Recurring jesterss.dll Trojan Rootkit with a side of Malware [Solved]


#1 goomba (Member, 18 posts)

Hello,
I have been trying to remove this "jesterss.dll" from my computer for about three months. I have reformatted about ten times since then, all to no avail, as Comodo Antivirus keeps detecting it. On one occasion I tried reformatting and my computer wouldn't work at all, so I had to send it in to Gateway repair under my warranty. They replaced the hard drive (they said "softloaded", I don't know what that means), so I figured this would be the end of this madness! Logical, no? Alas, upon reinstalling Comodo Antivirus on my computer, it comes up. Now, I had two interpretations of this:
A) It's a false positive
B) It's hiding on the D:/ drive which serves as my recovery partition, and thus withstands any reformats.

Here's the thing:
I immediately tried to delete my D: drive. After deleting it, I reformatted again, to make sure I had completely removed any traces of the bane of my existence. Upon reformatting, the D: drive was recreated, and I still had jesterss.dll in the directory according to Comodo AntiVirus--
C:/WINDOWS/system32/jesterss.dll

For reference, I have been to bleepingcomputer.com, where I received help, but it was not successful. My support topic can be found here.
NOTE: when this virus appears under Comodo AntiVirus, I usually try to quarantine it so it cannot do any harm. It usually reappears after a while (a day or two).
Thank you in advance.
Here are the logs I have accumulated (MBAM, RootRepeal, and OTL):

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/23 09:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA1C71000 Size: 749568 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9FD0F000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7af68

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7a472

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7ab0c

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7b4e4

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7a150

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7c1f0

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7c4c8

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a79d16

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7b14e

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7b2fe

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a79a78

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7be72

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7a6f6

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7ad50

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a797a8

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7a986

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a79920

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7b8aa

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7a26e

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7bc0e

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7c020

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7b6aa

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7a690

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7a87a

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a7a01a

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa2a79ee8

==EOF==

OTL Extras logfile created on: 8/23/2009 9:24:22 AM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.20 Gb Total Space | 217.07 Gb Free Space | 95.12% Space Free | Partition Type: NTFS
Drive D: | 4.67 Gb Total Space | 4.67 Gb Free Space | 100.00% Space Free | Partition Type: FAT32
Drive E: | 2.73 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-5B8C03A1E7
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (America Online, Inc)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe" = C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:LocalSubNet:Enabled:SPCM -- ()
"C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe" = C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:LocalSubNet:Enabled:Intel® Viiv™ Media Server -- ()
"C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe" = C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:LocalSubNet:Enabled:Intel® Remoting Service -- (Intel Corporation)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (America Online, Inc)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite Gateway
"{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}" = Sound Blaster X-Fi
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2
"{82EF8297-C8B2-4CA8-9430-FF2BC8C40414}" = GWCares
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{DA327C6D-D8F1-4587-B4DE-10C39BF6B891}" = Intel® Viiv™ Software
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"America Online us" = America Online (Choose which version to remove)
"AOL Connectivity Services" = AOL Connectivity Services
"AOL Spyware Protection" = AOL Spyware Protection
"AOL YGP Screensaver" = AOL You've Got Pictures Screensaver
"AOLCoach" = AOL Coach Version 1.0(Build:20040229.1 en)
"BigFix" = BigFix
"COMODO Internet Security" = COMODO Internet Security
"ERUNT_is1" = ERUNT 1.1j
"Google Desktop" = Google Desktop
"gtw_logo" = gtw_logo
"InstallShield_{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"Intel® Configuration Center" = Intel® Viiv™ Software
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.5.2)" = Mozilla Firefox (3.5.2)
"NVIDIA Drivers" = NVIDIA Drivers
"PCSI" = Prevx 3.0
"Port Magic" = Pure Networks Port Magic
"PROSet" = Intel® PRO Network Connections Drivers
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer Basic
"StreetPlugin" = Learn2 Player (Uninstall Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"WGA" = Windows Genuine Advantage Validation Tool
"Windows Media Format Runtime" = Windows Media Format Runtime

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/22/2009 6:12:07 PM | Computer Name = YOUR-5B8C03A1E7 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BA from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 8/22/2009 6:20:03 PM | Computer Name = YOUR-5B8C03A1E7 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BF from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 8/22/2009 6:49:02 PM | Computer Name = YOUR-5B8C03A1E7 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module flash.ocx, version 7.0.19.0, fault address 0x00001868.

Error - 8/22/2009 7:26:51 PM | Computer Name = YOUR-5B8C03A1E7 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 8/22/2009 7:30:13 PM | Computer Name = YOUR-5B8C03A1E7 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 8/22/2009 7:30:14 PM | Computer Name = YOUR-5B8C03A1E7 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 8/22/2009 7:30:14 PM | Computer Name = YOUR-5B8C03A1E7 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 8/22/2009 7:30:14 PM | Computer Name = YOUR-5B8C03A1E7 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

[ System Events ]
Error - 8/23/2009 12:14:52 PM | Computer Name = YOUR-5B8C03A1E7 | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/23/2009 12:14:52 PM | Computer Name = YOUR-5B8C03A1E7 | Source = Service Control Manager | ID = 7034
Description = The McAfee SiteAdvisor Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 8/23/2009 12:14:52 PM | Computer Name = YOUR-5B8C03A1E7 | Source = Service Control Manager | ID = 7034
Description = The PrismXL service terminated unexpectedly. It has done this 1 time(s).

Error - 8/23/2009 12:14:52 PM | Computer Name = YOUR-5B8C03A1E7 | Source = Service Control Manager | ID = 7034
Description = The Intel® Matrix Storage Event Monitor service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/23/2009 12:14:52 PM | Computer Name = YOUR-5B8C03A1E7 | Source = Service Control Manager | ID = 7031
Description = The Intel® Software Services Manager service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Restart the service.

Error - 8/23/2009 12:14:52 PM | Computer Name = YOUR-5B8C03A1E7 | Source = Service Control Manager | ID = 7034
Description = The Intel® Application Tracker service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/23/2009 12:14:52 PM | Computer Name = YOUR-5B8C03A1E7 | Source = Service Control Manager | ID = 7031
Description = The Media Center Extender Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Restart the service.

Error - 8/23/2009 12:14:52 PM | Computer Name = YOUR-5B8C03A1E7 | Source = Service Control Manager | ID = 7031
Description = The Intel® Viiv™ Media Server service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Restart the service.

Error - 8/23/2009 12:14:52 PM | Computer Name = YOUR-5B8C03A1E7 | Source = Service Control Manager | ID = 7031
Description = The Intel® Remoting Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

Error - 8/23/2009 12:14:52 PM | Computer Name = YOUR-5B8C03A1E7 | Source = Service Control Manager | ID = 7034
Description = The CSIScanner service terminated unexpectedly. It has done this
1 time(s).


< End of report >

OTL logfile created on: 8/23/2009 9:24:22 AM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.20 Gb Total Space | 217.07 Gb Free Space | 95.12% Space Free | Partition Type: NTFS
Drive D: | 4.67 Gb Total Space | 4.67 Gb Free Space | 100.00% Space Free | Partition Type: FAT32
Drive E: | 2.73 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-5B8C03A1E7
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/08/22 15:52:59 | 00,707,152 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
PRC - [2007/06/13 03:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2005/08/05 20:56:34 | 00,064,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehtray.exe
PRC - [2009/08/22 11:22:50 | 00,169,984 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2005/12/09 18:44:40 | 00,139,264 | ---- | M] (Alcor Micro, Corp.) -- C:\Program Files\Digital Media Reader\readericon45G.exe
PRC - [2006/07/06 07:15:00 | 00,151,552 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
PRC - [2006/07/27 09:54:22 | 00,303,104 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
PRC - [2009/08/22 11:22:50 | 00,555,008 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
PRC - [2006/03/29 19:10:04 | 00,375,296 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
PRC - [2004/03/19 14:17:00 | 00,078,960 | ---- | M] () -- C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe
PRC - [2009/08/22 11:22:50 | 00,415,744 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
PRC - [2009/08/22 15:52:59 | 01,793,808 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
PRC - [2007/04/17 15:22:22 | 00,184,320 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
PRC - [2007/05/07 20:44:00 | 00,019,456 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTHELPER.EXE
PRC - [2007/05/07 20:44:02 | 00,019,968 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTXFIHLP.EXE
PRC - [2007/05/07 20:40:34 | 00,966,144 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTXFISPI.EXE
PRC - [2006/07/27 09:53:24 | 00,401,408 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
PRC - [2006/07/27 09:52:58 | 00,188,416 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
PRC - [2004/04/07 12:07:32 | 01,135,728 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2009/08/23 09:10:15 | 04,368,952 | ---- | M] (Prevx) -- C:\Program Files\Prevx\prevx.exe
PRC - [2006/04/10 04:24:28 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe
PRC - [2005/08/05 20:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe
PRC - [2006/07/06 07:14:30 | 00,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
PRC - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2007/04/20 06:05:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2009/08/22 11:35:31 | 00,196,608 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
PRC - [2005/08/05 20:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe
PRC - [2006/07/27 08:21:48 | 00,094,208 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
PRC - [2006/07/27 09:03:24 | 00,163,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
PRC - [2006/07/09 23:37:24 | 00,025,600 | ---- | M] () -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
PRC - [2009/08/23 09:10:15 | 04,368,952 | ---- | M] (Prevx) -- C:\Program Files\Prevx\prevx.exe
PRC - [2006/07/27 09:06:42 | 00,425,984 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
PRC - [2005/08/05 20:56:28 | 00,046,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehmsas.exe
PRC - [2009/08/23 09:20:34 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Administrator\My Documents\Downloads\RootRepeal.exe
PRC - [2009/07/30 04:26:38 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2007/08/10 20:46:20 | 00,755,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\update\update.exe
PRC - [2009/08/23 09:23:51 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\My Documents\Downloads\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2006/07/27 09:52:58 | 00,188,416 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\CCU\AlertService.exe -- (AlertService [Auto | Running])
SRV - [2004/04/07 12:07:32 | 01,135,728 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS [Auto | Running])
SRV - [2005/09/23 14:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2005/09/23 14:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2009/08/22 15:52:59 | 00,707,152 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent [Auto | Running])
SRV - [2009/08/23 09:10:15 | 04,368,952 | ---- | M] (Prevx) -- C:\Program Files\Prevx\prevx.exe -- (CSIScanner [Auto | Running])
SRV - [2006/04/10 04:24:28 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe -- (ehRecvr [Auto | Running])
SRV - [2005/08/05 20:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe -- (ehSched [Auto | Running])
SRV - [2004/08/10 12:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2006/07/06 07:14:30 | 00,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe -- (IAANTMON [Auto | Running])
SRV - [2006/07/27 08:21:48 | 00,094,208 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe -- (ISSM [Auto | Running])
SRV - [2006/07/09 23:37:24 | 00,025,600 | ---- | M] () -- C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe -- (M1 Server [Auto | Running])
SRV - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Running])
SRV - [2006/07/27 09:03:24 | 00,163,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe -- (MCLServiceATL [Auto | Running])
SRV - [2005/08/05 20:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe -- (McrdSvc [Auto | Running])
SRV - [2004/08/10 11:11:50 | 00,085,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mhn.dll -- (MHN [On_Demand | Stopped])
SRV - [2007/04/20 06:05:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2009/08/22 11:35:31 | 00,196,608 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL [Auto | Running])
SRV - [2006/07/27 09:06:42 | 00,425,984 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe -- (Remote UI Service [Auto | Running])
SRV - [2005/08/04 01:29:52 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...TP&M=FX530S
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TP&M=FX530S
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...TP&M=FX530S

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TP&M=FX530S
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.9
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/08/22 16:35:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/22 15:56:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/22 15:56:43 | 00,000,000 | ---D | M]

[2009/08/22 15:56:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions
[2009/08/22 15:56:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/22 15:56:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\r90lg2xf.default\extensions
[2009/08/22 15:56:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/22 15:56:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/07/30 04:26:53 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/07/30 04:26:54 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/07/30 04:26:55 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/07/30 00:24:20 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/30 00:24:20 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/30 00:24:20 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/30 00:24:20 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/30 00:24:20 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/30 00:24:20 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/30 00:24:20 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\System32\BAE.dll (Gateway Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AOL Spyware Protection] C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe ()
O4 - HKLM..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Gateway Extended Warranty] C:\Program Files\Gateway\GWCares\GWCares.exe (BillP Studios)
O4 - HKLM..\Run: [Gateway Registration] C:\WINDOWS\System32\GTW1.exe (Leader Technologies)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [NMSSupport] C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe (Intel Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE ()
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [Power2GoExpress] File not found
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk = C:\Program Files\BigFix\bigfix.exe (BigFix Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.29.103.15 24.29.103.16
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll ()
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\System32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/17 02:41:16 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: MHN - C:\WINDOWS\System32\mhn.dll (Microsoft Corporation)
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/08/23 09:23:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2009/08/23 09:20:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
[2009/08/23 09:20:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/08/23 09:19:30 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/08/23 09:19:22 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/08/23 09:19:14 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2009/08/23 09:19:14 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2009/08/23 09:19:13 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/08/23 09:11:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/08/23 09:11:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Sun
[2009/08/23 09:10:15 | 00,027,656 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxsec.sys
[2009/08/23 09:10:15 | 00,022,024 | ---- | C] (Prevx) -- C:\WINDOWS\System32\drivers\pxscan.sys
[2009/08/23 09:10:15 | 00,000,000 | ---D | C] -- C:\Program Files\Prevx
[2009/08/23 09:10:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2009/08/23 09:10:10 | 00,000,067 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/08/23 09:01:35 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2009/08/22 17:34:04 | 00,000,153 | ---- | C] () -- C:\WINDOWS\cavscan.INI
[2009/08/22 17:13:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\COMODO
[2009/08/22 16:43:27 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2009/08/22 16:43:22 | 00,000,786 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Windows Media Player.lnk
[2009/08/22 16:26:16 | 00,000,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\sfi.dat
[2009/08/22 16:25:20 | 00,064,752 | ---- | C] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000001-00001102-00000005-60071102}.rfx
[2009/08/22 16:25:20 | 00,055,260 | ---- | C] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000001-00001102-00000005-60071102}.rfx
[2009/08/22 16:25:20 | 00,055,260 | ---- | C] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000001-00001102-00000005-60071102}.rfx
[2009/08/22 16:23:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
[2009/08/22 16:22:55 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2009/08/22 16:22:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/08/22 16:22:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Downloads
[2009/08/22 16:20:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Creative
[2009/08/22 16:19:57 | 00,409,600 | ---- | C] (Creative Labs) -- C:\WINDOWS\System32\wrap_oal.dll
[2009/08/22 16:19:57 | 00,114,688 | ---- | C] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\WINDOWS\System32\OpenAL32.dll
[2009/08/22 16:19:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Creative
[2009/08/22 16:19:51 | 00,102,498 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2009/08/22 16:19:51 | 00,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2009/08/22 16:19:51 | 00,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/08/22 16:19:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Data
[2009/08/22 16:19:48 | 07,572,224 | ---- | C] () -- C:\WINDOWS\System32\CT8MGM.SF2
[2009/08/22 16:19:48 | 04,174,814 | ---- | C] () -- C:\WINDOWS\System32\CT4MGM.SF2
[2009/08/22 16:19:48 | 02,167,684 | ---- | C] () -- C:\WINDOWS\System32\CT2MGM.SF2
[2009/08/22 16:19:48 | 00,105,472 | ---- | C] () -- C:\WINDOWS\System32\APOMngr.dll
[2009/08/22 16:19:48 | 00,067,072 | ---- | C] () -- C:\WINDOWS\System32\CmdRtr.dll
[2009/08/22 16:18:48 | 00,000,000 | ---D | C] -- C:\Program Files\Creative
[2009/08/22 16:17:15 | 00,000,000 | ---D | C] -- C:\cabs
[2009/08/22 16:17:00 | 48,990,1056 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\D00766-001-001.exe
[2009/08/22 16:01:49 | 00,000,808 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\COMODO Internet Security.lnk
[2009/08/22 15:56:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2009/08/22 15:56:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
[2009/08/22 15:56:44 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/08/22 15:56:43 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/08/22 15:55:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2009/08/22 15:54:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/08/22 15:53:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo
[2009/08/22 15:53:02 | 00,179,792 | ---- | C] (COMODO) -- C:\WINDOWS\System32\guard32.dll
[2009/08/22 15:53:02 | 00,132,040 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys
[2009/08/22 15:53:02 | 00,086,976 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys
[2009/08/22 15:53:02 | 00,025,160 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys
[2009/08/22 15:53:00 | 00,000,000 | ---D | C] -- C:\Program Files\COMODO
[2009/08/22 15:38:44 | 79,033,104 | ---- | C] (COMODO) -- C:\Documents and Settings\Administrator\Desktop\CIS_Setup_3.10.102363.531_XP_Vista_x32.exe
[2009/08/22 14:54:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2009/08/22 12:40:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\McAfee.com Personal Firewall
[2009/08/22 12:40:26 | 00,000,258 | ---- | C] () -- C:\WINDOWS\tasks\ISP signup reminder 3.job
[2009/08/22 12:40:26 | 00,000,258 | ---- | C] () -- C:\WINDOWS\tasks\ISP signup reminder 2.job
[2009/08/22 12:40:26 | 00,000,258 | ---- | C] () -- C:\WINDOWS\tasks\ISP signup reminder 1.job
[2009/08/22 11:42:53 | 00,008,192 | ---- | C] () -- C:\WINDOWS\REGLOCS.OLD
[2009/08/22 11:41:10 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/08/22 11:41:07 | 00,000,333 | ---- | C] () -- C:\WINDOWS\System32\$ncsp$.inf
[2009/08/22 11:40:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2009/08/22 11:40:09 | 00,038,528 | ---- | C] () -- C:\WINDOWS\System32\Status.MPF
[2009/08/22 11:37:35 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/08/22 11:37:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee.com
[2009/08/22 11:37:10 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2009/08/22 11:36:25 | 00,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2009/08/22 11:36:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
[2009/08/22 11:35:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2009/08/22 11:35:32 | 00,743,936 | ---- | C] (Leader Technologies) -- C:\WINDOWS\System32\GTW1.exe
[2009/08/22 11:34:12 | 00,051,656 | ---- | C] () -- C:\WINDOWS\System32\OEMLOGO.bmp
[2009/08/22 11:34:12 | 00,001,150 | ---- | C] () -- C:\WINDOWS\System32\gtw.ico
[2009/08/22 11:34:11 | 01,239,209 | ---- | C] () -- C:\WINDOWS\System32\gtw_logo.scr
[2009/08/22 11:34:11 | 00,000,000 | ---D | C] -- C:\Program Files\gtw_logo
[2009/08/22 11:33:59 | 00,000,000 | ---D | C] -- C:\Program Files\SigmaTel
[2009/08/22 11:33:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2009/08/22 11:33:49 | 00,000,000 | ---D | C] -- C:\Program Files\AOL Companion
[2009/08/22 11:33:43 | 00,102,400 | ---- | C] (4Developers LLC) -- C:\WINDOWS\System32\SimpleRegistry.dll
[2009/08/22 11:33:43 | 00,010,752 | ---- | C] (Almeida & Andrade Ltda) -- C:\WINDOWS\System32\aamd532.dll
[2009/08/22 11:33:41 | 00,000,000 | ---D | C] -- C:\WINDOWS\occache
[2009/08/22 11:33:41 | 00,000,000 | ---D | C] -- C:\Program Files\Pure Networks
[2009/08/22 11:33:41 | 00,000,000 | ---D | C] -- C:\Program Files\Learn2.com
[2009/08/22 11:33:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
[2009/08/22 11:33:40 | 00,000,000 | ---D | C] -- C:\Program Files\Viewpoint
[2009/08/22 11:33:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/08/22 11:33:39 | 00,086,016 | ---- | C] (MindVision) -- C:\WINDOWS\unvise32qt.exe
[2009/08/22 11:33:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\QuickTime
[2009/08/22 11:33:36 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/08/22 11:33:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2009/08/22 11:33:34 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Nullsoft
[2009/08/22 11:33:32 | 00,000,000 | ---D | C] -- C:\My Music
[2009/08/22 11:33:30 | 00,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2009/08/22 11:33:30 | 00,000,000 | ---D | C] -- C:\Program Files\Real
[2009/08/22 11:33:30 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Real
[2009/08/22 11:33:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\AOL Downloads
[2009/08/22 11:33:20 | 01,044,480 | ---- | C] (eHelp Corporation.) -- C:\WINDOWS\System32\roboex32.dll
[2009/08/22 11:33:20 | 00,054,784 | ---- | C] (Blue Sky Software Corporation.) -- C:\WINDOWS\System32\Inetwh32.dll
[2009/08/22 11:33:20 | 00,029,184 | ---- | C] (Blue Sky Software) -- C:\WINDOWS\System32\popup.ocx
[2009/08/22 11:33:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\SampleView
[2009/08/22 11:33:04 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\aolshare
[2009/08/22 11:33:04 | 00,000,000 | ---D | C] -- C:\Program Files\America Online 9.0
[2009/08/22 11:33:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AOL
[2009/08/22 11:32:52 | 00,000,908 | -H-- | C] () -- C:\IPH.PH
[2009/08/22 11:32:52 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\AOL
[2009/08/22 11:32:51 | 00,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/08/22 11:32:28 | 00,003,284 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.PNF
[2009/08/22 11:32:26 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Application Data\GTek
[2009/08/22 11:32:25 | 00,006,656 | ---- | C] (GTek Technologies Ltd.) -- C:\WINDOWS\System32\DLPT2.sys
[2009/08/22 11:32:25 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\GTek
[2009/08/22 11:32:01 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Intel
[2009/08/22 11:31:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ENU
[2009/08/22 11:30:35 | 32,176,57856 | -HS- | C] () -- C:\hiberfil.sys
[2009/08/22 11:30:34 | 00,000,000 | ---D | C] -- C:\Program Files\Intel
[2009/08/22 11:30:29 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Roxio Shared
[2009/08/22 11:30:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Napster
[2009/08/22 11:30:26 | 00,000,000 | ---D | C] -- C:\Program Files\Napster
[2009/08/22 11:30:19 | 00,115,998 | ---- | C] () -- C:\WINDOWS\System32\nvapps.xml
[2009/08/22 11:30:15 | 00,017,177 | ---- | C] () -- C:\WINDOWS\System32\nvdisp.nvu
[2009/08/22 11:30:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\nview
[2009/08/22 11:30:00 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2009/08/22 11:29:56 | 00,000,000 | ---D | C] -- C:\Program Files\Adobe
[2009/08/22 11:29:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/08/22 11:29:45 | 00,094,208 | ---- | C] (Gateway Inc.) -- C:\WINDOWS\System32\BAE.dll
[2009/08/22 11:29:39 | 00,013,352 | ---- | C] (BigFix, Inc.) -- C:\WINDOWS\BigFixClientOverride.dll
[2009/08/22 11:29:39 | 00,001,538 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
[2009/08/22 11:29:39 | 00,000,000 | ---D | C] -- C:\Program Files\BigFix
[2009/08/22 11:28:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ReinstallBackups
[2009/08/22 11:28:52 | 00,000,000 | ---D | C] -- C:\Program Files\Digital Media Reader
[2009/08/22 11:28:19 | 00,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information
[2009/08/22 11:28:19 | 00,000,000 | ---D | C] -- C:\Program Files\CyberLink
[2009/08/22 11:28:15 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2009/08/22 11:24:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[2009/08/22 11:24:59 | 00,000,000 | ---D | C] -- C:\Program Files\Gateway
[2009/08/22 11:22:50 | 00,000,000 | ---D | C] -- C:\Program Files\Google
[2009/08/22 11:18:38 | 00,028,768 | ---- | C] () -- C:\WINDOWS\System32\javaw.exe
[2009/08/22 11:18:38 | 00,024,670 | ---- | C] () -- C:\WINDOWS\System32\java.exe
[2009/08/22 11:18:35 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/08/22 11:18:34 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2009/08/22 11:16:27 | 00,000,002 | RHS- | C] () -- C:\USER
[2009/08/22 11:14:58 | 00,002,877 | ---- | C] () -- C:\WINDOWS\System32\e1e5132.din
[2009/08/22 11:14:55 | 00,000,000 | -HSD | C] -- C:\System Volume Information
[2009/08/22 11:13:06 | 00,000,060 | ---- | C] () -- C:\WINDOWS\System32\SYSDRV.DAT
[2009/08/22 11:12:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\creator
[2009/08/22 11:12:55 | 00,002,570 | ---- | C] () -- C:\WINDOWS\System32\IAMT.din
[2009/08/22 11:12:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\SMINST
[2009/08/22 11:12:42 | 00,000,000 | R--D | C] -- C:\Program Files
[2009/08/22 11:12:38 | 00,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2009/08/22 11:12:38 | 00,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Pictures
[2009/08/22 11:12:37 | 00,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Music
[2009/08/22 11:12:37 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures
[2009/08/22 11:12:37 | 00,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music
[2009/08/22 11:11:58 | 00,000,000 | R-SD | C] -- C:\WINDOWS\assembly
[2009/08/22 11:11:54 | 00,000,000 | R--D | C] -- C:\WINDOWS\Offline Web Pages
[2009/08/22 11:10:27 | 00,000,000 | RHSD | C] -- C:\WINDOWS\System32\dllcache
[2009/08/22 10:59:38 | 01,626,112 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2009/08/22 10:59:36 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/08/22 10:59:35 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/08/22 10:59:34 | 01,018,748 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2009/08/22 10:59:34 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/08/22 10:59:34 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\nvtuicpl.cpl
[2009/08/22 10:59:33 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2009/08/22 10:59:31 | 01,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/08/22 10:59:31 | 01,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2009/08/22 10:59:27 | 00,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2009/08/22 10:59:15 | 00,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe

========== Files - Modified Within 14 Days ==========

[2009/08/23 09:19:22 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/08/23 09:19:14 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2009/08/23 09:19:14 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2009/08/23 09:18:45 | 00,013,888 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/23 09:16:56 | 00,000,606 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/08/23 09:16:52 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/23 09:16:51 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/23 09:16:49 | 32,176,57856 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/23 09:15:40 | 00,064,752 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000001-00001102-00000005-60071102}.rfx
[2009/08/23 09:15:40 | 00,055,260 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000001-00001102-00000005-60071102}.rfx
[2009/08/23 09:15:40 | 00,055,260 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000001-00001102-00000005-60071102}.rfx
[2009/08/23 09:10:15 | 00,027,656 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxsec.sys
[2009/08/23 09:10:15 | 00,022,024 | ---- | M] (Prevx) -- C:\WINDOWS\System32\drivers\pxscan.sys
[2009/08/23 09:10:10 | 00,000,067 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/08/22 21:42:00 | 05,891,822 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/08/22 17:34:04 | 00,000,153 | ---- | M] () -- C:\WINDOWS\cavscan.INI
[2009/08/22 16:43:22 | 00,000,786 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Windows Media Player.lnk
[2009/08/22 16:26:16 | 00,000,272 | ---- | M] () -- C:\WINDOWS\System32\drivers\sfi.dat
[2009/08/22 16:19:57 | 00,409,600 | ---- | M] (Creative Labs) -- C:\WINDOWS\System32\wrap_oal.dll
[2009/08/22 16:19:57 | 00,114,688 | ---- | M] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\WINDOWS\System32\OpenAL32.dll
[2009/08/22 16:17:15 | 48,990,1056 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\D00766-001-001.exe
[2009/08/22 16:01:49 | 00,000,808 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\COMODO Internet Security.lnk
[2009/08/22 15:56:44 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/08/22 15:53:00 | 00,179,792 | ---- | M] (COMODO) -- C:\WINDOWS\System32\guard32.dll
[2009/08/22 15:53:00 | 00,132,040 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys
[2009/08/22 15:53:00 | 00,086,976 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys
[2009/08/22 15:53:00 | 00,025,160 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys
[2009/08/22 15:39:24 | 00,038,528 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
[2009/08/22 15:38:48 | 79,033,104 | ---- | M] (COMODO) -- C:\Documents and Settings\Administrator\Desktop\CIS_Setup_3.10.102363.531_XP_Vista_x32.exe
[2009/08/22 12:43:49 | 00,471,150 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/08/22 12:43:49 | 00,401,394 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/08/22 12:43:49 | 00,062,548 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/08/22 12:40:31 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/22 12:40:28 | 00,000,097 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2009/08/22 12:40:27 | 00,000,258 | ---- | M] () -- C:\WINDOWS\tasks\ISP signup reminder 3.job
[2009/08/22 12:40:27 | 00,000,258 | ---- | M] () -- C:\WINDOWS\tasks\ISP signup reminder 2.job
[2009/08/22 12:40:26 | 00,000,258 | ---- | M] () -- C:\WINDOWS\tasks\ISP signup reminder 1.job
[2009/08/22 12:40:26 | 00,000,209 | RHS- | M] () -- C:\boot.ini
[2009/08/22 11:42:53 | 00,008,192 | ---- | M] () -- C:\WINDOWS\REGLOCS.OLD
[2009/08/22 11:41:07 | 00,000,333 | ---- | M] () -- C:\WINDOWS\System32\$ncsp$.inf
[2009/08/22 11:38:53 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/22 11:38:03 | 00,001,252 | ---- | M] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/08/22 11:38:03 | 00,000,520 | ---- | M] () -- C:\WINDOWS\System32\emver.ini
[2009/08/22 11:34:12 | 00,000,288 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/22 11:33:58 | 00,000,908 | -H-- | M] () -- C:\IPH.PH
[2009/08/22 11:33:30 | 00,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2009/08/22 11:32:51 | 00,000,335 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/08/22 11:32:28 | 00,003,284 | ---- | M] () -- C:\WINDOWS\System32\OEMINFO.PNF
[2009/08/22 11:29:39 | 00,001,538 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
[2009/08/22 11:27:58 | 00,093,480 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/22 11:18:35 | 00,028,768 | ---- | M] () -- C:\WINDOWS\System32\javaw.exe
[2009/08/22 11:18:35 | 00,024,670 | ---- | M] () -- C:\WINDOWS\System32\java.exe
[2009/08/22 11:16:27 | 00,000,002 | RHS- | M] () -- C:\USER
[2009/08/22 11:13:06 | 00,000,060 | ---- | M] () -- C:\WINDOWS\System32\SYSDRV.DAT

========== LOP Check ==========

[2009/08/23 09:11:31 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Administrator\Application Data
[2009/08/22 11:35:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2009/08/22 11:33:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView
[2009/08/22 11:33:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
[2009/08/23 09:10:11 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/08/22 11:30:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2009/08/23 09:13:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2006/06/18 23:36:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Prism Deploy
[2009/08/22 11:33:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2009/08/22 11:33:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2004/08/10 12:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/08/22 12:40:26 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 1.job
[2009/08/22 12:40:27 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 2.job
[2009/08/22 12:40:27 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 3.job
[2009/08/23 09:16:52 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\eventlog.dll >
[2004/08/10 12:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll

< %systemroot%\system32\scecli.dll >
[2004/08/10 12:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >
< End of report >

Malwarebytes' Anti-Malware 1.40
Database version: 2682
Windows 5.1.2600 Service Pack 2

8/23/2009 9:47:59 AM
mbam-log-2009-08-23 (09-47-57).txt

Scan type: Quick Scan
Objects scanned: 94901
Time elapsed: 2 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
#2 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello goomba,

Couple of questions here: Is your computer networked?

Are you using any external devices such as thumb drives, flash drives etc.?

Now

Please go to Start > Control Panel >Add or Remove Programs (Programs and Features if you are a Vista user) and uninstall the following if they exist:

Viewpoint, Viewpoint Manager, Viewpoint Media Player:

Viewpoint Manager is considered to be foistware. You can go to the link below to read about it.

http://www.clickz.com/news/article.php/3561546

Next

Please download ComboFix from one of these locations:

NOTE: If you are guest watching this topic. ComboFix is a very powerful tool. The disclaimer clearly states that you should not use it without supervision. There is good reason for this as ComboFix can, and sometimes does, run into conflict on a computer and render it unusable.

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#3 goomba (Topic Starter, Member, 18 posts)
Thank you for your help.
I reformatted my computer prior to this. Before even connecting it to the internet, I checked the directory C:/Windows/System32 and jesterss.dll was still there. I ran combofix, and it strangely created a directory called ComboFix in the C:/ drive, with a different icon than the standard folder one.
ComboFix wasn't running, so I renamed it to some combination of letters, thus changing the directory as well. I then ran ComboFix under the new name, and it worked. Here is the log. NOTE: Jesterss.dll is still in the system32 folder and when I try to delete it I get a prompt: Cannot delete, access is denied.

Here's the log.

ComboFix 09-09-01.04 - Administrator 09/01/2009 18:04.1.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3069.2669 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\azFe.exe
AV: COMODO Antivirus *On-access scanning enabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-3328414007-3217917548-2475689807-500
c:\windows\kb913800.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-09-02 01:05 . 2009-09-02 01:05 23552 ----a-w- c:\windows\system32\_jesterss.dll_.vir
2009-09-02 00:52 . 2009-09-02 00:52 -------- d-----w- c:\windows\LastGood
2009-09-02 00:41 . 2009-09-02 00:41 -------- d-----w- C:\cabs
2009-09-02 00:16 . 2009-09-02 01:00 112497 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-09-02 00:03 . 2009-09-02 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-09-02 00:03 . 2009-09-02 00:03 86976 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-09-02 00:03 . 2009-09-02 00:03 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-09-02 00:03 . 2009-09-02 00:03 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-02 00:03 . 2009-09-02 00:03 132040 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-09-02 00:03 . 2009-09-02 00:03 -------- d-----w- c:\program files\COMODO
2009-09-01 23:40 . 2009-09-01 23:40 -------- d-----w- c:\documents and settings\IUSR_NMPR\Application Data\McAfee.com Personal Firewall
2009-09-01 23:32 . 2009-09-01 23:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2009-09-01 16:35 . 2009-09-01 16:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-09-01 16:33 . 2006-04-21 06:12 332800 -c--a-w- c:\windows\system32\dllcache\srv.sys
2009-09-01 16:33 . 2006-05-19 12:59 94720 -c--a-w- c:\windows\system32\dllcache\iphlpapi.dll
2009-09-01 16:33 . 2006-05-19 12:59 148480 -c--a-w- c:\windows\system32\dllcache\dnsapi.dll
2009-09-01 16:33 . 2006-05-19 12:59 111616 -c--a-w- c:\windows\system32\dllcache\dhcpcsvc.dll
2009-09-01 16:33 . 2006-06-22 10:47 181248 -c--a-w- c:\windows\system32\dllcache\rasmans.dll
2009-09-01 16:32 . 2009-09-02 00:02 -------- d-----w- c:\program files\McAfee
2009-09-01 16:32 . 2009-09-01 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-09-01 16:30 . 2009-09-01 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2009-09-01 16:29 . 2009-09-01 16:29 -------- d-----w- c:\program files\gtw_logo
2009-09-01 16:29 . 2009-09-01 16:29 -------- d-----w- c:\documents and settings\Owner
2009-09-01 16:29 . 2006-02-06 19:24 1239209 ----a-w- c:\windows\system32\gtw_logo.scr
2009-09-01 16:29 . 2003-07-03 22:48 23552 ----a-w- c:\windows\system32\jesterss.dll
2009-09-01 16:27 . 2009-09-01 16:27 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-09-01 16:26 . 2009-09-01 16:26 -------- d-----w- c:\program files\Common Files\Intel
2009-09-01 16:26 . 2009-09-01 16:26 -------- d-----w- c:\windows\system32\ENU
2009-09-01 16:26 . 2006-07-13 16:16 126976 ----a-w- c:\windows\system32\Imsmudlg.exe
2009-09-01 16:25 . 2009-09-01 16:26 -------- d-----w- c:\program files\Intel
2009-09-01 16:25 . 2009-09-01 16:25 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-09-01 16:25 . 2009-09-01 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-09-01 16:25 . 2009-09-01 16:25 -------- d-----w- c:\program files\Napster
2009-09-01 16:25 . 2009-09-01 16:25 -------- d-----w- c:\windows\nview
2009-09-01 16:25 . 2007-04-20 13:05 356352 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-01 16:25 . 2007-04-20 14:15 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-01 16:24 . 2009-09-01 16:24 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-01 16:24 . 2003-08-13 01:17 499712 ------w- c:\windows\system32\msvcp71.dll
2009-09-01 16:24 . 2003-08-13 01:17 348160 ------w- c:\windows\system32\msvcr71.dll
2009-09-01 16:24 . 2003-03-19 03:05 89088 ----a-w- c:\windows\system32\atl71.dll
2009-09-01 16:24 . 2006-02-01 10:54 94208 ----a-w- c:\windows\system32\BAE.dll
2009-09-01 16:24 . 2009-09-01 16:24 -------- d-----w- c:\program files\BigFix
2009-09-01 16:24 . 2005-10-11 19:48 13352 ----a-w- c:\windows\BigFixClientOverride.dll
2009-09-01 16:23 . 2009-09-01 16:23 -------- d-----w- c:\program files\Digital Media Reader
2009-09-01 16:23 . 2009-09-01 16:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-01 16:23 . 2009-09-01 16:23 -------- d-----w- c:\program files\CyberLink
2009-09-01 16:23 . 2009-09-01 16:25 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-01 16:21 . 2006-06-21 09:12 -------- d-----w- c:\documents and settings\Default User\WINDOWS
2009-09-01 16:19 . 2009-09-01 16:32 -------- d-----w- c:\program files\Gateway
2009-09-01 16:19 . 2009-09-01 16:26 -------- d-----w- c:\windows\Downloaded Installations
2009-09-01 16:17 . 2009-09-01 16:35 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-09-01 16:17 . 2009-09-01 16:29 -------- d-----w- c:\program files\Google
2009-09-01 16:13 . 2009-09-01 16:13 -------- d-----w- c:\program files\Java
2009-09-01 16:13 . 2009-09-01 16:13 -------- d-----w- c:\program files\Common Files\Java
2009-09-01 16:13 . 2009-09-01 16:13 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142000}
2009-09-01 16:09 . 2006-07-19 22:42 230400 ----a-w- c:\windows\system32\drivers\e1e5132.sys
2009-09-01 16:09 . 2006-05-04 18:09 56832 ----a-w- c:\windows\system32\NicEtCoE.dll
2009-09-01 16:09 . 2006-05-04 17:59 253952 ----a-w- c:\windows\system32\e1000msg.dll
2009-09-01 16:09 . 2006-03-01 00:01 20480 ----a-w- c:\windows\system32\NicInstE.dll
2009-09-01 16:09 . 2006-01-25 23:59 21504 ----a-w- c:\windows\system32\NicCo.dll
2009-09-01 16:09 . 2006-01-05 04:01 126976 ----a-w- c:\windows\system32\Prounstl.exe
2009-09-01 16:00 . 2009-09-02 00:52 -------- dcsh--r- c:\windows\system32\dllcache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 00:55 . 2009-09-01 16:27 -------- d--ha-w- c:\documents and settings\All Users\Application Data\GTek
2009-09-01 16:28 . 2009-09-01 16:28 -------- d-----w- c:\program files\Pure Networks
2009-09-01 16:28 . 2009-09-01 16:28 -------- d-----w- c:\program files\Learn2.com
2009-09-01 16:28 . 2009-09-01 16:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-09-01 16:28 . 2009-09-01 16:28 -------- d-----w- c:\program files\QuickTime
2009-09-01 16:28 . 2009-09-01 16:28 -------- d-----w- c:\program files\Common Files\aolshare
2009-09-01 16:28 . 2009-09-01 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-09-01 16:28 . 2009-09-01 16:28 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-09-01 16:28 . 2009-09-01 16:28 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-09-01 16:28 . 2009-09-01 16:28 -------- d-----w- c:\program files\Common Files\Real
2009-09-01 16:28 . 2009-09-01 16:28 -------- d-----w- c:\program files\Real
2009-09-01 16:28 . 2009-09-01 16:56 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-01 16:28 . 2009-09-01 16:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\SampleView
2009-09-01 16:27 . 2009-09-01 16:56 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-09-01 16:27 . 2009-09-01 16:56 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-09-01 16:27 . 2009-09-01 16:56 10134 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-09-01 16:27 . 2009-09-01 16:27 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-09-01 16:27 . 2009-09-01 16:27 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-09-01 16:27 . 2009-09-01 16:27 335 ----a-w- c:\windows\nsreg.dat
2009-09-01 16:27 . 2009-09-01 16:27 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-09-01 16:27 . 2009-09-01 16:27 -------- d--h--w- c:\windows\system32\config\systemprofile\Application Data\GTek
2009-09-01 16:27 . 2009-09-01 16:27 -------- d--h--w- c:\documents and settings\Administrator\Application Data\GTek
2009-09-01 16:27 . 2009-09-01 16:27 29184 ----a-w- c:\windows\system32\drivers\goprot51.sys
2009-09-01 16:02 . 2009-09-01 16:02 60 ----a-w- c:\windows\system32\SYSDRV.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-09-01 169984]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-20 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-20 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 303104]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-03-30 375296]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
"Gateway Registration"="c:\windows\system32\GTW1.exe" [2006-04-04 743936]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-02 1793808]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-20 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2009-9-1 2168360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [9/1/2009 5:03 PM 132040]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/1/2009 5:03 PM 25160]
R3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [9/1/2009 9:02 AM 40448]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BITS
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 19:00]

2009-09-01 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 19:00]

2009-09-01 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=DTP&M=FX530S
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=DTP&M=FX530S
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=DTP&M=FX530S
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 18:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\guard32.dll
.
Completion time: 2009-09-02 18:08
ComboFix-quarantined-files.txt 2009-09-02 01:08

Pre-Run: 234,786,562,048 bytes free
Post-Run: 234,786,848,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect


#4 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
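An added triage example (the editor's, not code from the thread or from ComboFix): it parses the "Files Created" lines of the ComboFix log above, lists what else was written in the same minute as a named file, and flags files whose own modification time is years older than the minute they appeared on this disk. The sample lines are a subset copied from the log above; the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the "Files Created" lines from the ComboFix log above.
SAMPLE_LOG = r"""
2009-09-02 01:05 . 2009-09-02 01:05 23552 ----a-w- c:\windows\system32\_jesterss.dll_.vir
2009-09-01 16:29 . 2009-09-01 16:29 -------- d-----w- c:\program files\gtw_logo
2009-09-01 16:29 . 2009-09-01 16:29 -------- d-----w- c:\documents and settings\Owner
2009-09-01 16:29 . 2006-02-06 19:24 1239209 ----a-w- c:\windows\system32\gtw_logo.scr
2009-09-01 16:29 . 2003-07-03 22:48 23552 ----a-w- c:\windows\system32\jesterss.dll
2009-09-01 16:24 . 2003-08-13 01:17 499712 ------w- c:\windows\system32\msvcp71.dll
2009-09-01 16:09 . 2006-07-19 22:42 230400 ----a-w- c:\windows\system32\drivers\e1e5132.sys
"""

# ComboFix "Files Created" line layout: <created> . <modified> <size or --------> <attrs> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.+)$"
)
TS = "%Y-%m-%d %H:%M"


def parse_created(text):
    """Turn the log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, TS),   # when it appeared on this disk
            "modified": datetime.strptime(modified, TS),  # the file's own mtime
            "size": int(size) if size.isdigit() else None,
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return entries


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def same_batch(entries, name):
    """Paths created in the same minute as the entry named `name` (the target itself excluded)."""
    targets = [e for e in entries if basename(e["path"]) == name.lower()]
    if not targets:
        return []
    minute = targets[0]["created"]
    return [e["path"] for e in entries
            if e["created"] == minute and basename(e["path"]) != name.lower()]


def stale_mtime(entries, min_years=2.0):
    """Files whose own mtime predates their creation on this disk by at least min_years."""
    out = []
    for e in entries:
        if e["is_dir"]:
            continue
        age = (e["created"] - e["modified"]).days / 365.25
        if age >= min_years:
            out.append((e["path"], round(age, 1)))
    return out


if __name__ == "__main__":
    entries = parse_created(SAMPLE_LOG)
    print("Created in the same minute as jesterss.dll:")
    for p in same_batch(entries, "jesterss.dll"):
        print("  ", p)
    print("Files whose own mtime is years older than their creation on this disk:")
    for p, yrs in stale_mtime(entries):
        print(f"   {yrs:>4} y  {p}")
```

The batch view shows jesterss.dll landing in the same minute as the Gateway branding files (gtw_logo.scr, the gtw_logo folder, the Owner profile), which is the kind of correlation worth raising with the helper before treating the file as a fresh reinfection. An old modification time on its own is not suspicious: copying from installation media preserves the source mtime, which is why msvcp71.dll and the Intel driver are flagged too.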
Hello again goomba,

Back to my questions: Are you using any external devices such as thumb drives, flash drives etc.?

I did notice that you had reformatted and that was the reason for my above questions. Would you tell me about that please?

Also I see both Comodo and McAfee Firewall there. Running two or more real-time anti-virus, anti-spyware and firewall monitors at the same time can cause a conflict. That conflict can result in slow computer performance, error messages, crashes of the programs or other types of failure. You will very likely end up with little or no protection.

Please uninstall one.

Could be why ComboFix didn't run until you changed its name.

I await your response :)

#5 goomba (Topic Starter, Member, 18 posts)

Quoting emeraldnzl:

Hello again goomba,

Back to my questions: Are you using any external devices such as thumb drives, flash drives etc.?

I did notice that you had reformatted and that was the reason for my above questions. Would you tell me about that please?

Also I see both Comodo and McAfee Firewall there. Running two or more real-time anti-virus, anti-spyware and firewall monitors at the same time can cause a conflict. That conflict can result in slow computer performance, error messages, crashes of the programs or other types of failure. You will very likely end up with little or no protection.

Please uninstall one.

Could be why ComboFix didn't run until you changed its name.

I await your response :)

Hello, and thank you for your prompt response.
Ah! I am sorry, I did not catch that question! Yes, my computer was on a network, until I realized there was a serious security problem going on here. I now have disconnected the router, and run this Desktop straight through the cable modem.
Also, I have a flash drive, but I have not plugged it into my computer for about three months, which was when I first caught a glimpse of jesterss.dll.
McAfee comes installed on my machine whenever I reformat it, so I uninstalled it and then Comodo; however, for some reason, it appears to still be lurking. It also does not show in Add or Remove Programs.

Thank you again for your prompt response and I am glad to be assisted :)

#6 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello goomba,

In this post we will deal with the flash drive and run MBAM to check that the router didn't leave a particular infection.

Also regarding the firewalls I take it what you are telling me is that you have uninstalled McAfee and Comodo but that parts of Comodo are still there?

Now

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.
Next

You may have used Malwarebytes before. If you have, and still have it on your machine, please update and run. Post the scan report back here.

If you do not have Malwarebytes please download from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#7 goomba (Topic Starter, Member, 18 posts)
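An added example (the editor's, not Flash_Disinfector's own code) of the vaccination trick the note above describes: a folder named autorun.inf at the root of a drive occupies the name an autorun worm needs for its file, so the drop fails. The hidden and system attributes are set on Windows only; the demo function exercises the check in temporary directories rather than on a real drive, and the payload stub it writes in the control case is constructed.

```python
import os
import tempfile

AUTORUN = "autorun.inf"


def vaccinate(drive_root):
    """Create a directory named autorun.inf at drive_root (hidden + system on Windows).
    Refuses to act if an autorun.inf *file* is already there: that file may be
    evidence of the infection and should be inspected, not silently replaced."""
    target = os.path.join(drive_root, AUTORUN)
    if os.path.isfile(target):
        raise RuntimeError(f"{target} is a file; inspect it before vaccinating")
    os.makedirs(target, exist_ok=True)
    if os.name == "nt":
        import ctypes  # Windows only: the attributes the thread mentions
        FILE_ATTRIBUTE_HIDDEN = 0x02
        FILE_ATTRIBUTE_SYSTEM = 0x04
        ctypes.windll.kernel32.SetFileAttributesW(
            target, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return target


def autorun_drop_blocked(drive_root):
    """Do what an autorun worm does (write autorun.inf at the root) and report whether
    the write was refused because a directory already owns the name."""
    target = os.path.join(drive_root, AUTORUN)
    try:
        with open(target, "w") as fh:
            fh.write("[autorun]\nopen=payload.exe\n")  # constructed stub, not real malware
    except (IsADirectoryError, PermissionError):
        return True          # the vaccinated name cannot be overwritten with a file
    os.remove(target)        # control case: the drop succeeded, tidy up
    return False


def demo():
    """Run the check in two temp dirs, one vaccinated and one not. Returns (blocked, blocked)."""
    vaccinated = tempfile.mkdtemp()
    control = tempfile.mkdtemp()
    vaccinate(vaccinated)
    return autorun_drop_blocked(vaccinated), autorun_drop_blocked(control)


if __name__ == "__main__":
    blocked_after_vaccine, blocked_without = demo()
    print("drop blocked on vaccinated root:", blocked_after_vaccine)
    print("drop blocked on untouched root: ", blocked_without)
```

This blocks only the file-drop step; the trigger the worm relies on is AutoRun itself, which should also be switched off with the NoDriveTypeAutoRun policy so that an autorun.inf that does get written is never honoured.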
Hello and thank you again for your help,

I am trying to say that I tried to entirely uninstall McAfee. And now, I use Comodo Antivirus+Firewall as my current protection.

I ran MBAM and found nothing. Flash Disinfector will not run on my system, when I click on it.

I found a program called RegRun ReAnimator at this website:

http://greatis.com/reanimator

I downloaded it and it found a lot of problems which I proceeded to remove.
Now jesterss.dll no longer appears in the directory. Do you know anything about this program?

Not related to RegRun Reanimator, something strange has been happening. When I scan on Comodo, it seems to scan through a folder called System Volume Information on my C: drive. This is where multiple infections had previously been located. I cannot find this particular folder on my C: drive however, even when I enable hidden files as visible. Is this normal?

Thank you in advance. :)

EDIT: Here is the MBAM log.

Malwarebytes' Anti-Malware 1.40
Database version: 2736
Windows 5.1.2600 Service Pack 2

9/3/2009 1:20:50 PM
mbam-log-2009-09-03 (13-20-50).txt

Scan type: Quick Scan
Objects scanned: 80421
Time elapsed: 1 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by goomba, 03 September 2009 - 02:21 PM.


#8 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello goomba,

I found a program called RegRun ReAnimator at this website: [...] Do you know anything about this program?


Not in detail. Usually we keep away from programs that play with the Registry. We have had too many sad stories where people have used them and then down the track found a program that won't work or some other problem where their machine won't work properly. Greatis is a legitimate company though and if used properly I am sure that the program will do what they say it does. This review may be of interest to you though: http://www.emailbatt..._aacicebhdj_dg/

Flash Disinfector will not run on my system, when I click on it.


The reason I gave you Flash Disinfector was to clean that flash drive in case it was what was reinfecting your machine.

When I scan on Comodo, it seems to scan through a folder called System Volume Information


System Volume is part of System Restore. Until recently many anti-virus programs didn't access System Restore. Nowadays they do. This is the area where your computer stores restore points and information in case you wish to roll back your computer to an earlier date. Actually, unless you use the Restore Utility the files in there won't hurt your computer. Often though, if your computer is infected, bad files do get stored there and if activated at restore will harm your machine hence the attention of the anti-virus programs. As a matter of course we always clean out System Restore at the cleanup process at the end of our helping someone.

Now I have to ask you a question:

If you are to continue with help here you will have to make a decision to only follow my instructions and not rush off doing other things and using other tools. They can interfere and reverse whatever it is we are doing.

So you tell me what you want to do. :)

#9 goomba (Topic Starter, Member, 18 posts)

Quoting emeraldnzl:

Hello goomba,

If you are to continue with help here you will have to make a decision to only follow my instructions and not rush off doing other things and using other tools. They can interfere and reverse whatever it is we are doing.

So you tell me what you want to do. :)

Hello and thanks again,

Concerning the system restore, I definitely think that's where the virus is hiding; And that's why it's still there after I do perform the reformat of the machine.
I have been trying to delete my D: drive, which serves as my recovery partition, all to no avail. I've in the past tried formatting it as well. Upon recovery my computer becomes infected, which is why I've been trying to delete it. I now have to ask a question: Is the D: drive a piece of physical hardware and can I remove it from my system by opening it up? Or is there a simpler way to do that?

Sorry about rushing off and using RegRun. I will definitely not stray from your instructions in the future.

#10 emeraldnzl (GeekU Instructor, GeekU Moderator, 20,051 posts)
Hello goomba,

And that's why it's still there after I do perform the reformat of the machine.


If you performed a proper reformat neither the contents of System Restore or the infection will be there. If the infection is not being introduced from an outside source such as a flash drive or some other removable device then it might be coming from backups such as e-mail or documents or some infected program that you are putting back on the machine. Alternatively you may not really have carried out a reformat. Perhaps you carried out a repair installation. Often people do this thinking they have reformatted.

Is the D: drive a piece of physical hardware and can I remove it from my system by opening it up?


No, in your case it is a separate partition on your computer's hard drive. Nowadays suppliers often use a separate partition to put a backup of your operating system instead of giving you a Windows Installation Disk. This should be clean unless you have introduced something into the D: drive. That is, sometimes people will place other stuff in there as well as the data put there by the supplier. You could get rid of the D: partition when you reformat but then you wouldn't be able to use that to reinstall your system again.

Now

Nothing showing in that MBAM report. In this post let's update a couple of vulnerable programs and run an online scan of your computer.

Step 1

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to update.

http://www.adobe.com.../readstep2.html

Step 2

Your Java is out of date; older versions are vulnerable to attack.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Note: Tell me if you have any problems trying to do this and we will find an alternative way to do it.

Finally in this post

Kaspersky online scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3. It uses Java Runtime Environment (JRE).

Go to Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

#11 goomba (Topic Starter, Member, 18 posts)

Quoting emeraldnzl:

Hello goomba,

If you performed a proper reformat neither the contents of System Restore or the infection will be there. If the infection is not being introduced from an outside source such as a flash drive or some other removable device then it might be coming from backups such as e-mail or documents or some infected program that you are putting back on the machine. Alternatively you may not really have carried out a reformat. Perhaps you carried out a repair installation. Often people do this thinking they have reformatted.


This is most likely correct. I have detected the infection after reformatting before I have even connected the computer to the internet, along with not yet installing anything- which makes me believe that you are right when you say I performed a repair installation. How can I be sure I reformat in the future?

No in your case it is a separate partition on your computers hard drive. Nowadays suppliers often use a separate partition to put a backup of your operating system instead of giving you a Windows Installation Disk. This should be clean unless you have introduced something into drive D: That is, sometimes people will place other stuff in there as well as the data put there by the supplier. You could get rid of the D: partition when you reformat but then you wouldn't be able to use that to reinstall your system again.

How can I get rid of the D: Partition when I reformat? That would be great. I have a System Recovery CD with the Applications, Drivers, & Operating System. Therefore, doesn't that serve the same purpose as my Recovery Partition (D Drive)?

Step 2
Note: Tell me if you have any problems trying to do this and we will find an alternative way to do it.

I have tried to download JavaRa.exe from the link you provided, but when I click it I get an "Error 403 - Forbidden" which states I don't have access to the link provided, which makes me unable to perform the Kaspersky online scan.

Thanks for your consistent, prompt assistance; I really appreciate it.
  • 0

#12
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts

How can I be sure I reformat in the future?


How can I get rid of the D: Partition when I reformat?


The above are relatively simple, but I am not a tech. I will give you a link (see below) for reformatting, but seeing you want to get rid of the partition at the same time (while that is simple too), I think the best thing would be for you to open a topic in the XP operating system forum here and get them to tell you what you need to do. They won't help you, though, until you have a clean machine. So let's make sure of that first. When/if you do go there, make sure you tell them you have been here first.

Go to WindowsXP Clean Install for instructions how to format and reinstall Windows.


Now

I have tried to download JavaRa.exe from the link you provided, but when I click it I get an "Error 403 - Forbidden"


Okay, let's try another way.

Please follow these steps:

Once you have downloaded and installed the latest version please go to Start > Control Panel > Add or Remove Programs and uninstall all items with Java in them except Java 6 update 16.

After that you should be able to run Kaspersky. Make sure your security programs are disabled; Kaspersky won't work otherwise. Again, if you have trouble there, come back and tell me.
  • 0

#13
goomba

    Member

  • Topic Starter
  • Member
  • 18 posts

How can I be sure I reformat in the future?


How can I get rid of the D: Partition when I reformat?


The above are relatively simple, but I am not a tech. I will give you a link (see below) for reformatting, but seeing you want to get rid of the partition at the same time (while that is simple too), I think the best thing would be for you to open a topic in the XP operating system forum here and get them to tell you what you need to do. They won't help you, though, until you have a clean machine. So let's make sure of that first. When/if you do go there, make sure you tell them you have been here first.

Go to WindowsXP Clean Install for instructions how to format and reinstall Windows.

Thanks.

Now

I have tried to download JavaRa.exe from the link you provided, but when I click it I get an "Error 403 - Forbidden"


Okay, let's try another way.

Please follow these steps:

Once you have downloaded and installed the latest version please go to Start > Control Panel > Add or Remove Programs and uninstall all items with Java in them except Java 6 update 16.

After that you should be able to run Kaspersky. Make sure your security programs are disabled; Kaspersky won't work otherwise. Again, if you have trouble there, come back and tell me.

I finished the scan and removed all other instances of Java. Here is the report. Thanks again.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, September 3, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, September 04, 2009 04:14:03
Records in database: 2744451
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Objects scanned: 42911
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 00:32:18

No threats found. Scanned area is clean.

Selected area has been scanned.
  • 0

#14
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello goomba,

Unless you think your machine has any further problems I think it is clean of malware.

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.

Step 2
  • Make sure you have an Internet Connection.
  • Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTL to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

MBAM can be uninstalled via Control Panel > Add/Remove Programs, but it may be a useful tool to keep. ERUNT can also be uninstalled via the Add/Remove Programs utility; for some, though, it may be a useful backup program to hold on to. The JavaRa folder can be deleted if it is still there.

-------------------------------------------------------------------------------------------------------------------

A reminder now: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that you are clean, here are some things I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program:

--------------------------------------------------------------------------------------------------------------------

A great way to check that your Microsoft and Java have the latest updates is to go to Software Inspector at Secunia.

I do this weekly. Not only do they tell you which programs need updating but they give you the link to follow.

To bolster your security go to Secunia.com to ensure essential programs are up to date.

---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* The MVPS HOSTS file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.

* Consider using an alternate browser. Mozilla's Firefox browser is excellent; it is more secure than Internet Explorer. Firefox is my default browser, but I retain Internet Explorer as well so that I can access the very few sites that require it.

Firefox may be downloaded from Here

-----------------------------------------------------------------------------------------------------------------------

Startuplite is a tool to help you stop some programs not needed when you start your computer from loading. They will begin automatically only when needed.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:


To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!
  • 0

#15
goomba

    Member

  • Topic Starter
  • Member
  • 18 posts
Hello,
I tried to type in ComboFix /u, but it says that ComboFix cannot be found. The folder Qoobox in my C: drive, however, still remains with the quarantined items that were causing harm to my machine. What should I do now?

Thanks again.
  • 0