Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please Help get rid of WIN32/Cryptor Virus! [Solved]

Started by soulpurpose , Apr 28 2009 11:51 AM

  • This topic is locked This topic is locked

#1
soulpurpose
Posted 28 April 2009 - 11:51 AM

soulpurpose

    New Member

  • Member
  • Pip
  • 5 posts
Hello.

My computer has unfortunatley been infected with the WIN32/CRYPTOR Virus and I can't seem to get rid of it! When my computer starts up it gives me two error messages..."Google Installer has encountered a problem and needs to close". The other says "Microsoft Windows- The system has recovered from a serious error". I found the virus through running AVG 8.0 free addition which will not get rid of it. Some of the symptoms my computer has is for instance if I do a google search and hit the link it will bring up something totally different. It won't let me run Malwarebytes which was previously installed. Tryed to delete it out of program files but it wont let me. If computer sits long enough it will freeze. I give up!!doin my head in..ha Any HELP would be greatly appreciated! THANKS A MILLION :)

Edited by soulpurpose, 28 April 2009 - 11:55 AM.

  • 0

Advertisements

#2
Essexboy
Posted 28 April 2009 - 01:54 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there. Lets see what you have first

Download Rooter.exe to your desktop
  • Doubleclick it to start the tool.
  • A Notepad file containing the report will open, also found at %systemdrive%(usually C:)\Rooter.txt. Copy and paste it with your OTLI log.

THEN

  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

  • 0

#3
soulpurpose
Posted 28 April 2009 - 03:33 PM

soulpurpose

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Here it is:


Microsoft Windows XP Professional (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:114485 Mo/Free:2143 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Removable] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)

Tue 04/28/2009|17:14

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\Internet Explorer\Iexplore.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
---------- C:\WINDOWS\ALCXMNTR.EXE
---------- C:\Program Files\QuickTime\qttask.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\PROGRA~1\AVG\AVG8\avgtray.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
---------- C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
---------- C:\WINDOWS\system32\sistray.exe
---------- C:\PROGRA~1\AVG\AVG8\avgrsx.exe
---------- C:\PROGRA~1\AVG\AVG8\avgnsx.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\PROGRA~1\AVG\AVG8\avgemc.exe
---------- C:\Program Files\AVG\AVG8\avgcsrvx.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\system32\wbem\wmiprvse.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

==> VUNDO <==

C:\WINDOWS\System32\TDSSosvd.dat
==> TDSS.. <==

----------------------\\ ROOTKIT !!

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS
HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_TDSSSERV.SYS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS


1 - "C:\Rooter$\Rooter_1.txt" - Tue 04/28/2009|17:16

----------------------\\ Scan completed at 17:16


HERE IS THE OTList.......

OTListIt logfile created on: 4/28/2009 5:23:55 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

383.48 Mb Total Physical Memory | 145.70 Mb Available Physical Memory | 37.99% Memory free
1016.91 Mb Paging File | 656.26 Mb Available in Paging File | 64.53% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.80 Gb Total Space | 82.09 Gb Free Space | 73.43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AUDITT
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\ALCXMNTR.EXE (Realtek Semiconductor Corp.)
PRC - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe (Nero AG)
PRC - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\sistray.exe (Silicon Integrated Systems Corporation)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Internet Explorer\Iexplore.exe (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (avg8emc [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (gupdate1c98eb819eadc9e [Auto | Stopped]) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (gusvc [Auto | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ALCXWDM [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX [System | Running]) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (L6PODLV [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\L6PODLV.sys (Line 6)
DRV - (pcouffin [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\pcouffin.sys (VSO Software)
DRV - (PRISM_A02 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\PRISMA02.sys (Conexant Systems, Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SiS315 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (SiSkp [System | Running]) -- C:\WINDOWS\system32\DRIVERS\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (SISNIC [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sisnic.sys (SiS Corporation)
DRV - (SONYPVU1 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS (Sony Corporation)
DRV - (Tcpip6 [System | Running]) -- C:\WINDOWS\system32\DRIVERS\tcpip6.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/01/07 14:26:28 | 00,000,000 | ---D | M]


O1 HOSTS File: (156 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (BHO) - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll File not found
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" (Nero AG)
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [SfKg6wIP] C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\qwkifqwb.exe File not found
O4 - HKCU..\Run: [SpeedRunner] C:\Documents and Settings\Administrator\Application Data\SpeedRunner\SpeedRunner.exe File not found
O4 - HKCU..\Run: [system tool] C:\WINDOWS\sysguard.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe (Silicon Integrated Systems Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZRxdm069SJUS File not found
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm (Microsoft Corporation)
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx File not found
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfar...etup1.0.1.1.cab (Reg Error: Key error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1178725127703 (WUWebControl Class)
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} http://www.gamehouse...se/ghplayer.cab (GameHouse Games Player)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - AppInit_DLLs: (wgtdpj.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O29 - HKLM SecurityProviders - (msansspc.dll) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O33 - MountPoints2\{33189903-fe4c-11db-87d6-0011d89ae441}\Shell - "" = AutoRun
O33 - MountPoints2\{33189903-fe4c-11db-87d6-0011d89ae441}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2009/04/28 17:22:32 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe
[2009/04/28 17:14:18 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/28 17:13:42 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Rooter.exe
[2009/04/28 10:27:42 | 00,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 8
[2009/04/28 09:02:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2009/04/15 10:32:39 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 10:32:39 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 10:32:37 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 10:32:37 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 10:32:36 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 10:32:34 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 10:32:32 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 10:32:31 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 10:32:30 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 10:31:27 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 10:31:26 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/15 10:31:26 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2008/11/01 21:39:14 | 01,489,939 | -HS- | C] () -- C:\WINDOWS\System32\uxptjbct.ini
[2008/11/01 21:38:16 | 00,897,494 | -HS- | C] () -- C:\WINDOWS\System32\sAJklUvw.ini2
[2008/11/01 21:38:16 | 00,897,494 | -HS- | C] () -- C:\WINDOWS\System32\sAJklUvw.ini
[2007/05/11 14:32:27 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2007/05/10 16:50:16 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/05/09 13:40:20 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/09 13:34:58 | 00,095,496 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2007/05/09 13:34:42 | 00,078,361 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2007/05/09 13:21:47 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\setuplib.dll
[2004/08/04 08:00:00 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 08:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/08/04 07:55:59 | 01,614,848 | ---- | C] () -- C:\WINDOWS\System32\sfcfiles.dll
[1999/01/22 14:46:56 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/04/28 17:22:34 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe
[2009/04/28 17:13:43 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Rooter.exe
[2009/04/28 17:09:39 | 00,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/28 17:09:39 | 00,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/28 17:09:39 | 00,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/28 17:05:55 | 00,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[2009/04/28 17:05:46 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/28 17:05:46 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/04/28 17:05:22 | 00,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/04/28 17:05:22 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/04/28 17:05:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/28 17:05:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/28 14:28:12 | 04,298,474 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/04/28 13:38:01 | 00,000,270 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/04/28 12:57:26 | 00,000,172 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/04/28 12:57:26 | 00,000,172 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/04/28 12:47:31 | 00,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/04/28 12:47:31 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/04/28 09:35:39 | 00,000,172 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/04/28 09:35:39 | 00,000,172 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/04/28 09:33:41 | 35,502,864 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/04/28 09:33:41 | 00,040,278 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/04/28 09:09:33 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/04/28 09:09:33 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/04/28 09:00:47 | 00,000,172 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2009/04/28 09:00:47 | 00,000,172 | -H-- | M] () -- C:\sqmdata19.sqm
[2009/04/28 08:40:04 | 00,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2009/04/28 08:40:04 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009/04/28 08:28:17 | 00,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/04/28 08:28:17 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/04/27 22:46:39 | 00,000,172 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/04/27 22:46:39 | 00,000,172 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/04/27 21:40:16 | 00,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/04/27 21:40:16 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/04/27 21:36:18 | 00,000,172 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/04/27 21:36:17 | 00,000,172 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/04/27 21:25:35 | 00,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/04/27 21:25:35 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/04/27 19:33:54 | 00,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/04/27 19:33:54 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009/04/27 17:41:44 | 00,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2009/04/27 17:41:44 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009/04/27 17:01:36 | 00,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2009/04/27 17:01:35 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009/04/27 13:31:42 | 00,000,172 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009/04/27 13:31:42 | 00,000,172 | -H-- | M] () -- C:\sqmdata09.sqm
[2009/04/27 13:30:23 | 00,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2009/04/27 13:30:23 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009/04/27 11:44:50 | 00,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/04/27 11:44:50 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/04/27 10:07:13 | 00,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/04/27 10:07:13 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/04/27 10:04:46 | 00,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/04/27 10:04:46 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/04/18 09:08:36 | 00,434,673 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/04/15 21:27:21 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/12 09:42:55 | 53,506,6798 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Image.nrg
[2009/04/06 20:35:03 | 00,034,816 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Sean Masters Resume.doc
[2009/04/06 10:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/04 22:21:13 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\iTunes.lnk

========== LOP Check ==========

[2009/04/28 09:56:30 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\Application Data
[2008/10/31 06:04:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2008/04/13 00:25:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\AdobeUM
[2008/06/08 10:03:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Ahead
[2008/01/21 02:25:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Apple Computer
[2009/01/16 20:34:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\CyberLink
[2008/12/10 20:14:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Google
[2007/05/09 11:35:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Identities
[2009/04/28 13:58:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\LimeWire
[2008/11/02 01:35:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Line 6
[2007/05/09 13:57:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2008/11/02 04:10:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2008/11/06 08:17:51 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2007/05/09 13:37:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Microsoft Web Folders
[2008/10/31 05:43:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
[2009/01/15 13:12:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Real
[2008/11/02 00:19:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Sun
[2008/10/31 18:58:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\U3
[2008/11/10 13:20:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\vghd
[2009/04/27 19:34:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Vso
[2008/12/10 20:11:22 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/04/13 00:24:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2007/05/10 19:04:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/04/27 10:06:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/01/16 20:19:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cyberlink
[2008/12/05 22:55:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GameHouse
[2009/04/27 19:34:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google Updater
[2008/11/01 21:14:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Line 6
[2008/11/02 04:09:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/11/05 14:24:44 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2008/11/21 12:17:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sonoma Wire Works
[2008/11/02 17:59:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/05/09 11:54:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2008/11/02 16:42:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinKey
[2008/11/05 15:49:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WLInstaller
[2009/03/17 07:19:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2009/04/28 13:38:01 | 00,000,270 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
[2004/08/04 08:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/04/28 17:05:46 | 00,000,868 | ---- | M] () -- C:\WINDOWS\Tasks\Google Software Updater.job
[2009/04/28 17:05:55 | 00,000,896 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachine.job
[2009/04/28 17:05:05 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========

[2008/11/02 04:02:15 | 00,000,000 | ---D | M] -- C:\WINDOWS\System32\Τаsks
** - C:\WINDOWS\System32\??sks
[2008/10/31 00:09:30 | 00,000,000 | ---D | M] -- C:\WINDOWS\System32\Τаsks\Τаsks
** - C:\WINDOWS\System32\??sks\??sks

========== Alternate Data Streams ==========

@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
  • 0

#4
Essexboy
Posted 28 April 2009 - 04:03 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there first I will need to get rid of the rootkit before we do anything else

Download the HostsXpert 4.2 - Hosts File Manager.
  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

THEN

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a OTListit log so we can continue cleaning the system.

  • 0

#5
soulpurpose
Posted 28 April 2009 - 05:24 PM

soulpurpose

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Here ya go.. by the way..I appreciate it!!\

ComboFix 09-04-28.02 - Administrator 04/28/2009 19:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.383.114 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\000B3080.urr
c:\program files\FunWebProducts\ScreenSaver\Images\00107726.urr
c:\program files\FunWebProducts\ScreenSaver\Images\0011E953.dat
c:\program files\FunWebProducts\ScreenSaver\Images\f3wallpp.bmp
c:\program files\FunWebProducts\ScreenSaver\Images\wrkparam.lst
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\windows\system32\config\systemprofile\Application Data\Facegame
c:\windows\system32\config\systemprofile\Application Data\Gool
c:\windows\system32\config\systemprofile\Application Data\SpeedRunner
c:\windows\system32\config\systemprofile\Application Data\SpeedRunner\config.cfg
c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\drivers\UACypalkiqwmimovdk.sys
c:\windows\system32\sAJklUvw.ini
c:\windows\system32\sAJklUvw.ini2
c:\windows\system32\sks~1
c:\windows\system32\TDSScfub.dll
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoexh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\UACbmxbhptaglirssn.log
c:\windows\system32\UACfxdejwxluhbbdwd.dll
c:\windows\system32\UACifxwipbyfwqbavb.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmvslhqeaxpwvqee.dll
c:\windows\system32\UACrvemdkpuxxyinos.dll
c:\windows\system32\UACswlqdatjkaryghc.log
c:\windows\system32\UACttfubvsivlysmuw.dll
c:\windows\system32\UACtvgvmxmlaxukrqo.log
c:\windows\system32\UACxbmmqxbnmpfurba.dat
c:\windows\system32\uxptjbct.ini
c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\sfcfiles.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Service_UACd.sys
-------\Legacy_SFC
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-28 21:14 . 2009-04-28 21:16 -------- d-----w C:\Rooter$
2009-04-28 14:27 . 2009-04-28 14:28 -------- d-----w c:\program files\Cobian Backup 8
2009-04-15 14:32 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 14:32 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 14:32 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 14:32 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 14:32 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 14:32 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 14:32 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 14:32 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 14:32 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 14:31 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 14:31 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 17:02 . 2008-11-02 08:09 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 15:27 . 2008-11-02 09:28 -------- d-----w c:\program files\Java
2009-03-09 09:19 . 2008-11-02 04:21 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-07 14:28 . 2008-10-31 23:02 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-07 14:28 . 2008-10-31 23:02 325128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-07 14:28 . 2008-10-31 23:02 107272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2005-07-29 20:24 . 2008-10-31 04:04 472 --sha-r c:\windows\VG9ieSBNYXN0ZXJz\p362ym1hsrhXtrLW.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-11-10 94208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-04-27 257088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-07 1601304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2006-03-09 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-5-10 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2007-5-9 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-07 14:28 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R2 gupdate1c98eb819eadc9e;Google Update Service (gupdate1c98eb819eadc9e);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 133104]
R3 L6PODLV;PODxt Live Service;c:\windows\system32\Drivers\L6PODLV.sys [2008-10-23 530560]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-07 325128]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-02-07 107272]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-07 903960]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-07 298264]

.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]

2009-04-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2009-04-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-11 13:27]

2009-04-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 15:22]
.
- - - - ORPHANS REMOVED - - - -

BHO-{ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - c:\windows\system32\iehelper.dll
HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: &Search - http://edits.mywebse...?p=ZRxdm069SJUS
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/PopularScreenSaversInitialSetup1.0.1.1.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.gamehouse.com/games/gamehouse/ghplayer.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 19:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3548)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-28 19:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 23:16

Pre-Run: 88,074,833,920 bytes free
Post-Run: 88,351,551,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

205 --- E O F --- 2009-04-16 01:27


OTListIt logfile created on: 4/28/2009 7:19:39 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

383.48 Mb Total Physical Memory | 152.11 Mb Available Physical Memory | 39.67% Memory free
1016.76 Mb Paging File | 710.25 Mb Available in Paging File | 69.85% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.80 Gb Total Space | 82.29 Gb Free Space | 73.60% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AUDITT
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\WINDOWS\ALCXMNTR.EXE (Realtek Semiconductor Corp.)
PRC - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe (Nero AG)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\WINDOWS\system32\sistray.exe (Silicon Integrated Systems Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (avg8emc [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (gupdate1c98eb819eadc9e [Auto | Stopped]) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (gusvc [Auto | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (WLSetupSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ALCXWDM [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX [System | Running]) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (catchme [Disabled | Running]) -- File not found
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (L6PODLV [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\L6PODLV.sys (Line 6)
DRV - (pcouffin [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\pcouffin.sys (VSO Software)
DRV - (PRISM_A02 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\PRISMA02.sys (Conexant Systems, Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SiS315 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (SiSkp [System | Running]) -- C:\WINDOWS\system32\DRIVERS\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (SISNIC [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sisnic.sys (SiS Corporation)
DRV - (SONYPVU1 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS (Sony Corporation)
DRV - (Tcpip6 [System | Running]) -- C:\WINDOWS\system32\DRIVERS\tcpip6.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/01/07 14:26:28 | 00,000,000 | ---D | M]


O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AlcxMonitor] ALCXMNTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" (Nero AG)
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe (Silicon Integrated Systems Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZRxdm069SJUS File not found
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm (Microsoft Corporation)
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx File not found
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfar...etup1.0.1.1.cab (Reg Error: Key error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1178725127703 (WUWebControl Class)
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} http://www.gamehouse...se/ghplayer.cab (GameHouse Games Player)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O33 - MountPoints2\{33189903-fe4c-11db-87d6-0011d89ae441}\Shell - "" = AutoRun
O33 - MountPoints2\{33189903-fe4c-11db-87d6-0011d89ae441}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2009/04/28 18:57:04 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/04/28 18:57:01 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/04/28 18:57:00 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/04/28 18:55:28 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/04/28 18:55:28 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/04/28 18:55:28 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/04/28 18:55:28 | 00,113,152 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/04/28 18:55:28 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/04/28 18:55:28 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/04/28 18:55:28 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/04/28 18:55:28 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/04/28 18:55:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/28 18:50:58 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/04/28 18:49:58 | 03,007,964 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
[2009/04/28 17:22:32 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe
[2009/04/28 17:14:18 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/28 17:13:42 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Rooter.exe
[2009/04/28 10:27:42 | 00,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 8
[2009/04/28 09:02:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2009/04/15 10:32:39 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 10:32:39 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 10:32:37 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 10:32:37 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 10:32:36 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 10:32:34 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 10:32:32 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 10:32:31 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 10:32:30 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 10:31:27 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 10:31:26 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/15 10:31:26 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2007/05/11 14:32:27 | 00,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2007/05/10 16:50:16 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/05/09 13:40:20 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/09 13:34:58 | 00,095,496 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2007/05/09 13:34:42 | 00,078,361 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2007/05/09 13:21:47 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\setuplib.dll
[2004/08/04 08:00:00 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 08:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[1999/01/22 14:46:56 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/04/28 19:17:37 | 00,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/28 19:17:37 | 00,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/28 19:17:36 | 00,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/28 19:17:11 | 00,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/04/28 19:17:11 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/04/28 19:14:05 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/04/28 19:13:46 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/28 19:13:39 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/04/28 19:13:37 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/04/28 19:13:33 | 00,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[2009/04/28 19:13:25 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/28 19:13:22 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/28 18:57:04 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/04/28 18:50:10 | 03,007,964 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\Combo-Fix.exe
[2009/04/28 18:38:01 | 00,000,270 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/04/28 17:22:34 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTListIt2.exe
[2009/04/28 17:13:43 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Rooter.exe
[2009/04/28 17:05:22 | 00,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/04/28 17:05:22 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/04/28 14:28:12 | 04,298,474 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/04/28 12:57:26 | 00,000,172 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/04/28 12:57:26 | 00,000,172 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/04/28 12:47:31 | 00,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/04/28 12:47:31 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/04/28 09:35:39 | 00,000,172 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/04/28 09:35:39 | 00,000,172 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/04/28 09:33:41 | 35,502,864 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/04/28 09:33:41 | 00,040,278 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/04/28 09:09:33 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/04/28 09:09:33 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/04/28 09:00:47 | 00,000,172 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2009/04/28 09:00:47 | 00,000,172 | -H-- | M] () -- C:\sqmdata19.sqm
[2009/04/28 08:40:04 | 00,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2009/04/28 08:40:04 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009/04/28 08:28:17 | 00,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2009/04/28 08:28:17 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009/04/28 01:28:42 | 00,113,152 | ---- | M] () -- C:\WINDOWS\vFind.exe
[2009/04/27 22:46:39 | 00,000,172 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/04/27 22:46:39 | 00,000,172 | -H-- | M] () -- C:\sqmdata16.sqm
[2009/04/27 21:40:16 | 00,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/04/27 21:40:16 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/04/27 21:36:18 | 00,000,172 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/04/27 21:36:17 | 00,000,172 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/04/27 21:25:35 | 00,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/04/27 21:25:35 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/04/27 19:33:54 | 00,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/04/27 19:33:54 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009/04/27 17:41:44 | 00,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2009/04/27 17:41:44 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009/04/27 17:01:36 | 00,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2009/04/27 17:01:35 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009/04/27 13:31:42 | 00,000,172 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009/04/27 13:31:42 | 00,000,172 | -H-- | M] () -- C:\sqmdata09.sqm
[2009/04/27 13:30:23 | 00,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2009/04/27 13:30:23 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009/04/27 11:44:50 | 00,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/04/27 11:44:50 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/04/27 10:07:13 | 00,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/04/27 10:07:13 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/04/18 09:08:36 | 00,434,673 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/04/15 21:27:21 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/12 09:42:55 | 53,506,6798 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Image.nrg
[2009/04/06 20:35:03 | 00,034,816 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Sean Masters Resume.doc
[2009/04/06 10:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/04 22:21:13 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\iTunes.lnk
< End of report >
  • 0

#6
Essexboy
Posted 29 April 2009 - 01:58 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Looking better :) How is your computer running on completion of this part

Run OTList2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Files
c:\windows\VG9ieSBNYXN0ZXJz

:Commands
[purity]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log ( don't check the boxes beside LOP Check or Purity this time )

THEN

Posted Image Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.
  • 0

#7
soulpurpose
Posted 29 April 2009 - 07:56 AM

soulpurpose

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hey there. It is running much better! Acting normal now..

========== FILES ==========
c:\windows\VG9ieSBNYXN0ZXJz moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LN0JUHBA\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2RPYSBCD\Generic[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2RPYSBCD\Please-Help-get-rid-WIN32-Cryptor-Virus-t237210[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_230.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTListIt2 by OldTimer - Version 2.0.14.0 log created on 04292009_094200

Files moved on Reboot...
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LN0JUHBA\iframe[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2RPYSBCD\Generic[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2RPYSBCD\Please-Help-get-rid-WIN32-Cryptor-Virus-t237210[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_230.dat not found!

Registry entries deleted on Reboot...



HERE IS THE LOG FOR MBAM...................

Malwarebytes' Anti-Malware 1.36
Database version: 2059
Windows 5.1.2600 Service Pack 3

4/29/2009 10:06:10 AM
mbam-log-2009-04-29 (10-06-10).txt

Scan type: Quick Scan
Objects scanned: 77606
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 26
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by soulpurpose, 29 April 2009 - 08:08 AM.

  • 0

#8
Essexboy
Posted 29 April 2009 - 01:24 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Well that cleared the waifs and strays in the registry for me :) I will remove my stuff and if you could run for 24 hours and let me know how it is going

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself so..Run OTListit and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 13.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and the display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)
  • 0

#9
soulpurpose
Posted 30 April 2009 - 03:43 PM

soulpurpose

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hey there. Everything seems to be o.k. at this point. No problems yet! (Knock on Wood).... Just need to download those programs you told me about and that should wrap it up! Thanks so much for your help....Couldn't have done it without ya!! :)
  • 0

#10
Essexboy
Posted 30 April 2009 - 03:58 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Glad to be of assistance - keep safe
  • 0

#11
Essexboy
Posted 02 May 2009 - 04:28 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP