.
This program checks for any drivers which may have been causing your computer to crash.

Click on the file you just downloaded and run it.
Put a tick in Accept, then click on Next.
Put a tick in Don't create a start menu folder, then click Next.
Put a tick in Create a Desktop Icon, then click on Install, and make sure there is a tick in Launch WhoCrashed before clicking Finish.
Click Analyze.
It will want to download the Debugger and install it. Say Yes.

WhoCrashed will create a report, but you have to scroll down to see it.
Copy and paste it into your next reply.

Re: Possible Virus?

Post by bobu on 12th November 2012, 1:37 am

System Information (local)
--------------------------------------------------------------------------------

computer name: WARCRAFT
windows version: Windows XP Service Pack 3, 5.1, build: 2600
windows dir: C:\WINDOWS
CPU: GenuineIntel Intel(R) Pentium(R) 4 CPU 3.00GHz Intel586, level: 15
2 logical processors, active mask: 3
RAM: 2682351616 total
VM: 2147352576, free: 2048966656




--------------------------------------------------------------------------------
Crash Dump Analysis
--------------------------------------------------------------------------------

Crash dump directory: C:\WINDOWS\Minidump

Crash dumps are enabled on your computer.

No valid crash dumps have been found on your computer

--------------------------------------------------------------------------------
Conclusion
--------------------------------------------------------------------------------

Crash dumps are enabled but no valid crash dumps have been found. It may be that there are problems which prevent crash dumps from being written out. Check out the following article for possible causes: If crash dumps are not written out.

In case your computer does experience sudden reboots it is likely these are caused by malfunctioning hardware, power failure or a thermal issue. To troubleshoot a thermal issue, check the temperature using your BIOS setup program, check for dust in CPU and motherboard fans and if your computer is portable make sure it's located on a hard surface. Otherwise it's suggested you contact the support department of the manufacturer of your system or test your system with a memory test utility for further investigation.

Check out the following articles for more information: Troubleshooting sudden resets and shut downs.

Read the topic general suggestions for troubleshooting system crashes for more information.

Note that it's not always possible to state with certainty whether a reported driver is actually responsible for crashing your system or that the root cause is in another module. Nonetheless it's suggested you look for updates for the products that these drivers belong to and regularly visit Windows update or enable automatic updates for Windows. In case a piece of malfunctioning hardware is causing trouble, a search with Google on the bug check errors together with the model name and brand of your computer may help you investigate this further.

Re: Possible Virus?

Post by Rodel Ituralde on 12th November 2012, 10:08 am

Hey bobu,

Please go to C:\Windows and upload any dmp files that are present.

Re: Possible Virus?

Post by Rodel Ituralde on 17th November 2012, 12:27 pm

Are you still with me bobu?
