Severely Infected [Solved] [Closed] - Geeks to Go Forums


Severely Infected [Solved] [Closed] Can not remove severe infection, tried numerous times.

#1 ADLoc

  • Group: Member
  • Posts: 34
  • Joined: 17-August 09

Posted 17 August 2009 - 05:08 PM

Hi, I came here in hopes of finding help to deal with this issue. I do not know how I was infected, but ever since I have been, every time I do a search on Firefox or IE I immediately get redirected to another website; they are usually random websites such as unknown search engines and such. Other times the advertisements on websites get replaced by male penis enlargement advertisements. Though it was a bit funny at first, it just got really annoying later on. The name of the advertisement was "Vimax". I looked up the symptoms of this spyware online and it showed me that it may be CoolWebSearch.

I ran about 5 McAfee scans and it detected one trojan: File: NTOSKRNL-HOOK. Detection Name: Generic Rootkit.d!rootkit (Trojan). I scanned again today and it not only showed the NTOSKRNL-HOOK, but also another trojan which it quarantined: Generic.dx. Even though I've scanned and deleted this detection 3 times, it eventually comes back again.

The infection(s) on my PC also prevent me from visiting certain antivirus websites, and also prevent me from visiting the Windows Update website; it says that the page can't be displayed, not available, "Oops! This link appears to be broken." It has also disabled my McAfee updates, so whenever it tries to auto-update, it gives me a message saying that it has failed and to reinstall it. It also disabled HijackThis and Malwarebytes'. As soon as I launch the programs nothing happens. It sometimes freezes my computer upon startup. Another thing, I do not know whether this issue is related to the infection, but upon startup I receive an error dialog which says "Internet Explorer Error: Can not find file:///". I have not done anything to my IE files. I also have OTL and RootRepeal logs. I would very much appreciate it if someone could help me get this resolved.


OTL:


OTL logfile created on: 8/17/2009 4:21:40 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.23 Mb Total Physical Memory | 231.54 Mb Available Physical Memory | 51.77% Memory free
1.03 Gb Paging File | 0.72 Gb Available in Paging File | 69.89% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 189.92 Gb Total Space | 164.72 Gb Free Space | 86.73% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DOSSANI
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/07/03 09:49:06 | 01,029,456 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2008/07/20 11:05:27 | 00,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\System32\VTTimer.exe
PRC - [2008/07/20 11:05:27 | 00,147,456 | ---- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\System32\VTtrayp.exe
PRC - [2007/11/01 18:12:38 | 00,582,992 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/07/25 05:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/03/18 14:50:54 | 00,984,616 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
PRC - [2009/01/18 18:38:36 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/03/18 14:50:54 | 00,984,616 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
PRC - [2002/01/29 13:33:14 | 00,077,824 | ---- | M] () -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
PRC - [2002/07/17 02:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
PRC - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/01/09 15:50:22 | 00,767,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2008/01/25 01:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2007/08/15 12:36:04 | 00,359,248 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2007/07/24 12:02:14 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\McShield.exe
PRC - [2007/07/18 12:54:42 | 00,856,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe
PRC - [2009/06/24 13:26:02 | 00,604,416 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TUProgSt.exe
PRC - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2004/08/04 07:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\unsecapp.exe
PRC - [2009/02/06 05:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2009/07/03 09:49:06 | 00,520,024 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2007/12/05 10:04:10 | 00,695,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2007/11/01 18:12:38 | 00,265,040 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcuimgr.exe
PRC - [2009/08/17 16:18:55 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OhTeeEl.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2002/01/29 13:33:14 | 00,077,824 | ---- | M] () -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe -- (EpsonBidirectionalService [Auto | Running])
SRV - [2002/07/17 02:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2 [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/04/24 16:01:34 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/07/03 09:49:06 | 01,029,456 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2008/01/09 15:50:22 | 00,767,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2008/01/25 01:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
SRV - [2007/11/07 09:35:40 | 00,378,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
SRV - [2007/08/15 12:36:04 | 00,359,248 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
SRV - [2007/07/24 12:02:14 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\McShield.exe -- (McShield [Unknown | Running])
SRV - [2007/12/05 10:04:10 | 00,695,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])
SRV - [2007/07/18 12:54:42 | 00,856,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2009/02/17 11:59:00 | 02,794,234 | ---- | M] (INCA Internet Co., Ltd.) -- C:\WINDOWS\System32\GameMon.des -- (npggsvc [On_Demand | Stopped])
SRV - File not found -- -- (npkcmsvc [Auto | Stopped])
SRV - [2009/01/07 12:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService [On_Demand | Stopped])
SRV - [2009/01/21 13:08:06 | 01,095,560 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService [On_Demand | Stopped])
SRV - [2009/06/24 13:25:57 | 00,361,216 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TuneUpDefragService.exe -- (TuneUp.Defrag [On_Demand | Stopped])
SRV - [2009/06/24 13:26:02 | 00,604,416 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc [Auto | Running])
SRV - [2009/04/27 14:21:36 | 00,028,928 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\uxtuneup.dll -- (UxTuneUp [Auto | Running])
SRV - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:3.5.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11
FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query="


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/24 07:36:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/04/23 18:38:38 | 00,000,000 | ---D | M]

[2009/04/30 06:49:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Extensions
[2009/04/30 06:49:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/04/23 18:41:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Extensions\mozswing@mozswing.org
[2009/07/14 12:27:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\5wad0x6y.default\extensions
[2009/06/24 07:53:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\5wad0x6y.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/07/10 18:44:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\5wad0x6y.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2009/07/13 13:11:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\5wad0x6y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/05/24 21:04:24 | 00,004,207 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Mozilla\FireFox\Profiles\5wad0x6y.default\searchplugins\aim-search.xml
[2009/07/17 11:35:16 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/09 18:28:29 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/05/21 11:33:58 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2008/09/26 11:40:34 | 00,053,248 | ---- | M] (AOL LLC) -- C:\Program Files\mozilla firefox\plugins\npdnu.dll
[2009/05/18 18:58:53 | 00,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\mozilla firefox\plugins\npPandoWebInst.dll
[2007/04/16 12:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Cmaudio] File not found
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] C:\WINDOWS\System32\VTtrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKCU..\Run: [Desktop Software] C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [Universal Installer] C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe (SupportSoft, Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplane...C_2.3.7.109.cab (Reg Error: Key error.)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} http://disteng.nefficient.com/disteng/neff...ffyLauncher.cab (NeffyLauncherCtl Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.105,85.255.112.21
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/20 10:00:26 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 14 Days ==========

[2009/08/17 16:18:54 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OhTeeEl.exe
[2009/08/17 16:17:10 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/17 16:17:07 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/17 16:17:06 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/17 16:17:06 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/17 16:17:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/17 16:16:28 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\user\Desktop\moofoobtes.exe
[2009/08/17 16:12:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/08/17 16:12:11 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\user\Desktop\NTREGOPT.lnk
[2009/08/17 16:12:11 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2009/08/17 16:12:11 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/08/17 14:36:37 | 00,000,701 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Gunz.lnk
[2009/08/17 14:35:48 | 00,001,819 | ---- | C] () -- C:\Documents and Settings\user\Desktop\i j j i.lnk
[2009/08/17 14:35:43 | 00,000,000 | ---D | C] -- C:\ijji
[2009/08/17 14:34:48 | 00,157,144 | ---- | C] (NHN Corporation) -- C:\WINDOWS\System32\PubPlugin.dll
[2009/08/17 14:34:48 | 00,058,800 | ---- | C] (NHN USA Corp.) -- C:\WINDOWS\System32\ijjiPlugin2.dll
[2009/08/17 14:34:48 | 00,000,000 | ---D | C] -- C:\Temp
[2009/08/17 14:34:47 | 00,710,064 | ---- | C] (NHN USA) -- C:\WINDOWS\System32\ijjiSetup.exe
[2009/08/17 14:34:47 | 00,058,800 | ---- | C] (NHN USA Inc.) -- C:\WINDOWS\System32\ijjiProcessRestarter.exe
[2009/08/17 14:34:47 | 00,000,000 | ---D | C] -- C:\Program Files\NHN USA
[2009/08/14 17:21:32 | 00,000,227 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Throw Me That Pack.mp3
[2009/08/13 22:21:49 | 06,784,719 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Fergie - London Bridge.mp3
[2009/08/13 17:35:42 | 07,891,405 | ---- | C] () -- C:\Documents and Settings\user\Desktop\2pac - Gangsta Party.mp3
[2009/08/13 17:30:38 | 08,974,286 | ---- | C] () -- C:\Documents and Settings\user\Desktop\snoop - gin and juice.mp3
[2009/08/13 15:19:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\My Documents\My Received Files
[2009/08/13 14:23:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\My Documents\GTA San Andreas User Files
[2009/08/13 11:42:48 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

========== Files - Modified Within 14 Days ==========

[2009/08/17 16:18:55 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OhTeeEl.exe
[2009/08/17 16:17:10 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/17 16:16:28 | 03,942,048 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\user\Desktop\moofoobtes.exe
[2009/08/17 16:12:11 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\user\Desktop\NTREGOPT.lnk
[2009/08/17 16:12:11 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2009/08/17 16:01:56 | 00,017,961 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/08/17 16:01:56 | 00,000,484 | ---- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[2009/08/17 16:01:52 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/17 16:01:10 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/17 16:01:06 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/17 15:51:00 | 00,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003UA.job
[2009/08/17 14:40:39 | 00,000,031 | ---- | M] () -- C:\WINDOWS\GunzLauncher.INI
[2009/08/17 14:37:14 | 00,001,819 | ---- | M] () -- C:\Documents and Settings\user\Desktop\i j j i.lnk
[2009/08/17 14:36:37 | 00,000,701 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Gunz.lnk
[2009/08/17 12:32:24 | 04,269,896 | -H-- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\IconCache.db
[2009/08/17 10:49:10 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/08/16 16:51:08 | 00,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003Core.job
[2009/08/15 12:23:41 | 06,784,719 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Fergie - London Bridge.mp3
[2009/08/14 17:21:32 | 00,000,227 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Throw Me That Pack.mp3
[2009/08/13 17:36:07 | 07,891,405 | ---- | M] () -- C:\Documents and Settings\user\Desktop\2pac - Gangsta Party.mp3
[2009/08/13 17:31:06 | 08,974,286 | ---- | M] () -- C:\Documents and Settings\user\Desktop\snoop - gin and juice.mp3
[2009/08/13 11:42:48 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/08/13 10:52:13 | 00,002,277 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Google Chrome.lnk
[2009/08/13 10:17:33 | 00,016,896 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== LOP Check ==========

[2009/08/17 16:17:06 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/06/24 13:24:24 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
[2009/07/17 10:48:47 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
[2008/09/13 15:10:24 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{F481FC18-57D5-4479-B2FB-083BFF223F8F}
[2009/07/04 09:19:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/03/29 20:02:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AMV Converter Studio
[2009/05/10 18:38:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU
[2009/07/10 19:42:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DFX
[2009/07/30 17:50:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
[2009/05/22 18:01:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2009/07/18 08:28:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/11/27 13:57:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trymedia
[2009/06/24 13:25:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2009/07/04 09:20:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/07/17 16:57:25 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\user\Application Data
[2009/07/05 22:06:06 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\user\Application Data\.#
[2009/07/04 09:25:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\acccore
[2009/05/10 18:38:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\AVS4YOU
[2009/05/06 23:18:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Axara
[2009/06/23 16:35:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Bioshock
[2009/02/10 19:15:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\EPSON
[2009/01/28 18:24:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\fizzy
[2009/05/11 17:22:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\FMZilla
[2009/07/07 08:50:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\GetRightToGo
[2009/07/05 08:30:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Graboid Inc
[2009/05/10 18:29:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\GrabPro
[2008/09/13 15:09:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\IGN_DLM
[2009/08/17 14:37:00 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\user\Application Data\ijjigame
[2008/08/12 20:18:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\ImTOO Software Studio
[2009/04/23 18:47:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\LimeWire
[2009/02/17 07:41:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Nexon
[2008/08/13 08:48:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\NPLUTO Corporation
[2009/05/10 18:37:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Orbit
[2009/06/17 09:42:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Sahmon Games
[2009/03/24 19:53:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\TeamViewer
[2009/06/24 13:25:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\TuneUp Software
[2009/04/29 21:29:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Ventrilo
[2009/08/17 16:01:56 | 00,000,484 | ---- | M] () -- C:\WINDOWS\Tasks\1-Click Maintenance.job
[2009/08/17 10:49:10 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2004/08/04 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/08/16 16:51:08 | 00,000,922 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003Core.job
[2009/08/17 15:51:00 | 00,000,974 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003UA.job
[2009/06/24 10:21:49 | 00,000,338 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/06/24 10:21:48 | 00,000,330 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2009/08/17 16:01:10 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

========== Alternate Data Streams ==========

@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:90EF0C9C
< End of report >

Extras:
OTL Extras logfile created on: 8/17/2009 4:23:07 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.23 Mb Total Physical Memory | 206.61 Mb Available Physical Memory | 46.20% Memory free
1.03 Gb Paging File | 0.71 Gb Available in Paging File | 68.47% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 189.92 Gb Total Space | 164.72 Gb Free Space | 86.73% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DOSSANI
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"56853:TCP" = 56853:TCP:*:Enabled:Pando Media Booster
"56853:UDP" = 56853:UDP:*:Enabled:Pando Media Booster
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"56980:TCP" = 56980:TCP:*:Enabled:Pando Media Booster
"56980:UDP" = 56980:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1DCC7418-2089-4BDD-B321-3771956160FC}" = ijji Auto Installer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 15
"{2E1DE390-879C-4291-9B68-DA032D2CC98E}" = AudioEdit Deluxe
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{5109FC1B-2250-4EDE-903A-1662B69F2001}" = Darkeden
"{54AE3C08-D7D8-45FF-9348-0B4BE0D5A6CB}" = Comcast Universal Installer v1.2
"{55A29068-F2CE-456C-9148-C869879E2357}" = TuneUp Utilities 2009
"{6C11D561-620B-47DA-A693-4C597F3CDF40}" = EPSON Smart Panel
"{6C5D7191-140A-11D6-B5A0-0050DA208A93}" = ArcSoft PhotoImpression
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A3EABC0-CA06-11D4-BF77-00104B130C19}" = EPSON TWAIN 5
"{9F9F3775-7E5B-4028-B5E5-DA1C042517A8}" = EPSON Photo Print
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{B69CC1A5-0404-11D6-ABCB-005004C21D30}" = EPSON Copy Utility
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}" = ScanToWeb
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AIM_6" = AIM 6
"Cheat Engine 5.5_is1" = Cheat Engine 5.5
"C-Media Audio" = C-Media 3D Audio
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DFX for Windows Media Player" = DFX for Windows Media Player
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON Scanner" = EPSON Scan
"ERUNT_is1" = ERUNT 1.1j
"Free YouTube to Mp3 Converter_is1" = Free YouTube to Mp3 Converter version 3.1
"Gunz" = ijji - Gunz
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Messenger Plus! Live" = Messenger Plus! Live
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSC" = McAfee SecurityCenter
"Neffy" = Neffy 1,2,0,22
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nsauditor_is1" = Nsauditor 1.9.3
"Setup Wizard EPIC" = EPSON EIC
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Spyware Doctor" = Spyware Doctor 6.0
"Uninstall_is1" = Uninstall 1.0.0.1
"VIA/S3G UniChrome Family Win2K/XP Display" = VIA/S3G Display Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"XAimer_is1" = XAimer
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"ijji.com" = ijji

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/17/2009 4:29:12 PM | Computer Name = DOSSANI | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 8/17/2009 4:29:15 PM | Computer Name = DOSSANI | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 8/17/2009 4:29:15 PM | Computer Name = DOSSANI | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 8/17/2009 4:29:15 PM | Computer Name = DOSSANI | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 8/17/2009 4:29:15 PM | Computer Name = DOSSANI | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 8/17/2009 4:59:22 PM | Computer Name = DOSSANI | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 8/17/2009 4:59:22 PM | Computer Name = DOSSANI | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 8/17/2009 4:59:48 PM | Computer Name = DOSSANI | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: A connection with the server could not be established

Error - 8/17/2009 4:59:48 PM | Computer Name = DOSSANI | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 8/17/2009 4:59:49 PM | Computer Name = DOSSANI | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 8/17/2009 4:58:19 PM | Computer Name = DOSSANI | Source = Service Control Manager | ID = 7034
Description = The Viewpoint Manager Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 8/17/2009 4:58:19 PM | Computer Name = DOSSANI | Source = Service Control Manager | ID = 7034
Description = The EPSON Printer Status Agent2 service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/17/2009 4:58:19 PM | Computer Name = DOSSANI | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 8/17/2009 4:58:19 PM | Computer Name = DOSSANI | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

Error - 8/17/2009 4:58:19 PM | Computer Name = DOSSANI | Source = Service Control Manager | ID = 7031
Description = The McAfee Real-time Scanner service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 8/17/2009 4:58:19 PM | Computer Name = DOSSANI | Source = Service Control Manager | ID = 7031
Description = The McAfee SystemGuards service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 8/17/2009 4:58:19 PM | Computer Name = DOSSANI | Source = Service Control Manager | ID = 7031
Description = The McAfee Personal Firewall Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Run the configured recovery program.

Error - 8/17/2009 4:58:19 PM | Computer Name = DOSSANI | Source = Service Control Manager | ID = 7031
Description = The McAfee Network Agent service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 8/17/2009 4:58:19 PM | Computer Name = DOSSANI | Source = Service Control Manager | ID = 7031
Description = The McAfee Services service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 8/17/2009 5:01:33 PM | Computer Name = DOSSANI | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3


< End of report >

ROOT REPEAL LOG:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/17 16:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF55D3000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A45000 Size: 8192 File Visible: No Signed: -
Status: -

Name: ESQULwsrfqjwbmkjoupquxduyuwfpcbnykspy.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULwsrfqjwbmkjoupquxduyuwfpcbnykspy.sys
Address: 0xF587E000 Size: 192512 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rtrpeal.sys
Image Path: C:\WINDOWS\system32\drivers\rtrpeal.sys
Address: 0xF011C000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf73d7514

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf73c6282

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf73c6474

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf73d7d00

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf73d7fb8

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf73d63fa

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf73d8422

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf73d77d8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf73c5f32

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULwsrfqjwbmkjoupquxduyuwfpcbnykspy.sys

==EOF==

#2 Carina

  • Group: Member
  • Posts: 623
  • Joined: 19-November 08

Posted 17 August 2009 - 09:09 PM

Hi ADLoc, welcome to G2G Malware Removal Forum!

My name is Summerpb and I am here to help you.

I am still a trainee so all my posts will be checked by an Expert. It's your advantage that there are two people looking at your log but responses may be a little delayed so please be patient.

Some points you need to remember while we clean your computer:
  • Please do not run any other tools unless I ask you to.

  • Perform all instructions in the same order as posted. If you need clarification please don't hesitate to ask before you proceed.

  • Print or save my responses as there will be times when you will not be able to access them.

  • Please continue to follow my instructions until I tell you your machine looks clean, because even if your computer seems better after a few runs it does not mean we are done.

  • Make sure you subscribe to this topic so you get notified when I respond. This will facilitate the cleaning of your machine and at the same time will ensure that you don't miss any instruction.

I am currently reviewing your logs and I will get back to you shortly.


Summerpb :)

#3 Carina

  • Group: Member
  • Posts: 623
  • Joined: 19-November 08

Posted 18 August 2009 - 02:36 AM

Hi ADLoc,

Please carefully follow the instructions below:

1. Disable Antispyware Programs

I noticed that your machine is running with 2 anti-spyware programs. This may cause conflicts and prevent them from working properly, so I suggest that you allow only one anti-spyware program to run at a time.

Just right click on the System Tray icon then choose Disable antivirus and antispyware protection.
If you are having difficulty disabling your protective programs please refer here.

2. Root Repeal Wipe File

A.
  • Double click on Rootrepeal.exe
  • Click on Drivers tab
  • Then, click on Scan button.
  • Right click on this image path:
    C:\WINDOWS\system32\drivers\ESQULwsrfqjwbmkjoupquxduyuwfpcbnykspy.sys
  • Choose wipe file


B.
  • Double click on Rootrepeal.exe
  • Click on Hidden Services tab
  • Then, click on Scan button.
  • Right click on this image path:
    C:\WINDOWS\system32\drivers\ESQULwsrfqjwbmkjoupquxduyuwfpcbnykspy.sys
  • Choose wipe file


Please reboot your computer

3. Combofix
Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: ComboFix message]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

4. MBAM

Let's see if MBAM will work this time. Delete your previous copy, then follow the instructions below.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please post ComboFix.txt, MBAM log and a fresh OTL scan log.

Summerpb :)

#4 ADLoc

  • Group: Member
  • Posts: 34
  • Joined: 17-August 09

Posted 18 August 2009 - 08:56 AM

Firstly, I would like to thank you for your diligent reply. Here are the logs.

OTL Log:

OTL logfile created on: 8/18/2009 9:46:31 AM - Run 2
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.23 Mb Total Physical Memory | 230.18 Mb Available Physical Memory | 51.47% Memory free
1.03 Gb Paging File | 0.77 Gb Available in Paging File | 74.50% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 189.92 Gb Total Space | 164.72 Gb Free Space | 86.73% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DOSSANI
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/07/20 11:05:27 | 00,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\System32\VTTimer.exe
PRC - [2008/07/20 11:05:27 | 00,147,456 | ---- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\System32\VTtrayp.exe
PRC - [2007/11/01 18:12:38 | 00,582,992 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/07/25 05:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/03/18 14:50:54 | 00,984,616 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
PRC - [2009/01/18 18:38:36 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/03/18 14:50:54 | 00,984,616 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
PRC - [2002/01/29 13:33:14 | 00,077,824 | ---- | M] () -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
PRC - [2002/07/17 02:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
PRC - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/01/09 15:50:22 | 00,767,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2008/01/25 01:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2007/08/15 12:36:04 | 00,359,248 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2007/07/24 12:02:14 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\McShield.exe
PRC - [2007/07/18 12:54:42 | 00,856,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe
PRC - [2009/06/24 13:26:02 | 00,604,416 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TUProgSt.exe
PRC - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2008/04/13 19:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2007/11/01 18:12:38 | 00,265,040 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcuimgr.exe
PRC - [2009/08/17 16:18:55 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OhTeeEl.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2002/01/29 13:33:14 | 00,077,824 | ---- | M] () -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe -- (EpsonBidirectionalService [Auto | Running])
SRV - [2002/07/17 02:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2 [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/04/24 16:01:34 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/01/09 15:50:22 | 00,767,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2008/01/25 01:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
SRV - [2007/11/07 09:35:40 | 00,378,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
SRV - [2007/08/15 12:36:04 | 00,359,248 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
SRV - [2007/07/24 12:02:14 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\McShield.exe -- (McShield [Unknown | Running])
SRV - [2007/12/05 10:04:10 | 00,695,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [Disabled | Stopped])
SRV - [2007/07/18 12:54:42 | 00,856,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2009/02/17 11:59:00 | 02,794,234 | ---- | M] (INCA Internet Co., Ltd.) -- C:\WINDOWS\System32\GameMon.des -- (npggsvc [On_Demand | Stopped])
SRV - File not found -- -- (npkcmsvc [Auto | Stopped])
SRV - [2009/06/24 13:25:57 | 00,361,216 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TuneUpDefragService.exe -- (TuneUp.Defrag [On_Demand | Stopped])
SRV - [2009/06/24 13:26:02 | 00,604,416 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc [Auto | Running])
SRV - [2009/04/27 14:21:36 | 00,028,928 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\uxtuneup.dll -- (UxTuneUp [Auto | Running])
SRV - [2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:3.5.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11
FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query="


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/24 07:36:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/04/23 18:38:38 | 00,000,000 | ---D | M]

[2009/04/30 06:49:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Extensions
[2009/04/30 06:49:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/04/23 18:41:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Extensions\mozswing@mozswing.org
[2009/07/14 12:27:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\5wad0x6y.default\extensions
[2009/06/24 07:53:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\5wad0x6y.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/07/10 18:44:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\5wad0x6y.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2009/07/13 13:11:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\5wad0x6y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/05/24 21:04:24 | 00,004,207 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Mozilla\FireFox\Profiles\5wad0x6y.default\searchplugins\aim-search.xml
[2009/07/17 11:35:16 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/09 18:28:29 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/05/21 11:33:58 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2008/09/26 11:40:34 | 00,053,248 | ---- | M] (AOL LLC) -- C:\Program Files\mozilla firefox\plugins\npdnu.dll
[2009/05/18 18:58:53 | 00,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\mozilla firefox\plugins\npPandoWebInst.dll
[2007/04/16 12:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] C:\WINDOWS\System32\VTtrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKCU..\Run: [Desktop Software] C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [Universal Installer] C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe (SupportSoft, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplane...C_2.3.7.109.cab (Reg Error: Key error.)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} http://disteng.nefficient.com/disteng/neff...ffyLauncher.cab (NeffyLauncherCtl Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/20 10:00:26 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: UxTuneUp - C:\WINDOWS\System32\uxtuneup.dll (TuneUp Software)
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/08/18 08:31:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Malwarebytes
[2009/08/18 08:31:07 | 00,000,701 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/18 08:31:05 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/18 08:31:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/18 08:31:03 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/18 08:31:03 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti--Malware
[2009/08/18 08:23:34 | 03,942,080 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\user\Desktop\mbam--setup.exe
[2009/08/18 08:06:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache\cache
[2009/08/18 07:56:29 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/08/18 07:56:25 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/08/18 07:56:23 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/08/18 07:52:05 | 00,216,064 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/08/18 07:52:05 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/08/18 07:52:05 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/08/18 07:52:05 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/08/18 07:52:05 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/08/18 07:52:05 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/08/18 07:52:05 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/08/18 07:52:05 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/08/18 07:51:55 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/08/18 07:51:38 | 03,124,187 | R--- | C] () -- C:\Documents and Settings\user\Desktop\Combo-Fix.exe
[2009/08/18 07:29:19 | 00,000,692 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to SysRestorePoint.lnk
[2009/08/18 07:29:13 | 00,000,626 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to TFC.lnk
[2009/08/18 07:29:04 | 00,000,650 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to RtRpeal.lnk
[2009/08/17 16:18:54 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OhTeeEl.exe
[2009/08/17 16:12:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/08/17 16:12:11 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\user\Desktop\NTREGOPT.lnk
[2009/08/17 16:12:11 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2009/08/17 16:12:11 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/08/17 14:36:37 | 00,000,701 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Gunz.lnk
[2009/08/17 14:35:48 | 00,001,819 | ---- | C] () -- C:\Documents and Settings\user\Desktop\i j j i.lnk
[2009/08/17 14:35:43 | 00,000,000 | ---D | C] -- C:\ijji
[2009/08/17 14:34:48 | 00,157,144 | ---- | C] (NHN Corporation) -- C:\WINDOWS\System32\PubPlugin.dll
[2009/08/17 14:34:48 | 00,058,800 | ---- | C] (NHN USA Corp.) -- C:\WINDOWS\System32\ijjiPlugin2.dll
[2009/08/17 14:34:48 | 00,000,000 | ---D | C] -- C:\Temp
[2009/08/17 14:34:47 | 00,710,064 | ---- | C] (NHN USA) -- C:\WINDOWS\System32\ijjiSetup.exe
[2009/08/17 14:34:47 | 00,058,800 | ---- | C] (NHN USA Inc.) -- C:\WINDOWS\System32\ijjiProcessRestarter.exe
[2009/08/17 14:34:47 | 00,000,000 | ---D | C] -- C:\Program Files\NHN USA
[2009/08/14 17:21:32 | 00,000,227 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Throw Me That Pack.mp3
[2009/08/13 22:21:49 | 06,784,719 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Fergie - London Bridge.mp3
[2009/08/13 17:35:42 | 07,891,405 | ---- | C] () -- C:\Documents and Settings\user\Desktop\2pac - Gangsta Party.mp3
[2009/08/13 17:30:38 | 08,974,286 | ---- | C] () -- C:\Documents and Settings\user\Desktop\snoop - gin and juice.mp3
[2009/08/13 15:19:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\My Documents\My Received Files
[2009/08/13 14:23:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\My Documents\GTA San Andreas User Files
[2009/08/13 11:42:48 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

========== Files - Modified Within 14 Days ==========

[2009/08/18 09:39:09 | 00,000,484 | ---- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[2009/08/18 09:39:07 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/18 09:38:38 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/18 09:38:35 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/18 09:37:28 | 00,018,229 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/08/18 09:37:17 | 04,805,436 | -H-- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\IconCache.db
[2009/08/18 08:51:03 | 00,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003UA.job
[2009/08/18 08:31:07 | 00,000,701 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/18 08:24:50 | 03,942,080 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\user\Desktop\mbam--setup.exe
[2009/08/18 08:05:00 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/18 08:04:07 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/08/18 07:56:29 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/08/18 07:51:38 | 03,124,187 | R--- | M] () -- C:\Documents and Settings\user\Desktop\Combo-Fix.exe
[2009/08/18 07:29:19 | 00,000,692 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to SysRestorePoint.lnk
[2009/08/18 07:29:13 | 00,000,626 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to TFC.lnk
[2009/08/18 07:29:04 | 00,000,650 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to RtRpeal.lnk
[2009/08/17 16:51:02 | 00,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003Core.job
[2009/08/17 16:18:55 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OhTeeEl.exe
[2009/08/17 16:12:11 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\user\Desktop\NTREGOPT.lnk
[2009/08/17 16:12:11 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2009/08/17 14:40:39 | 00,000,031 | ---- | M] () -- C:\WINDOWS\GunzLauncher.INI
[2009/08/17 14:37:14 | 00,001,819 | ---- | M] () -- C:\Documents and Settings\user\Desktop\i j j i.lnk
[2009/08/17 14:36:37 | 00,000,701 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Gunz.lnk
[2009/08/15 12:23:41 | 06,784,719 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Fergie - London Bridge.mp3
[2009/08/14 17:21:32 | 00,000,227 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Throw Me That Pack.mp3
[2009/08/13 17:36:07 | 07,891,405 | ---- | M] () -- C:\Documents and Settings\user\Desktop\2pac - Gangsta Party.mp3
[2009/08/13 17:31:06 | 08,974,286 | ---- | M] () -- C:\Documents and Settings\user\Desktop\snoop - gin and juice.mp3
[2009/08/13 11:42:48 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/08/13 10:52:13 | 00,002,277 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Google Chrome.lnk
[2009/08/13 10:17:33 | 00,016,896 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/08 12:10:14 | 00,216,064 | ---- | M] () -- C:\WINDOWS\PEV.exe

========== LOP Check ==========

[2009/08/18 08:31:04 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/06/24 13:24:24 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
[2008/09/13 15:10:24 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{F481FC18-57D5-4479-B2FB-083BFF223F8F}
[2009/07/04 09:19:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/03/29 20:02:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AMV Converter Studio
[2009/05/10 18:38:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU
[2009/07/10 19:42:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DFX
[2009/07/30 17:50:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
[2009/05/22 18:01:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2009/08/18 07:28:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/11/27 13:57:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trymedia
[2009/06/24 13:25:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2009/07/04 09:20:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/08/18 08:31:09 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\user\Application Data
[2009/07/04 09:25:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\acccore
[2009/05/10 18:38:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\AVS4YOU
[2009/05/06 23:18:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Axara
[2009/06/23 16:35:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Bioshock
[2009/02/10 19:15:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\EPSON
[2009/01/28 18:24:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\fizzy
[2009/05/11 17:22:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\FMZilla
[2009/07/07 08:50:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\GetRightToGo
[2009/07/05 08:30:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Graboid Inc
[2009/05/10 18:29:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\GrabPro
[2008/09/13 15:09:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\IGN_DLM
[2009/08/17 14:37:00 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\user\Application Data\ijjigame
[2008/08/12 20:18:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\ImTOO Software Studio
[2009/04/23 18:47:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\LimeWire
[2009/02/17 07:41:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Nexon
[2008/08/13 08:48:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\NPLUTO Corporation
[2009/05/10 18:37:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Orbit
[2009/06/17 09:42:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Sahmon Games
[2009/03/24 19:53:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\TeamViewer
[2009/06/24 13:25:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\TuneUp Software
[2009/04/29 21:29:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Ventrilo
[2009/08/18 09:39:09 | 00,000,484 | ---- | M] () -- C:\WINDOWS\Tasks\1-Click Maintenance.job
[2004/08/04 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/08/17 16:51:02 | 00,000,922 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003Core.job
[2009/08/18 08:51:03 | 00,000,974 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003UA.job
[2009/06/24 10:21:49 | 00,000,338 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/06/24 10:21:48 | 00,000,330 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2009/08/18 09:38:38 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

========== Alternate Data Streams ==========

@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:90EF0C9C
< End of report >

MBAM-LOG:

Malwarebytes' Anti-Malware 1.40
Database version: 2648
Windows 5.1.2600 Service Pack 3

8/18/2009 9:37:03 AM
mbam-log-2009-08-18 (09-37-03).txt

Scan type: Quick Scan
Objects scanned: 94480
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Adware Professional (Rogue.AdwareProfessional) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\list.txt (Malware.Trace) -> Quarantined and deleted successfully.

ComboFix Log:

ComboFix 09-08-10.06 - user 08/18/2009 7:57.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.191 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\.#
c:\documents and settings\user\Application Data\.#\MBX@160@3941A0.###
c:\documents and settings\user\Application Data\.#\MBX@160@3941D0.###
c:\documents and settings\user\Application Data\.#\MBX@160@394200.###
c:\documents and settings\user\Application Data\.#\MBX@87C@394210.###
c:\documents and settings\user\Application Data\.#\MBX@87C@394240.###
c:\documents and settings\user\Application Data\.#\MBX@87C@394270.###
c:\documents and settings\user\Application Data\.#\MBX@8AC@3941A0.###
c:\documents and settings\user\Application Data\.#\MBX@8AC@3941D0.###
c:\documents and settings\user\Application Data\.#\MBX@8AC@394200.###
c:\documents and settings\user\Application Data\.#\MBX@C14@3941A0.###
c:\documents and settings\user\Application Data\.#\MBX@C14@3941D0.###
c:\documents and settings\user\Application Data\.#\MBX@C14@394200.###
c:\documents and settings\user\Application Data\.#\MBX@E74@3941A0.###
c:\documents and settings\user\Application Data\.#\MBX@E74@3941D0.###
c:\documents and settings\user\Application Data\.#\MBX@E74@394200.###
c:\windows\system32\drivers\ESQULwsrfqjwbmkjoupquxduyuwfpcbnykspy.sys
c:\windows\system32\ESQULixxerxrsmntalqysooylvfvbibiciwso.dll
c:\windows\system32\ESQULpuxnopponmbojivbuaofgqpmyicvhpyb.dll
c:\windows\system32\ESQULzcounter
c:\windows\system32\winio.vxd

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ESQULserv.sys
-------\Legacy_OREANS32
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-17 21:12 . 2009-08-17 21:12 -------- d-----w- c:\program files\ERUNT
2009-08-17 19:37 . 2009-08-17 19:35 480688 ----a-w- c:\documents and settings\user\Application Data\ijjigame\ijjistarter2.exe
2009-08-17 19:35 . 2009-08-17 19:35 -------- d-----w- C:\ijji
2009-08-17 19:34 . 2009-08-17 19:34 -------- d-----w- C:\Temp
2009-08-17 19:34 . 2009-05-20 06:49 83376 ----a-w- c:\temp\npijjiautoinstallpluginff.dll
2009-08-17 19:34 . 2009-01-28 19:47 157144 ----a-w- c:\windows\system32\PubPlugin.dll
2009-08-17 19:34 . 2008-06-12 04:01 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2009-08-17 19:34 . 2009-08-17 19:34 -------- d-----w- c:\program files\NHN USA
2009-08-17 19:34 . 2009-05-26 22:31 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-08-17 19:34 . 2009-05-13 01:48 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-08-13 15:54 . 2009-08-13 15:54 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-07-30 22:50 . 2009-07-30 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-07-30 22:48 . 2009-07-30 22:48 -------- d-----w- c:\program files\Messenger Plus! Live
2009-07-30 12:50 . 2009-07-30 12:51 -------- d-----w- c:\program files\Nsauditor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 12:28 . 2008-09-01 23:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-18 12:25 . 2009-07-17 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-17 19:37 . 2008-08-13 12:51 -------- d--h--w- c:\documents and settings\user\Application Data\ijjigame
2009-08-17 19:34 . 2008-07-20 16:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-14 18:31 . 2009-01-27 01:15 -------- d-----w- c:\program files\Cheat Engine
2009-08-13 15:55 . 2009-04-23 23:38 -------- d-----w- c:\program files\Java
2009-07-25 10:23 . 2009-04-23 23:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 22:12 . 2009-04-18 21:37 -------- d-----w- c:\program files\Windows Live Safety Center
2009-07-15 19:57 . 2009-07-15 19:57 -------- d-----w- c:\documents and settings\user\Application Data\DivX
2009-07-11 13:00 . 2009-06-24 18:24 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-07-11 00:55 . 2009-07-11 00:54 -------- d-----w- c:\program files\DFX
2009-07-11 00:42 . 2009-07-11 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\DFX
2009-07-11 00:41 . 2009-07-11 00:41 -------- d-----w- c:\program files\Common Files\DFX
2009-07-07 14:21 . 2009-07-07 14:21 -------- d-----w- c:\program files\Joymax
2009-07-07 13:50 . 2009-05-07 04:17 -------- d-----w- c:\documents and settings\user\Application Data\GetRightToGo
2009-07-05 13:30 . 2009-07-05 13:30 -------- d-----w- c:\documents and settings\user\Application Data\Graboid Inc
2009-07-04 14:25 . 2009-07-04 14:25 -------- d-----w- c:\documents and settings\user\Application Data\acccore
2009-07-04 14:24 . 2009-07-04 14:13 -------- d-----w- c:\program files\AIM6
2009-07-04 14:20 . 2009-05-25 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-04 14:19 . 2009-07-04 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-07-04 14:14 . 2009-05-25 02:03 -------- d-----w- c:\program files\Common Files\AOL
2009-07-01 15:17 . 2009-07-01 14:51 -------- d-----w- c:\documents and settings\user\Application Data\MozillaControl
2009-06-26 18:19 . 2009-06-25 23:23 -------- d-----w- c:\program files\XAimer
2009-06-24 21:01 . 2009-06-24 15:21 -------- d-----w- c:\program files\McAfee
2009-06-24 18:26 . 2009-06-24 18:26 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-06-24 18:25 . 2009-06-24 18:25 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-06-24 18:25 . 2009-06-24 18:25 -------- d-----w- c:\documents and settings\user\Application Data\TuneUp Software
2009-06-24 18:25 . 2009-06-24 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-06-24 18:24 . 2009-06-24 18:24 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-06-24 15:29 . 2008-09-11 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-24 15:22 . 2009-06-24 15:21 -------- d-----w- c:\program files\Common Files\McAfee
2009-06-24 15:21 . 2009-06-24 15:21 -------- d-----w- c:\program files\McAfee.com
2009-06-24 14:05 . 2009-06-24 14:05 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-24 14:04 . 2009-06-23 21:18 17901 --sha-w- c:\windows\system32\klog.dat
2009-06-24 13:43 . 2009-06-24 13:43 63133474 ----a-w- C:\SYM_REGISTRY_BACKUP.reg
2009-06-23 21:35 . 2009-06-23 21:31 -------- d-----w- c:\documents and settings\user\Application Data\Bioshock
2009-06-23 21:31 . 2009-06-23 21:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-23 21:20 . 2009-06-23 21:17 -------- d-----w- c:\program files\CyberLeadingCorp
2009-06-19 00:21 . 2009-06-19 00:20 20481 ----a-w- c:\windows\system32\SystemsHook.dll
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-09 23:27 . 2009-06-09 23:27 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-08-19 23:40 . 2008-08-19 23:39 1817684 ----a-w- c:\program files\get_video.mp3
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Universal Installer"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-18 39408]
"Desktop Software"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]
"Google Update"="c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2008-07-20 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2008-07-20 147456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"EPSON Stylus CX5200"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
"RaidTool"=c:\program files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56853:TCP"= 56853:TCP:Pando Media Booster
"56853:UDP"= 56853:UDP:Pando Media Booster
"56980:TCP"= 56980:TCP:Pando Media Booster
"56980:UDP"= 56980:UDP:Pando Media Booster

R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [6/24/2009 1:26 PM 604416]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/24/2009 9:03 PM 24652]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\user\Desktop\RohanBotEn1.0.23b\NtProcDrv.sys --> c:\documents and settings\user\Desktop\RohanBotEn1.0.23b\NtProcDrv.sys [?]
S3 Revolution1;Revolution1;\??\c:\docume~1\user\LOCALS~1\Temp\Rar$EX00.110\SHAK3.sys --> c:\docume~1\user\LOCALS~1\Temp\Rar$EX00.110\SHAK3.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva201;XDva201;\??\c:\windows\system32\XDva201.sys --> c:\windows\system32\XDva201.sys [?]
S3 XDva212;XDva212;\??\c:\windows\system32\XDva212.sys --> c:\windows\system32\XDva212.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8833F56C-6BB1-4C63-7AEA-59A008D878D3}]
c:\windows\system32\svhost.exe s
.
Contents of the 'Scheduled Tasks' folder

2009-08-18 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 20:37]

2009-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-17 21:46]

2009-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-17 21:46]

2009-06-24 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 18:32]

2009-06-24 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 18:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 08:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-08-18 8:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 13:07

Pre-Run: 176,951,332,864 bytes free
Post-Run: 176,884,727,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

226 --- E O F --- 2009-07-15 15:35

Thank you for your time in advance.

#5 Carina

  • Group: Member
  • Posts: 623
  • Joined: 19-November 08

Posted 19 August 2009 - 09:15 AM

Hi ADLoc,


Let's remove some malicious files revealed by the logs. :) Please carefully follow the instructions below:

1. Combofix Script

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\svhost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\windows\system32\SystemsHook.dll
C:\windows\system32\GameMon.des 

Folder::
C:\documents and settings\All Users\Application Data\Viewpoint

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8833F56C-6BB1-4C63-7AEA-59A008D878D3}]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

Driver::
Viewpoint Manager Service
Revolution1
npggsvc

ADS::
C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
C:\Documents and Settings\All Users\Application Data\TEMP:90EF0C9C


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



2. JAVA Update

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 16.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u15-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u15-windows-i586.exe and select "Run as an Administrator.")




3. Kaspersky On-line Scan

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    Posted Image


  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.



4. VirScan

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • c:\windows\system32\PubPlugin.dll
      c:\windows\system32\ijjiPlugin2.dll
      c:\windows\system32\klog.dat


  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



Please post combofix.txt, KasReport.txt, Virscan result and a fresh OTL scan log.


Summer :)


#6 ADLoc

  • Group: Member
  • Posts: 34
  • Joined: 17-August 09

Posted 22 August 2009 - 11:48 AM

Thank you for your quick response. The reason it has taken me so long to complete the instructions is because of the Kaspersky. It keeps freezing at random intervals; though it did finish one time, I accidentally saved it as a web page file instead of a txt. It shows 2 threats and 5 objects found and I have the locations. So would it be okay if I gave you the locations?

#7 Carina

  • Group: Member
  • Posts: 623
  • Joined: 19-November 08

Posted 23 August 2009 - 08:12 AM

Hi ADLoc,

Please post the link to the Kaspersky log report or just copy and paste its content here. Also, can you please post the log created by ComboFix when you ran the ComboFix script and the result of the files I asked you to upload to VirScan?

Thanks,

Summer :)

#8 ADLoc

  • Group: Member
  • Posts: 34
  • Joined: 17-August 09

Posted 23 August 2009 - 09:48 AM

file:///C:/Documents%20and%20Settings/user/Desktop/KasperSky.html

is the link to the Kaspersky scan; I also attached it.

This is the VirScan:


VirSCAN.org Scanned Report :
Scanned time : 2009/08/23 09:56:58 (CDT)
Scanner results: All Scanners reported not find malware!
File Name : PubPlugin.dll
File Size : 158952 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 78a8a43f6c7e47b6edd1aeed938fed8a
SHA1 : 9f321e60473e2d2f47e97aafea53edbf5bfc698d
Online report : http://virscan.org/report/4ac129b1edd60ba9...31e3c6c91b.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20090822190221 2009-08-22 0.41 -
AhnLab V3 2009.08.22.00 2009.08.22 2009-08-22 0.99 -
AntiVir 8.2.1.3 7.1.5.149 2009-08-21 0.21 -
Antiy 2.0.18 20090823.2728168 2009-08-23 0.17 -
Arcavir 2009 200908221920 2009-08-22 0.16 -
Authentium 5.1.1 200908221121 2009-08-22 2.05 -
AVAST! 4.7.4 090822-0 2009-08-22 0.01 -
AVG 8.5.288 270.13.64/2321 2009-08-23 2.78 -
BitDefender 7.81008.3912175 7.27302 2009-08-23 3.64 -
CA (VET) 9.0.0.143 31.6.6693 2009-08-21 13.56 -
ClamAV 0.95.2 9727 2009-08-22 0.04 -
Comodo 3.10 2070 2009-08-23 1.29 -
CP Secure 1.1.0.715 2009.08.23 2009-08-23 13.13 -
Dr.Web 4.44.0.9170 2009.08.23 2009-08-23 6.12 -
F-Prot 4.4.4.56 20090822 2009-08-22 1.88 -
F-Secure 7.02.73807 2009.08.22.01 2009-08-22 0.13 -
Fortinet 2.81-3.120 10.747 2009-08-22 0.28 -
GData 19.7328/19.448 20090823 2009-08-23 5.18 -
ViRobot 20090822 2009.08.22 2009-08-22 0.88 -
Ikarus T3.1.01.68 2009.08.23.73338 2009-08-23 3.63 -
JiangMin 11.0.800 2009.08.23 2009-08-23 8.61 -
Kaspersky 5.5.10 2009.08.23 2009-08-23 0.09 -
KingSoft 2009.2.5.15 2009.8.23.21 2009-08-23 0.53 -
McAfee 5.3.00 5717 2009-08-22 3.10 -
Microsoft 1.4903 2009.08.22 2009-08-22 6.23 -
Norman 6.01.09 6.01.00 2009-08-21 2.00 -
Panda 9.05.01 2009.08.22 2009-08-22 1.19 -
Trend Micro 8.700-1004 6.388.08 2009-08-23 0.03 -
Quick Heal 10.00 2009.08.22 2009-08-22 1.35 -
Rising 20.0 21.43.44.00 2009-08-21 0.88 -
Sophos 2.89.1 4.44 2009-08-23 3.34 -
Sunbelt 5350 5350 2009-08-22 2.10 -
Symantec 1.3.0.24 20090822.004 2009-08-22 0.05 -
nProtect 20090823.01 5121977 2009-08-23 6.66 -
The Hacker 6.3.4.3 v00386 2009-08-22 0.79 -
VBA32 3.12.10.9 20090822.1502 2009-08-22 2.17 -
VirusBuster 4.5.11.10 10.112.13/1801372 2009-08-22 2.38 -

VirSCAN.org Scanned Report :
Scanned time : 2009/08/23 10:00:09 (CDT)
Scanner results: All Scanners reported not find malware!
File Name : ijjiPlugin2.dll
File Size : 58800 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : c9e022659ab6aa3573753bfe2df7652b
SHA1 : a6c33914a2c0edc853e8a1b89bd1c20a3bee84c7
Online report : http://virscan.org/report/ef9157472bb05c3f...78a0d4498b.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20090822190221 2009-08-22 0.40 -
AhnLab V3 2009.08.22.00 2009.08.22 2009-08-22 0.84 -
AntiVir 8.2.1.3 7.1.5.149 2009-08-21 0.17 -
Antiy 2.0.18 20090823.2728168 2009-08-23 0.12 -
Arcavir 2009 200908221920 2009-08-22 0.05 -
Authentium 5.1.1 200908221121 2009-08-22 1.25 -
AVAST! 4.7.4 090822-0 2009-08-22 0.01 -
AVG 8.5.288 270.13.64/2321 2009-08-23 0.35 -
BitDefender 7.81008.3912175 7.27302 2009-08-23 3.35 -
CA (VET) 9.0.0.143 31.6.6693 2009-08-21 6.80 -
ClamAV 0.95.2 9727 2009-08-22 0.02 -
Comodo 3.10 2070 2009-08-23 0.71 -
CP Secure 1.1.0.715 2009.08.23 2009-08-23 12.36 -
Dr.Web 4.44.0.9170 2009.08.23 2009-08-23 5.21 -
F-Prot 4.4.4.56 20090822 2009-08-22 1.21 -
F-Secure 7.02.73807 2009.08.22.01 2009-08-22 0.11 -
Fortinet 2.81-3.120 10.747 2009-08-22 0.33 -
GData 19.7328/19.448 20090823 2009-08-23 3.96 -
ViRobot 20090822 2009.08.22 2009-08-22 0.80 -
Ikarus T3.1.01.68 2009.08.23.73338 2009-08-23 3.60 -
JiangMin 11.0.800 2009.08.23 2009-08-23 3.73 -
Kaspersky 5.5.10 2009.08.23 2009-08-23 0.09 -
KingSoft 2009.2.5.15 2009.8.23.21 2009-08-23 0.59 -
McAfee 5.3.00 5717 2009-08-22 3.32 -
Microsoft 1.4903 2009.08.22 2009-08-22 6.37 -
Norman 6.01.09 6.01.00 2009-08-21 4.01 -
Panda 9.05.01 2009.08.22 2009-08-22 4.10 -
Trend Micro 8.700-1004 6.388.08 2009-08-23 0.03 -
Quick Heal 10.00 2009.08.22 2009-08-22 2.93 -
Rising 20.0 21.43.44.00 2009-08-21 1.14 -
Sophos 2.89.1 4.44 2009-08-23 3.82 -
Sunbelt 5350 5350 2009-08-22 1.55 -
Symantec 1.3.0.24 20090822.004 2009-08-22 0.05 -
nProtect 20090823.01 5121977 2009-08-23 6.80 -
The Hacker 6.3.4.3 v00386 2009-08-22 0.82 -
VBA32 3.12.10.9 20090822.1502 2009-08-22 1.92 -
VirusBuster 4.5.11.10 10.112.13/1801372 2009-08-22 2.39 -

VirSCAN.org Scanned Report :
Scanned time : 2009/08/23 10:27:33 (CDT)
Scanner results: All Scanners reported not find malware!
File Name : klog.dat
File Size : 17901 byte
File Type : Non-ISO extended-ASCII text, with very long lines, with NEL
MD5 : 08863b1623f346db3a40c98a86a400fa
SHA1 : 6b6c719a6d70b7d57cf9579e739f2cac1e5b7d98
Online report : http://virscan.org/report/3a9a7ba7dd3df17c...45e814395e.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20090822190221 2009-08-22 0.34 -
AhnLab V3 2009.08.22.00 2009.08.22 2009-08-22 0.81 -
AntiVir 8.2.1.3 7.1.5.149 2009-08-21 0.10 -
Antiy 2.0.18 20090823.2728168 2009-08-23 0.12 -
Arcavir 2009 200908221920 2009-08-22 0.02 -
Authentium 5.1.1 200908221121 2009-08-22 1.24 -
AVAST! 4.7.4 090822-0 2009-08-22 0.00 -
AVG 8.5.288 270.13.64/2321 2009-08-23 0.31 -
BitDefender 7.81008.3912196 7.27303 2009-08-23 3.36 -
CA (VET) 9.0.0.143 31.6.6693 2009-08-21 5.13 -
ClamAV 0.95.2 9727 2009-08-22 0.01 -
Comodo 3.10 2070 2009-08-23 0.70 -
CP Secure 1.1.0.715 2009.08.23 2009-08-23 12.21 -
Dr.Web 4.44.0.9170 2009.08.23 2009-08-23 5.18 -
F-Prot 4.4.4.56 20090822 2009-08-22 1.15 -
F-Secure 7.02.73807 2009.08.22.01 2009-08-22 7.86 -
Fortinet 2.81-3.120 10.747 2009-08-22 0.16 -
GData 19.7331/19.448 20090823 2009-08-23 4.63 -
ViRobot 20090822 2009.08.22 2009-08-22 0.43 -
Ikarus T3.1.01.68 2009.08.23.73338 2009-08-23 3.59 -
JiangMin 11.0.800 2009.08.23 2009-08-23 3.45 -
Kaspersky 5.5.10 2009.08.23 2009-08-23 0.03 -
KingSoft 2009.2.5.15 2009.8.23.21 2009-08-23 0.52 -
McAfee 5.3.00 5717 2009-08-22 3.07 -
Microsoft 1.4903 2009.08.22 2009-08-22 5.53 -
Norman 6.01.09 6.01.00 2009-08-21 4.01 -
Panda 9.05.01 2009.08.22 2009-08-22 0.47 -
Trend Micro 8.700-1004 6.388.11 2009-08-23 0.02 -
Quick Heal 10.00 2009.08.22 2009-08-22 1.10 -
Rising 20.0 21.43.44.00 2009-08-21 0.23 -
Sophos 2.89.1 4.44 2009-08-23 3.23 -
Sunbelt 5350 5350 2009-08-22 1.25 -
Symantec 1.3.0.24 20090823.003 2009-08-23 0.05 -
nProtect 20090823.01 5121977 2009-08-23 6.59 -
The Hacker 6.3.4.3 v00386 2009-08-22 0.85 -
VBA32 3.12.10.9 20090822.1502 2009-08-22 1.92 -
VirusBuster 4.5.11.10 10.112.13/1801372 2009-08-22 2.26 -

I also used the VirScan website to scan one of the files picked up by Kaspersky: C:\System Volume Information\_restore{76532ED2-A5F8-4ED6-AED9-BF80D1EEDDF0}\RP197\A0093698.exe Infected: Trojan.Win32.TDSS.aiyc

My virus scanner, McAfee, detected it at the same time and said it was blocked and removed.

I did not tamper with any of the others.

This is the OTL:

OTL logfile created on: 8/23/2009 12:01:41 PM - Run 3
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.23 Mb Total Physical Memory | 125.32 Mb Available Physical Memory | 28.02% Memory free
1.03 Gb Paging File | 0.55 Gb Available in Paging File | 52.93% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 189.92 Gb Total Space | 152.23 Gb Free Space | 80.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DOSSANI
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2008/07/20 11:05:27 | 00,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\System32\VTTimer.exe
PRC - [2008/07/20 11:05:27 | 00,147,456 | ---- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\System32\VTtrayp.exe
PRC - [2007/11/01 18:12:38 | 00,582,992 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/08/19 14:26:41 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/03/18 14:50:54 | 00,984,616 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
PRC - [2009/01/18 18:38:36 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/03/18 14:50:54 | 00,984,616 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
PRC - [2002/01/29 13:33:14 | 00,077,824 | ---- | M] () -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
PRC - [2002/07/17 02:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
PRC - [2009/08/19 14:26:41 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/01/09 15:50:22 | 00,767,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2008/01/25 01:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2007/08/15 12:36:04 | 00,359,248 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2007/07/24 12:02:14 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\McShield.exe
PRC - [2007/07/18 12:54:42 | 00,856,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe
PRC - [2009/06/24 13:26:02 | 00,604,416 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TUProgSt.exe
PRC - [2007/11/01 18:12:38 | 00,265,040 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcuimgr.exe
PRC - [2008/04/13 19:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/02/06 18:51:28 | 03,885,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
PRC - [2009/02/06 17:07:48 | 00,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2009/07/28 17:32:22 | 00,830,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/07/28 17:32:22 | 00,830,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/07/28 17:32:22 | 00,830,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/07/28 17:32:22 | 00,830,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2008/12/02 21:16:37 | 00,057,344 | ---- | M] () -- C:\Rohan_Global\Loader.exe
PRC - [2009/07/28 17:32:22 | 00,830,960 | ---- | M] (Google Inc.) -- C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/08/17 16:18:55 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OhTeeEl.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2002/01/29 13:33:14 | 00,077,824 | ---- | M] () -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe -- (EpsonBidirectionalService [Auto | Running])
SRV - [2002/07/17 02:03:00 | 00,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2 [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/04/24 16:01:34 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/08/19 14:26:41 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/01/09 15:50:22 | 00,767,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2008/01/25 01:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
SRV - [2007/11/07 09:35:40 | 00,378,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
SRV - [2007/08/15 12:36:04 | 00,359,248 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
SRV - [2007/07/24 12:02:14 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\McShield.exe -- (McShield [Unknown | Running])
SRV - [2007/12/05 10:04:10 | 00,695,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [Disabled | Stopped])
SRV - [2007/07/18 12:54:42 | 00,856,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - File not found -- Service key not found. -- (npggsvc [Unknown | Stopped])
SRV - File not found -- -- (npkcmsvc [Auto | Stopped])
SRV - [2009/06/24 13:25:57 | 00,361,216 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TuneUpDefragService.exe -- (TuneUp.Defrag [On_Demand | Stopped])
SRV - [2009/06/24 13:26:02 | 00,604,416 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\TUProgSt.exe -- (TuneUp.ProgramStatisticsSvc [Auto | Running])
SRV - [2009/04/27 14:21:36 | 00,028,928 | ---- | M] (TuneUp Software) -- C:\WINDOWS\System32\uxtuneup.dll -- (UxTuneUp [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {888d99e7-e8b5-46a3-851e-1ec45da1e644}:3.5.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.11
FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query="


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/24 07:36:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/08/19 14:26:42 | 00,000,000 | ---D | M]

[2009/04/30 06:49:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Extensions
[2009/04/30 06:49:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/04/23 18:41:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Extensions\mozswing@mozswing.org
[2009/07/14 12:27:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\5wad0x6y.default\extensions
[2009/06/24 07:53:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\5wad0x6y.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/07/10 18:44:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\5wad0x6y.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
[2009/07/13 13:11:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\5wad0x6y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/05/24 21:04:24 | 00,004,207 | ---- | M] () -- C:\Documents and Settings\user\Application Data\Mozilla\FireFox\Profiles\5wad0x6y.default\searchplugins\aim-search.xml
[2009/07/17 11:35:16 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/09 18:28:29 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/05/21 11:33:58 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2008/09/26 11:40:34 | 00,053,248 | ---- | M] (AOL LLC) -- C:\Program Files\mozilla firefox\plugins\npdnu.dll
[2009/05/18 18:58:53 | 00,239,432 | ---- | M] (Pando Networks) -- C:\Program Files\mozilla firefox\plugins\npPandoWebInst.dll
[2007/04/16 12:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] C:\WINDOWS\System32\VTtrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKCU..\Run: [Desktop Software] C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [Universal Installer] C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe (SupportSoft, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplane...C_2.3.7.109.cab (Reg Error: Key error.)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} http://disteng.nefficient.com/disteng/neff...ffyLauncher.cab (NeffyLauncherCtl Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 68.87.72.134 68.87.77.134
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/20 10:00:26 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/08/23 11:47:22 | 00,001,410 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Global RBF.lnk
[2009/08/23 11:41:12 | 00,000,000 | ---D | C] -- C:\Rohan_Global
[2009/08/23 11:11:12 | 19,466,94019 | ---- | C] () -- C:\Documents and Settings\user\Desktop\RohanBloodFeud_Global (1).exe
[2009/08/23 10:49:58 | 00,000,000 | --SD | C] -- C:\Combo-Fix
[2009/08/22 13:59:41 | 06,605,024 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Paralyzer [With Lyrics] - Finger Eleven.mp3
[2009/08/21 23:00:08 | 07,495,903 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Fort Minor - Where'd You Go w_ lyrics.mp3
[2009/08/21 17:07:57 | 00,003,887 | ---- | C] () -- C:\Documents and Settings\user\Desktop\KasperSky.html
[2009/08/21 10:59:31 | 00,000,000 | ---D | C] -- C:\Program Files\DANCE!ONLINE
[2009/08/21 09:47:16 | 81,141,7038 | ---- | C] () -- C:\Documents and Settings\user\Desktop\DANCE_setup.zip
[2009/08/20 20:22:26 | 09,498,857 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Jay Z - Run This Town ft Rihanna & Kanye West HQ.mp3
[2009/08/20 19:23:33 | 00,000,096 | -H-- | C] () -- C:\WINDOWS\System32\HsInfo.dat
[2009/08/20 19:13:29 | 00,000,000 | ---D | C] -- C:\Program Files\alaplaya
[2009/08/19 14:26:36 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/08/19 13:42:43 | 00,022,130 | ---- | C] () -- C:\WINDOWS\System32\wbers.dat.dmp
[2009/08/19 09:24:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\My Documents\Gunz
[2009/08/19 09:19:04 | 00,217,088 | ---- | C] (<YNK Interactive>) -- C:\WINDOWS\System32\uc_rohan_launching.dll
[2009/08/19 09:19:04 | 00,064,000 | ---- | C] (<NHN USA Inc>.) -- C:\WINDOWS\System32\uc_sfighters_launching.dll
[2009/08/19 09:19:04 | 00,061,440 | ---- | C] (<NHN USA Inc>.) -- C:\WINDOWS\System32\uc_atlantica_launching.dll
[2009/08/19 09:19:04 | 00,053,248 | ---- | C] (<NHN USA Inc>.) -- C:\WINDOWS\System32\uc_luminary_launching.dll
[2009/08/19 09:18:59 | 00,000,000 | ---D | C] -- C:\Program Files\ijji
[2009/08/19 09:17:50 | 00,087,472 | ---- | C] (<NHN USA Inc>.) -- C:\WINDOWS\System32\ijjiChannelingPlugin.dll
[2009/08/19 08:56:54 | 01,184,240 | ---- | C] (IObit ) -- C:\Documents and Settings\user\Desktop\gamebooster.exe
[2009/08/19 08:47:53 | 00,062,396 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Loltastic.rar
[2009/08/18 22:20:41 | 08,256,229 | ---- | C] () -- C:\Documents and Settings\user\Desktop\My Girl Got A Girlfriend - Tpain ft Fabolous.mp3
[2009/08/18 18:23:58 | 08,466,644 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Nas - I Know I Can [Lyrics].mp3
[2009/08/18 18:12:50 | 07,953,617 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Me & The Biz - Masta Ace.mp3
[2009/08/18 16:14:22 | 11,131,614 | ---- | C] () -- C:\Documents and Settings\user\Desktop\2Pac- They Don't Give A F__k 'bout Us.mp3
[2009/08/18 08:31:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Malwarebytes
[2009/08/18 08:31:07 | 00,000,701 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/18 08:31:05 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/18 08:31:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/18 08:31:03 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/18 08:31:03 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti--Malware
[2009/08/18 08:23:34 | 03,942,080 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\user\Desktop\mbam--setup.exe
[2009/08/18 08:06:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dllcache\cache
[2009/08/18 07:56:29 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/08/18 07:56:25 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/08/18 07:56:23 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/08/18 07:52:05 | 00,229,376 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/08/18 07:52:05 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/08/18 07:52:05 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/08/18 07:52:05 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/08/18 07:52:05 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/08/18 07:52:05 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/08/18 07:52:05 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/08/18 07:52:05 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/08/18 07:51:55 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/08/18 07:51:38 | 03,182,166 | R--- | C] () -- C:\Documents and Settings\user\Desktop\Combo-Fix.exe
[2009/08/18 07:29:19 | 00,000,692 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to SysRestorePoint.lnk
[2009/08/18 07:29:13 | 00,000,626 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to TFC.lnk
[2009/08/18 07:29:04 | 00,000,650 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Shortcut to RtRpeal.lnk
[2009/08/17 16:18:54 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OhTeeEl.exe
[2009/08/17 16:12:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/08/17 16:12:11 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\user\Desktop\NTREGOPT.lnk
[2009/08/17 16:12:11 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2009/08/17 16:12:11 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/08/17 14:36:37 | 00,001,784 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Gunz.lnk
[2009/08/17 14:35:43 | 00,000,000 | ---D | C] -- C:\ijji
[2009/08/17 14:34:48 | 00,158,952 | ---- | C] (NHN Corporation) -- C:\WINDOWS\System32\PubPlugin.dll
[2009/08/17 14:34:48 | 00,058,800 | ---- | C] (NHN USA Corp.) -- C:\WINDOWS\System32\ijjiPlugin2.dll
[2009/08/17 14:34:48 | 00,000,000 | ---D | C] -- C:\Temp
[2009/08/17 14:34:47 | 00,710,064 | ---- | C] (NHN USA) -- C:\WINDOWS\System32\ijjiSetup.exe
[2009/08/17 14:34:47 | 00,058,800 | ---- | C] (NHN USA Inc.) -- C:\WINDOWS\System32\ijjiProcessRestarter.exe
[2009/08/17 14:34:47 | 00,000,000 | ---D | C] -- C:\Program Files\NHN USA
[2009/08/13 17:35:42 | 07,891,405 | ---- | C] () -- C:\Documents and Settings\user\Desktop\2pac - Gangsta Party.mp3
[2009/08/13 17:30:38 | 08,974,286 | ---- | C] () -- C:\Documents and Settings\user\Desktop\snoop - gin and juice.mp3
[2009/08/13 15:19:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\My Documents\My Received Files
[2009/08/13 14:23:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\My Documents\GTA San Andreas User Files
[2009/08/13 11:42:48 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

========== Files - Modified Within 14 Days ==========

[2009/08/23 12:00:04 | 00,000,484 | ---- | M] () -- C:\WINDOWS\tasks\1-Click Maintenance.job
[2009/08/23 11:51:04 | 00,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003UA.job
[2009/08/23 11:47:23 | 00,001,410 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Global RBF.lnk
[2009/08/23 11:39:13 | 19,466,94019 | ---- | M] () -- C:\Documents and Settings\user\Desktop\RohanBloodFeud_Global (1).exe
[2009/08/23 10:59:46 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/23 10:57:43 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/08/23 10:49:35 | 03,182,166 | R--- | M] () -- C:\Documents and Settings\user\Desktop\Combo-Fix.exe
[2009/08/23 10:47:28 | 00,020,853 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/08/23 09:56:56 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/23 09:56:18 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/23 03:09:13 | 00,229,376 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/08/22 22:35:28 | 03,738,872 | -H-- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\IconCache.db
[2009/08/22 14:00:00 | 06,605,024 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Paralyzer [With Lyrics] - Finger Eleven.mp3
[2009/08/21 23:00:32 | 07,495,903 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Fort Minor - Where'd You Go w_ lyrics.mp3
[2009/08/21 17:07:57 | 00,003,887 | ---- | M] () -- C:\Documents and Settings\user\Desktop\KasperSky.html
[2009/08/21 16:51:00 | 00,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003Core.job
[2009/08/21 10:07:34 | 81,141,7038 | ---- | M] () -- C:\Documents and Settings\user\Desktop\DANCE_setup.zip
[2009/08/20 20:22:50 | 09,498,857 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Jay Z - Run This Town ft Rihanna & Kanye West HQ.mp3
[2009/08/20 19:23:34 | 00,000,096 | -H-- | M] () -- C:\WINDOWS\System32\HsInfo.dat
[2009/08/20 08:19:23 | 00,001,784 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Gunz.lnk
[2009/08/19 16:18:50 | 00,018,944 | ---- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/19 14:06:51 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/08/19 13:42:53 | 00,022,130 | ---- | M] () -- C:\WINDOWS\System32\wbers.dat.dmp
[2009/08/19 08:57:39 | 01,184,240 | ---- | M] (IObit ) -- C:\Documents and Settings\user\Desktop\gamebooster.exe
[2009/08/19 08:47:53 | 00,062,396 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Loltastic.rar
[2009/08/18 22:21:24 | 08,256,229 | ---- | M] () -- C:\Documents and Settings\user\Desktop\My Girl Got A Girlfriend - Tpain ft Fabolous.mp3
[2009/08/18 18:24:22 | 08,466,644 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Nas - I Know I Can [Lyrics].mp3
[2009/08/18 18:13:15 | 07,953,617 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Me & The Biz - Masta Ace.mp3
[2009/08/18 16:15:15 | 11,131,614 | ---- | M] () -- C:\Documents and Settings\user\Desktop\2Pac- They Don't Give A F__k 'bout Us.mp3
[2009/08/18 10:18:29 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/18 08:31:07 | 00,000,701 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/18 08:24:50 | 03,942,080 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\user\Desktop\mbam--setup.exe
[2009/08/18 07:56:29 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/08/18 07:29:19 | 00,000,692 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to SysRestorePoint.lnk
[2009/08/18 07:29:13 | 00,000,626 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to TFC.lnk
[2009/08/18 07:29:04 | 00,000,650 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Shortcut to RtRpeal.lnk
[2009/08/17 16:18:55 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OhTeeEl.exe
[2009/08/17 16:12:11 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\user\Desktop\NTREGOPT.lnk
[2009/08/17 16:12:11 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\user\Desktop\ERUNT.lnk
[2009/08/17 14:40:39 | 00,000,031 | ---- | M] () -- C:\WINDOWS\GunzLauncher.INI
[2009/08/17 07:48:26 | 00,158,952 | ---- | M] (NHN Corporation) -- C:\WINDOWS\System32\PubPlugin.dll
[2009/08/13 17:36:07 | 07,891,405 | ---- | M] () -- C:\Documents and Settings\user\Desktop\2pac - Gangsta Party.mp3
[2009/08/13 17:31:06 | 08,974,286 | ---- | M] () -- C:\Documents and Settings\user\Desktop\snoop - gin and juice.mp3
[2009/08/13 11:42:48 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/08/13 10:52:13 | 00,002,277 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Google Chrome.lnk

========== LOP Check ==========

[2009/08/18 08:31:04 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/06/24 13:24:24 | 00,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
[2008/09/13 15:10:24 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{F481FC18-57D5-4479-B2FB-083BFF223F8F}
[2009/07/04 09:19:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/03/29 20:02:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AMV Converter Studio
[2009/05/10 18:38:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU
[2009/07/10 19:42:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DFX
[2009/07/30 17:50:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
[2009/05/22 18:01:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2009/08/18 07:28:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/11/27 13:57:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trymedia
[2009/06/24 13:25:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TuneUp Software
[2009/08/18 08:31:09 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\user\Application Data
[2009/07/04 09:25:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\acccore
[2009/05/10 18:38:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\AVS4YOU
[2009/05/06 23:18:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Axara
[2009/06/23 16:35:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Bioshock
[2009/02/10 19:15:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\EPSON
[2009/01/28 18:24:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\fizzy
[2009/05/11 17:22:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\FMZilla
[2009/07/07 08:50:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\GetRightToGo
[2009/07/05 08:30:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Graboid Inc
[2009/05/10 18:29:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\GrabPro
[2008/09/13 15:09:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\IGN_DLM
[2009/08/19 12:02:24 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\user\Application Data\ijjigame
[2008/08/12 20:18:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\ImTOO Software Studio
[2009/04/23 18:47:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\LimeWire
[2009/02/17 07:41:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Nexon
[2008/08/13 08:48:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\NPLUTO Corporation
[2009/05/10 18:37:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Orbit
[2009/06/17 09:42:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Sahmon Games
[2009/03/24 19:53:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\TeamViewer
[2009/06/24 13:25:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\TuneUp Software
[2009/04/29 21:29:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Ventrilo
[2009/08/23 12:00:04 | 00,000,484 | ---- | M] () -- C:\WINDOWS\Tasks\1-Click Maintenance.job
[2004/08/04 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/08/21 16:51:00 | 00,000,922 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003Core.job
[2009/08/23 11:51:04 | 00,000,974 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1770027372-725345543-1003UA.job
[2009/06/24 10:21:49 | 00,000,338 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/06/24 10:21:48 | 00,000,330 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2009/08/23 10:59:46 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:90EF0C9C
< End of report >

Kaspersky Results:

KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 21, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 21, 2009 19:03:31
Records in database: 2672258

Scan settings
Scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area: My Computer
A:\
C:\
D:\

Scan statistics
Objects scanned: 55965
Threats found: 2
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 02:15:31

File name | Threat | Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULixxerxrsmntalqysooylvfvbibiciwso.dll.vir
Infected: Packed.Win32.Tdss.w

C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULpuxnopponmbojivbuaofgqpmyicvhpyb.dll.vir
Infected: Packed.Win32.Tdss.w

C:\System Volume Information\_restore{76532ED2-A5F8-4ED6-AED9-BF80D1EEDDF0}\RP197\A0093698.exe
Infected: Trojan.Win32.TDSS.aiyc

C:\System Volume Information\_restore{76532ED2-A5F8-4ED6-AED9-BF80D1EEDDF0}\RP199\A0103837.dll
Infected: Packed.Win32.Tdss.w

C:\System Volume Information\_restore{76532ED2-A5F8-4ED6-AED9-BF80D1EEDDF0}\RP199\A0103838.dll
Infected: Packed.Win32.Tdss.w

P.S. How long does it take you to read these incredibly long logs? Sounds painful.

Attached File(s)
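As an added example (not part of ADLoc's post and not code from the OTL tool), a small Python parser for the OTL report format quoted above: it reads the "[timestamp | size | attributes | M] -- path" entries and the "@Alternate Data Stream" lines, then correlates each stream with a directory listed in the same report, since a stream attached to a folder (as with the two on All Users\Application Data\TEMP above) is something a helper reviews before the rest of the log. The sample lines are copied from the log above; the attribute letters are assumed to mean R read-only, H hidden and D directory.

```python
import re
from dataclasses import dataclass

# OTL entry "[timestamp | size | attrs | M] (vendor)? -- path". The attrs
# letters are assumed to mean R read-only, H hidden, D directory.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| [A-Z]\] (?:\([^)]*\) )?-- (?P<path>.+)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+)$")
# Sample lines copied from the OTL report in this thread (trimmed to a few).
SAMPLE_REPORT = r"""
[2009/08/18 07:28:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/08/18 08:31:09 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\user\Application Data
[2009/08/23 10:59:46 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:90EF0C9C
< End of report >
"""

@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str  # e.g. "RH-D"
    path: str

@dataclass
class Stream:
    size: int
    host: str  # file or folder the stream is attached to
    name: str  # stream name after the last colon

def parse_otl(report):
    """Split an OTL report into file/directory entries and ADS lines."""
    entries, streams = [], []
    for line in report.splitlines():
        if m := ENTRY_RE.match(line):
            entries.append(Entry(m["ts"], int(m["size"].replace(",", "")), m["attrs"], m["path"]))
        elif m := ADS_RE.match(line):
            host, name = m["target"].rsplit(":", 1)  # the drive colon stays in host
            streams.append(Stream(int(m["size"]), host, name))
    return entries, streams

def triage(entries, streams):
    """What a helper reviews first: streams attached to folders, and hidden files."""
    dirs = {e.path.lower() for e in entries if "D" in e.attrs}
    return {"ads_on_directory": [s for s in streams if s.host.lower() in dirs],
            "hidden_files": [e for e in entries if "H" in e.attrs and "D" not in e.attrs]}
```

Feeding the contents of a whole saved OTL report to parse_otl works the same way; the sample is only there so the block runs offline.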



#9 Carina

  • Group: Member
  • Posts: 623
  • Joined: 19-November 08

Posted 24 August 2009 - 06:04 AM

Hi ADLoc,


Quote

P.S. How long does it take you to read these incredibly long logs? Sounds painful.

It really takes time to carefully research the lines in the log; the time depends on how nasty the infections are.
If you want to learn how we do it, you may consider applying at GeekU :) The teachers are great, and regarded as some of the best in the Malware Removal field.


I see that there are some more that we need to deal with. Please follow the instructions below:


1. Run OTL Fix
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Files
    C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
    C:\WINDOWS\System32\wbers.dat.dmp
    C:\WINDOWS\imsins.BAK
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.




2. Download and Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - File Associations
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.




3. Post CFScript log

Did you do instruction no. 1 of post 5? If yes, please post the log it created.

I need the following logs in your next reply:


  • Fresh OTL log
  • OTS scan log
  • CFScript fix log


Summer :)


#10 ADLoc

  • Group: Member
  • Posts: 34
  • Joined: 17-August 09

Posted 24 August 2009 - 09:25 AM

Oh, I'm sorry, I thought I had posted it. Also, I think there's a problem with the OTL? When I did what you said, I went downstairs, and when I came back up my screen was blank; explorer.exe, I assume, was killed as a process and the screen was just blank with nothing there. I restarted my machine. Was the blank screen normal?

I also found some files when I restarted my machine.

Attached thumbnail(s)

  • Attached Image: untitled.JPG

Attached File(s)



#11 Carina

  • Group: Member
  • Posts: 623
  • Joined: 19-November 08

Posted 25 August 2009 - 07:20 AM

Hi ADLoc,

Quote

Also, I think there's a problem with the OTL? When I did what you said, I went downstairs, and when I came back up my screen was blank; explorer.exe, I assume, was killed as a process and the screen was just blank with nothing there. I restarted my machine. Was the blank screen normal?

I also found some files when I restarted my machine.

Those are all hidden files that OTL will reveal when a fix is run :)

Please continue with Instructions 1 & 2 of my previous post. You need to run OTL.exe again and make a quick scan. Then download and run OTS; please see the detailed instructions above (Post 9: Instructions 1 & 2).

For your reply: Please post OTL Quick scan Log and OTS scan log.


Summer :)


#12 ADLoc

  • Group: Member
  • Posts: 34
  • Joined: 17-August 09

Posted 25 August 2009 - 03:35 PM

Yes, I understand what I need to do, but the main concern was this: "and the screen was just blank with nothing there. I restarted my machine. Was the blank screen normal?"

Because I ran the OTL like you said again today. It said "KILLING ALL PROCESS" and I had my virus scanner disabled. And it killed my virus scanner McAfee. A few minutes later, while the screen was blank and nothing was happening, my McAfee relaunched itself, and I waited about 20 minutes and still nothing happened. So I'm kind of wondering why OTL isn't working as it should... or is this blank screen normal, even though nothing seems to be happening?

#13 Carina

  • Group: Member
  • Posts: 623
  • Joined: 19-November 08

Posted 26 August 2009 - 11:13 AM


Quote

Was the blank screen normal?

It's not normal if your computer hangs whenever you run it, and you said you waited for about 20 minutes but nothing happened; normally it takes a while for OTL to do its job, and it tells the user what it's doing. The blank screen you experienced means something is causing the scan not to be executed. Have you tried running OTS? If not, please do so. Then we're going to have a deeper check of your system.

Step 1. Download and Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - File Associations
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.



Step 2. Download and Run AVZ

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: Posted Image
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again.


  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Analysis" check box.
    Posted Image
  • Click on "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.


When restarted

  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
    Posted Image
  • Click on "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.


Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


*Note: If your computer shows a blank screen after running OTS, just continue with step 2.

For your reply: Please post the OTS log and attach virusinfo_syscure.zip and virusinfo_syscheck.zip.


Summer :)


#14 ADLoc

  • Group: Member
  • Posts: 34
  • Joined: 17-August 09

Posted 27 August 2009 - 04:40 PM

I don't know what happened, but as I started running OTS, I got this:

Afterwards, at the bottom of OTS you can see what it is scanning. I came back upstairs after eating, which was 20 or 25 minutes, and it still said the same exact thing. I restarted the scan and got the same error again. Do you know what I should do now?


Thank you for your time.

Attached thumbnail(s)

  • Attached Image: untitled.JPG


#15 Carina

  • Group: Member
  • Posts: 623
  • Joined: 19-November 08

Posted 28 August 2009 - 07:21 AM

Hi ADLoc,

This is the same as the last post, but please don't check Reg - File Associations.

Step 1. Download and Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - File Associations <<< Don't include this
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.



Step 2. Download and Run AVZ

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: Posted Image
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again.


  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Analysis" check box.
    Posted Image
  • Click on "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.


When restarted

  • Start AVZ.

  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
    Posted Image
  • Click on "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.


Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


*Note: If your computer shows a blank screen when running OTS, just continue with step 2.

For your reply: Please post the OTS log and attach virusinfo_syscure.zip and virusinfo_syscheck.zip.


By the way, how is the computer running? Do you still get redirected to another website when you search on FF or IE?

Summer :)
