Pop-ups - can't download any programs from cleaning guide. [Solved]


This topic is locked

#1 fern_06 (Member, 43 posts)
Hi,

I keep getting random pop-ups on my computer. I am trying to use the malware and spyware cleaning guide you guys have posted, but every time I try to download any of the programs from there (ERUNT, SystemRestore, TFC), I am unable to do so; either Explorer freezes or it automatically closes all the windows. Please let me know what I can do.

Thanks

#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Rename the tools to svchost.com.

Do they run then?

If not, do this:

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

#3 fern_06 (Topic Starter, Member, 43 posts)
Hi,

I wasn't able to do either, so I used another computer to save the programs. I ran TFC, and when the computer rebooted I got a big screen saying Privacy Center, which I was only able to close using Ctrl+Alt+Del, but even when I close it my desktop is completely blank and there's no Start menu or anything. Please let me know what to do; I feel I have lost everything.

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Well, can you use the other machine to get the programs onto the infected PC so they run?

#5 fern_06 (Topic Starter, Member, 43 posts)
I can't get past the Privacy Center virus window when my computer restarts each time, so I can't do anything until I get rid of that first. I don't have a desktop or any icons, just the Privacy Center window.

#6 fern_06 (Topic Starter, Member, 43 posts)
This is what I am referring to:
Should I try to go through these steps to remove it first? Otherwise I can't do anything else.

Thanks

#7 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
No, don't use that, it's not safe.

Press Ctrl+Alt+Del; it will bring up Task Manager. Click the Processes tab and list what is there for me.

#8 fern_06 (Topic Starter, Member, 43 posts)
OK, I will do that later today when I am in front of the computer and let you know. Last time I tried there was a ton of stuff.

#9 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Just write down any that are not familiar to you, then.

#10 fern_06 (Topic Starter, Member, 43 posts)
Here are pretty much all the processes, as I don't recognize any of them. Thanks. Please let me know what to do next.

MRT.exe
alg.exe
update.exe
waaudt.exe
nmsrvc.exe
jqs.exe
mrtsrub.exe
windows-kb89083
DefWatch.exe
ccSetMgr.exe
svchost.exe
mDNSResponder
RegSrvc.exe
S24EvMon.exe
ati2evxx.exe
ibmpmsvc.exe
lsass.exe
services.exe
esrss.exe
smss.exe
QCONSVC.exe
MOM.exe
Kwanzy131.exe
pc.exe
spoolsv.exe
system
SystemIdle Process
winlogon.exe
taskmgr.exe
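One way to triage a process list like the one above before asking for help, as an added example that is not part of this thread or of any tool it mentions: each name is checked against a small baseline of core Windows XP processes, and names that are one character off a core name are flagged separately, since a process that hides behind a near-copy of a system name is a common trick. The baseline (XP_CORE) is this example's own assumption, not an exhaustive allow-list, and "unknown" only means the name has to be looked up. On the list as typed it puts esrss.exe in the lookalike bucket (one character from csrss.exe; the thread does not say whether that is a real process or a typo in the post) and leaves pc.exe, the process the helper singles out in the next reply, among the unknowns.

```python
"""Triage a Task Manager process list against a minimal Windows XP baseline.

Added example, not part of the original post. PROCESS_LIST is the list posted
above, copied as typed. XP_CORE is an assumed minimal set of processes present
on a booted XP system (not an exhaustive allow-list); an "unknown" result means
the name needs looking up, not that it is malicious.
"""


def normalize(name):
    """Lower-case and drop spaces so 'SystemIdle Process' matches 'System Idle Process'."""
    return name.strip().lower().replace(" ", "")


# Assumption: minimal baseline of core XP processes (as normalized names).
XP_CORE = {normalize(n) for n in [
    "System Idle Process", "System", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
    "alg.exe", "taskmgr.exe",
]}


def edit_distance(a, b):
    """Levenshtein distance; used to catch names one character off a core name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(name, baseline=XP_CORE):
    """'core' = exact baseline match, 'lookalike' = distance 1 from a core name, else 'unknown'."""
    n = normalize(name)
    if n in baseline:
        return "core"
    if any(edit_distance(n, core) == 1 for core in baseline):
        return "lookalike"
    return "unknown"


def triage(names, baseline=XP_CORE):
    """Group names by class, preserving the order they were listed in."""
    groups = {"core": [], "lookalike": [], "unknown": []}
    for name in names:
        groups[classify(name, baseline)].append(name)
    return groups


# Copied from the post above, as typed.
PROCESS_LIST = [
    "MRT.exe", "alg.exe", "update.exe", "waaudt.exe", "nmsrvc.exe", "jqs.exe",
    "mrtsrub.exe", "windows-kb89083", "DefWatch.exe", "ccSetMgr.exe",
    "svchost.exe", "mDNSResponder", "RegSrvc.exe", "S24EvMon.exe",
    "ati2evxx.exe", "ibmpmsvc.exe", "lsass.exe", "services.exe", "esrss.exe",
    "smss.exe", "QCONSVC.exe", "MOM.exe", "Kwanzy131.exe", "pc.exe",
    "spoolsv.exe", "system", "SystemIdle Process", "winlogon.exe",
    "taskmgr.exe",
]

if __name__ == "__main__":
    for group, members in triage(PROCESS_LIST).items():
        print(f"{group:9s} ({len(members):2d}): {', '.join(members)}")
```

The lookalike check is deliberately narrow (distance exactly 1, against the baseline only); a wider threshold would start flagging legitimate short names against each other. The 18 unknowns still need a human or a reputation lookup, which is exactly what the helper asks for next.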

#11 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Select this process and kill it in Task Manager:

pc.exe

Then try to run the tools again.

#12 fern_06 (Topic Starter, Member, 43 posts)
I did end the process; the Privacy Center window went away, but my desktop is still blank, so I still can't access anything.

#13 fern_06 (Topic Starter, Member, 43 posts)
I was able to get to my desktop and run the programs. When I ran TFC and rebooted, the Privacy Center screen appeared again and I ended the pc.exe process again. I wasn't able to run System Restore Point, as I got an error message saying SysRestorePoint.exe has encountered a problem and needs to close. After running everything else, I still have a Privacy-Components icon on my desktop and don't know what that is. Here are my OTL, MBAM and RootRepeal logs:

OTL.exe:

OTL logfile created on: 12/11/2009 9:10:06 PM - Run 1
OTL by OldTimer - Version 3.1.11.9 Folder = F:\
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.92 Mb Total Physical Memory | 646.63 Mb Available Physical Memory | 63.21% Memory free
2.40 Gb Paging File | 2.08 Gb Available in Paging File | 86.73% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15.14 Gb Total Space | 0.84 Gb Free Space | 5.56% Space Free | Partition Type: NTFS
Drive D: | 22.11 Gb Total Space | 10.82 Gb Free Space | 48.92% Space Free | Partition Type: NTFS
Drive E: | 702.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 963.70 Mb Total Space | 825.03 Mb Free Space | 85.61% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FCH543-T41
Current User Name: fch543
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/09 09:44:52 | 00,536,576 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2009/06/05 12:39:22 | 00,292,136 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/06/05 12:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/26 16:18:30 | 00,413,696 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2009/01/13 21:37:00 | 01,830,128 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2009/01/09 18:01:47 | 00,382,384 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2009/01/09 18:01:47 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/01/09 18:01:46 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/12/14 08:29:00 | 00,467,240 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Pure Networks\Network Magic\nmapp.exe
PRC - [2008/12/12 17:06:40 | 00,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2008/12/12 17:06:40 | 00,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2007/08/30 16:43:18 | 00,103,664 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
PRC - [2007/06/13 05:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/12/08 18:35:54 | 00,094,208 | ---- | M] (SealedMedia) -- C:\Program Files\SealedMedia\sealmon.exe
PRC - [2004/05/19 03:21:00 | 00,073,728 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\QCONSVC.EXE
PRC - [2004/05/13 21:36:34 | 00,397,312 | ---- | M] () -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2004/04/08 18:12:06 | 00,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2004/04/08 18:11:26 | 00,512,000 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2004/04/07 06:21:50 | 00,303,171 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\system32\S24EvMon.exe
PRC - [2004/04/07 06:20:40 | 00,122,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\RegSrvc.exe
PRC - [2004/03/26 18:16:30 | 00,102,400 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\TpShocks.exe
PRC - [2004/03/12 15:18:32 | 00,124,128 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2004/03/12 15:17:10 | 00,029,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2004/03/10 10:10:44 | 00,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
PRC - [2004/03/10 10:10:40 | 00,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
PRC - [2004/02/29 16:44:54 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2004/02/29 16:44:46 | 00,066,680 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2004/02/26 01:26:00 | 00,057,344 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe
PRC - [2003/06/27 08:53:32 | 00,088,363 | ---- | M] (Agere Systems) -- C:\WINDOWS\AGRSMMSG.exe
PRC - [2002/10/08 22:28:42 | 00,040,960 | ---- | M] () -- C:\WINDOWS\system32\TpScrLk.exe
PRC - [2002/01/10 15:01:34 | 00,065,536 | ---- | M] (IBM Corporation) -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe


========== Modules (SafeList) ==========

MOD - [2009/12/09 09:44:52 | 00,536,576 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
MOD - [2006/08/25 10:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/04/08 18:11:54 | 00,065,536 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/06/05 12:39:14 | 00,541,992 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/03/23 22:33:00 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/03/18 01:04:42 | 01,685,024 | ---- | M] (NanJing Nagasoft Co, LTD.) -- C:\WINDOWS\system32\Nagasoft\vjocx.dll -- (vvdsvc)
SRV - [2009/01/09 18:01:46 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/12/12 17:06:40 | 00,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2004/08/04 00:56:44 | 00,027,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\irmon.dll -- (Irmon)
SRV - [2004/05/26 10:33:18 | 00,068,096 | ---- | M] () -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
SRV - [2004/05/19 03:21:00 | 00,073,728 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\QCONSVC.EXE -- (QCONSVC)
SRV - [2004/05/13 21:36:34 | 00,397,312 | ---- | M] () -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2004/04/07 06:21:50 | 00,303,171 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\system32\S24EvMon.exe -- (S24EventMonitor)
SRV - [2004/04/07 06:20:40 | 00,122,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\RegSrvc.exe -- (RegSrvc)
SRV - [2004/03/12 15:18:06 | 00,169,192 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2004/03/12 15:17:46 | 01,221,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2004/03/12 15:17:10 | 00,029,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2004/03/11 14:58:32 | 00,193,760 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2004/02/29 16:44:54 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2004/02/29 16:44:52 | 00,087,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2004/02/29 16:44:48 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2004/02/26 01:26:00 | 00,057,344 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = E2 DD E0 01 F2 92 7C 42 9F FC E8 D7 65 12 81 CA [binary data]
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\students, = http://www.kellogg.n...edu/students/%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\students, = +
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\students,# = %23
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\students,% = %25
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\students,& = %26
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\students,+ = %2B
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo....r=ytff-msgr&p="
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..keyword.URL: "http://search.yahoo....r=ytff-msgr&p="

FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/09 21:06:53 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/11 16:20:12 | 00,000,000 | ---D | M]

[2009/06/21 13:09:38 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/06/21 13:09:38 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\[email protected]
[2009/10/10 16:07:57 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0w39mi1n.default\extensions
[2008/03/08 18:26:43 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0w39mi1n.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/12/09 00:14:58 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0w39mi1n.default\extensions\{8a8f8ea7-b43a-447a-82a0-90098d3703eb}
[2009/10/10 16:07:54 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0w39mi1n.default\extensions\[email protected]
[2009/10/10 16:07:57 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0w39mi1n.default\extensions\staged-xpis
[2009/12/06 19:18:20 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/12/06 19:18:20 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{4E551550-1870-479D-BF66-DF77900E100E}
[2009/08/12 08:45:02 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2009/08/12 08:44:29 | 00,067,688 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2009/08/12 08:44:30 | 00,054,368 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2009/08/12 08:44:30 | 00,034,944 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2009/08/12 08:44:33 | 00,046,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2009/12/09 21:06:49 | 00,122,880 | ---- | M] () -- C:\Program Files\Mozilla Firefox\components\wsff.dll
[2009/08/12 08:44:33 | 00,172,136 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! 工具列) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! 工具列) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AGRSMMSG] C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [nmapp] C:\Program Files\Pure Networks\Network Magic\nmapp.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe (SealedMedia)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
O4 - HKLM..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe ()
O4 - HKLM..\Run: [TpShocks] C:\WINDOWS\System32\TpShocks.exe (IBM Corp.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [RealPlayer] C:\Program Files\Real\RealPlayer\realplay.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuNetworkPlaces = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} https://lnmail4.disc...om/iNotes6W.cab (iNotes6 Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://go.divx.com/p...owserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...AB?38132.640625 (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://portico.disc...perSetupSP1.cab (JuniperSetupControlXP Class)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/...SetupClient.cab (JuniperSetupClientControl Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.29.103.15 24.29.103.16
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll ()
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\System32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\QConGina: DllName - QConGina.dll - C:\WINDOWS\System32\QConGina.dll (IBM Corp.)
O24 - Desktop Components:0 () - http://us.f3.yahoofs...hJL4PDBIyPUMhcZ
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/05/23 17:12:12 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/05/23 17:11:40 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: Ip6FwHlp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (53765169410473984)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/09 21:08:17 | 00,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Application Data\PC
[2009/12/06 18:50:09 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2009/12/06 18:48:51 | 00,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Application Data\WinRAR
[2009/12/06 18:48:45 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\SysWoW32
[2009/12/06 18:48:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2009/12/06 18:48:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2009/12/06 18:47:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\503929488
[52 D:\Documents and Settings\Administrator\Desktop\*.tmp files -> D:\Documents and Settings\Administrator\Desktop\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/11 20:47:55 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/11 20:47:52 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/12/11 20:47:16 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/11 20:47:09 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/11 20:47:05 | 10,726,80960 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/11 20:46:10 | 04,980,736 | -H-- | M] () -- D:\Documents and Settings\Administrator\NTUSER.DAT
[2009/12/11 20:45:57 | 00,000,278 | -HS- | M] () -- D:\Documents and Settings\Administrator\ntuser.ini
[2009/12/11 19:49:35 | 00,000,533 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2009/12/11 19:49:35 | 00,000,520 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2009/12/11 19:44:55 | 00,005,609 | -HS- | M] () -- D:\Documents and Settings\Administrator\Application Data\0200000085c07932712C.manifest
[2009/12/11 19:44:55 | 00,002,097 | -HS- | M] () -- D:\Documents and Settings\Administrator\Application Data\0200000085c07932712P.manifest
[2009/12/11 19:44:54 | 00,000,649 | -HS- | M] () -- D:\Documents and Settings\Administrator\Application Data\0200000085c07932712O.manifest
[2009/12/11 19:44:54 | 00,000,011 | -HS- | M] () -- D:\Documents and Settings\Administrator\Application Data\0200000085c07932712S.manifest
[2009/12/10 19:56:46 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/09 21:53:22 | 00,000,181 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2009/12/09 21:09:30 | 00,000,056 | ---- | M] () -- C:\xcrashdump.dat
[2009/12/09 21:08:20 | 00,000,930 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\Privacy-Components.lnk
[2009/12/09 21:07:52 | 00,000,817 | ---- | M] () -- C:\WINDOWS\System32\742079991
[2009/12/09 21:06:25 | 00,001,250 | -HS- | M] () -- C:\WINDOWS\System32\2087415207
[2009/12/09 01:12:39 | 04,842,520 | -H-- | M] () -- D:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/12/06 19:09:28 | 00,000,615 | ---- | M] () -- C:\WINDOWS\System32\r2Bsq6W.vbs
[2009/12/06 19:08:25 | 00,000,615 | ---- | M] () -- C:\WINDOWS\System32\c3IWK.vbs
[2009/12/06 19:03:27 | 00,000,615 | ---- | M] () -- C:\WINDOWS\System32\IMDls.vbs
[2009/12/06 18:56:04 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2009/12/06 18:56:04 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2009/12/06 18:51:50 | 00,444,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/06 18:51:50 | 00,072,306 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/06 18:51:49 | 00,525,770 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/06 18:50:17 | 00,000,613 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/06 18:49:21 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/12/06 18:48:25 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2009/12/06 18:47:17 | 00,203,776 | -HS- | M] () -- C:\WINDOWS\System32\unrar.exe
[2009/12/06 18:43:59 | 00,123,392 | ---- | M] () -- C:\WINDOWS\System32\infocardapi32.dll
[2009/12/06 18:43:25 | 00,123,392 | ---- | M] () -- C:\WINDOWS\System32\dxva232.dll
[2009/12/06 18:42:53 | 00,000,615 | ---- | M] () -- C:\WINDOWS\System32\Dxfk7.vbs
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[52 D:\Documents and Settings\Administrator\Desktop\*.tmp files -> D:\Documents and Settings\Administrator\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/09 21:09:30 | 00,000,056 | ---- | C] () -- C:\xcrashdump.dat
[2009/12/09 21:08:20 | 00,000,930 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\Privacy-Components.lnk
[2009/12/06 19:09:28 | 00,000,615 | ---- | C] () -- C:\WINDOWS\System32\r2Bsq6W.vbs
[2009/12/06 19:08:25 | 00,000,615 | ---- | C] () -- C:\WINDOWS\System32\c3IWK.vbs
[2009/12/06 19:03:27 | 00,000,615 | ---- | C] () -- C:\WINDOWS\System32\IMDls.vbs
[2009/12/06 18:50:31 | 00,764,868 | ---- | C] () -- C:\WINDOWS\System32\dllcache\apph_sp.sdb
[2009/12/06 18:50:31 | 00,217,118 | ---- | C] () -- C:\WINDOWS\System32\dllcache\apphelp.sdb
[2009/12/06 18:49:23 | 00,001,250 | -HS- | C] () -- C:\WINDOWS\System32\2087415207
[2009/12/06 18:49:22 | 00,000,817 | ---- | C] () -- C:\WINDOWS\System32\742079991
[2009/12/06 18:48:25 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2009/12/06 18:47:17 | 00,203,776 | -HS- | C] () -- C:\WINDOWS\System32\unrar.exe
[2009/12/06 18:46:36 | 00,005,609 | -HS- | C] () -- D:\Documents and Settings\Administrator\Application Data\0200000085c07932712C.manifest
[2009/12/06 18:46:36 | 00,002,097 | -HS- | C] () -- D:\Documents and Settings\Administrator\Application Data\0200000085c07932712P.manifest
[2009/12/06 18:46:36 | 00,000,649 | -HS- | C] () -- D:\Documents and Settings\Administrator\Application Data\0200000085c07932712O.manifest
[2009/12/06 18:46:36 | 00,000,011 | -HS- | C] () -- D:\Documents and Settings\Administrator\Application Data\0200000085c07932712S.manifest
[2009/12/06 18:43:59 | 00,123,392 | ---- | C] () -- C:\WINDOWS\System32\infocardapi32.dll
[2009/12/06 18:43:25 | 00,123,392 | ---- | C] () -- C:\WINDOWS\System32\dxva232.dll
[2009/12/06 18:42:53 | 00,000,615 | ---- | C] () -- C:\WINDOWS\System32\Dxfk7.vbs
[2009/10/03 09:17:41 | 08,673,792 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\atscie.msi
[2008/03/04 17:52:34 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2007/10/31 08:39:54 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2007/05/17 12:58:10 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\libexpatw.dll
[2006/12/16 13:26:56 | 00,001,458 | ---- | C] () -- C:\Program Files\DOWNLOAD_INSTALL.LOG
[2006/09/16 12:16:28 | 00,004,217 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/02/27 16:51:53 | 00,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2006/02/27 16:51:53 | 00,000,339 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2006/02/27 01:46:41 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2006/02/27 01:46:41 | 00,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2006/01/25 19:16:20 | 00,017,016 | ---- | C] () -- C:\WINDOWS\System32\SS32DVR.DLL
[2005/09/14 11:55:01 | 00,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2005/05/11 13:10:08 | 00,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2005/04/04 12:01:13 | 00,000,181 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2005/04/01 14:09:08 | 00,003,852 | ---- | C] () -- C:\WINDOWS\avvrh.dll
[2004/08/25 19:26:18 | 00,004,608 | ---- | C] () -- D:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/07/07 10:22:05 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/07/06 13:41:21 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2004/06/09 14:56:53 | 00,000,852 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/06/03 14:13:48 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2004/05/28 12:15:46 | 00,002,295 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.SYS
[2004/05/26 17:07:40 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2004/05/26 17:07:40 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2004/05/26 17:07:40 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2004/05/26 17:07:40 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2004/05/26 17:07:39 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2004/05/26 17:07:39 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2004/05/26 15:53:38 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2004/05/26 15:53:23 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2004/05/26 15:53:23 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2004/05/26 15:41:03 | 00,008,831 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2004/05/26 15:40:49 | 00,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSMAPIP.SYS
[2004/05/26 15:40:24 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\Sensor.dll
[2004/05/26 15:39:23 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[2004/05/23 18:53:39 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll
[2004/05/23 18:51:18 | 00,122,880 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2004/05/23 18:51:18 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\tpinspm.dll
[2004/05/23 17:12:25 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/07 06:21:16 | 00,212,992 | ---- | C] () -- C:\WINDOWS\System32\C1XStngs.dll
[2004/03/18 12:55:48 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/10/08 13:34:26 | 00,121,440 | ---- | C] () -- C:\WINDOWS\System32\MSDRMCtrl.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2006/02/07 01:05:09 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Aim
[2006/07/22 20:27:24 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\BitTorrent
[2005/05/12 01:45:50 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\IBM
[2004/07/29 20:46:10 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\InterVideo
[2009/10/26 20:55:42 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Juniper Networks
[2009/12/06 19:14:24 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\LimeWire
[2009/12/11 20:00:55 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\PC
[2004/06/01 12:31:25 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Qualcomm
[2007/07/25 21:46:21 | 00,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Viewpoint
[2005/03/31 11:32:06 | 00,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\AdDestroyer
[2004/06/09 16:40:09 | 00,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\IBM
[2009/07/31 08:02:42 | 00,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Juniper Networks
[2005/02/14 02:09:10 | 00,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\MSN Messenger 6.2.0205
[2005/03/31 16:27:00 | 00,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\VBouncer
[2009/01/09 18:07:32 | 00,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Viewpoint
[2004/09/11 17:14:03 | 00,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Visual Networks
[2009/06/21 12:56:08 | 00,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2004/05/26 15:40:32 | 00,000,314 | ---- | M] () -- C:\WINDOWS\Tasks\BMMTask.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/05/12 01:48:03 | 21,901,656 | ---- | M] (Apple Computer, Inc. ) -- C:\iTunesSetup.exe
[2001/05/24 12:59:30 | 00,162,304 | ---- | M] () -- C:\UNWISE.EXE


< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\agp440.sys
[2001/08/17 08:58:00 | 00,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/28 20:27:50 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 13:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 00:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 00:56:44 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
[2002/08/29 07:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2002/08/29 07:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 00:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/04 00:56:46 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/04 00:56:46 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2002/08/29 07:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >

Extras.Txt:

OTL Extras logfile created on: 12/11/2009 9:10:06 PM - Run 1
OTL by OldTimer - Version 3.1.11.9 Folder = F:\
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.92 Mb Total Physical Memory | 646.63 Mb Available Physical Memory | 63.21% Memory free
2.40 Gb Paging File | 2.08 Gb Available in Paging File | 86.73% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 15.14 Gb Total Space | 0.84 Gb Free Space | 5.56% Space Free | Partition Type: NTFS
Drive D: | 22.11 Gb Total Space | 10.82 Gb Free Space | 48.92% Space Free | Partition Type: NTFS
Drive E: | 702.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 963.70 Mb Total Space | 825.03 Mb Free Space | 85.61% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FCH543-T41
Current User Name: fch543
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"7000:UDP" = 7000:UDP:129.105.223.0/255.255.255.128:enabled:NUTV - Channel Guide
"7070:UDP" = 7070:UDP:129.105.223.0/255.255.255.128:Enabled:NUTV - Video Streams
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:disabled:@xpsp2res.dll,-22009
"67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Disabled:SopCast Adver -- File not found
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Disabled:SopCast Main Application -- File not found
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"D:\Documents and Settings\Administrator\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServ.exe" = D:\Documents and Settings\Administrator\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServ.exe:*:Enabled:Juniper Terminal Services Client -- (Juniper Networks)
"C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe" = C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe:*:Disabled:Secure Application Manager Proxy -- (Juniper Networks)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)
"C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe" = C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Platform Service -- (Cisco Systems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}" = Macromedia Dreamweaver MX 2004
"{06E73C0B-7DE7-4F41-860B-587033B75BD9}" = iPod Updater 2004-11-15
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0CA14F11-6F47-4613-8E40-6AC088E464A0}" = Cisco Network Magic
"{1F0BD960-6525-4FEE-B577-2473F77F1277}" = Windows Messenger 5.0
"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B71A00-4DED-11D4-A5E5-0004AC564F43}" = IBM Access Connections
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B1A4366-8DFA-4582-91F6-27F7A4714FCC}" = Pure Networks Platform
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45534579-B75B-4A42-953B-2EF8E1DEB4F3}" = Microsoft XML Parser
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{67D7BC74-E8DF-4811-9B41-6023A8C9BB3F}" = Intel® Sebring API
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{72806716-7088-41B2-8FA6-717A2A164DAB}" = IBM Active Protection System
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{848AC794-8B81-440A-81AE-6474337DB527}" = Symantec AntiVirus
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90F80409-6000-11D3-8CFE-0150048383C9}" = Remove Hidden Data Tool
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = IBM RecordNow!
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B11BF9FF-7A12-42D5-BE71-9C3C05833D89}" = SealedMedia Unsealer 4.1.9.1
"{B5599ECB-DA72-43EE-8A30-2C80396FF8BB}" = Access IBM
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C34FAEF3-4241-4C4E-9CFF-7BBD8BCEABE7}" = WebEx Support Manager for Internet Explorer
"{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}" = Microsoft Outlook Personal Folders Backup
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CA254A9C-2A33-4D35-85A2-FEE6FFFF558C}" = Eudora
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management client
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Access IBM Tools" = Access IBM Tools
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = Agere Systems AC'97 Modem
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ERUNT_is1" = ERUNT 1.1j
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{06E73C0B-7DE7-4F41-860B-587033B75BD9}" = iPod Updater 2004-11-15
"IPIX ActiveX Viewer" = iPIX ActiveX Viewer
"Juniper_Setup_Client Activex Control" = Juniper Networks Setup Client Activex Control
"LimeWire" = LimeWire 5.1.3
"LiveUpdate" = LiveUpdate 2.0 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (2.0.0.20)" = Mozilla Firefox (2.0.0.20)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Neoteris_Secure_Application_Manager" = Juniper Networks Secure Application Manager
"Network MagicUninstall" = Network Magic
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Power Features" = IBM ThinkPad Battery MaxiMiser and Power Management Features
"Power Management Driver" = IBM ThinkPad Power Management Driver
"Presentation Director" = IBM ThinkPad Presentation Director
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealPlayer 6.0" = RealPlayer
"SynTPDeinstKey" = IBM ThinkPad UltraNav Driver
"ThinkPad Configuration" = IBM ThinkPad Configuration
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"ThinkPadSoftwareInstaller" = ThinkPad Software Installer
"TPKBDLED" = Scroll Lock Indicator Utility
"TVAnts ActiveX Control 1.0" = TVAnts ActiveX Control 1.0
"Tweak UI 2.10" = Tweak UI
"VJOcx2.0" = VJOcx2.0
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! ¤u¨ă¦C
"Yahoo! Extras" = Yahoo! Browser Services
"Yahoo! Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Adobe Digital Editions" = Adobe Digital Editions
"Juniper_Setup_Client" = Juniper Networks Setup Client
"Juniper_Term_Services" = Juniper Terminal Services Client
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/6/2009 8:08:29 PM | Computer Name = FCH543-T41 | Source = Application Error | ID = 1000
Description = Faulting application update_for_media_player_(kb972036)[1].exe, version
0.0.0.0, faulting module update_for_media_player_(kb972036)[1].exe, version 0.0.0.0,
fault address 0x00001b30.

Error - 12/6/2009 8:09:31 PM | Computer Name = FCH543-T41 | Source = Application Error | ID = 1000
Description = Faulting application update_for_media_player_(kb972036)[1].exe, version
0.0.0.0, faulting module update_for_media_player_(kb972036)[1].exe, version 0.0.0.0,
fault address 0x00001b30.

Error - 12/9/2009 2:16:25 AM | Computer Name = FCH543-T41 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module shell32.dll, version 6.0.2900.3402, fault address 0x0002cb9e.

Error - 12/9/2009 2:28:38 AM | Computer Name = FCH543-T41 | Source = Application Error | ID = 1000
Description = Faulting application sysrestorepoint.exe, version 1.3.0.0, faulting
module kernel32.dll, version 5.1.2600.3541, fault address 0x00012a6b.

Error - 12/9/2009 2:28:53 AM | Computer Name = FCH543-T41 | Source = Application Error | ID = 1000
Description = Faulting application sysrestorepoint.exe, version 1.3.0.0, faulting
module kernel32.dll, version 5.1.2600.3541, fault address 0x00012a6b.

Error - 12/9/2009 2:29:32 AM | Computer Name = FCH543-T41 | Source = Application Error | ID = 1000
Description = Faulting application sysrestorepoint.exe, version 1.3.0.0, faulting
module kernel32.dll, version 5.1.2600.3541, fault address 0x00012a6b.

Error - 12/9/2009 2:45:34 AM | Computer Name = FCH543-T41 | Source = Application Error | ID = 1000
Description = Faulting application sysrestorepoint.exe, version 1.3.0.0, faulting
module kernel32.dll, version 5.1.2600.3541, fault address 0x00012a6b.

Error - 12/9/2009 2:46:17 AM | Computer Name = FCH543-T41 | Source = Application Error | ID = 1000
Description = Faulting application sysrestorepoint.exe, version 1.3.0.0, faulting
module kernel32.dll, version 5.1.2600.3541, fault address 0x00012a6b.

Error - 12/11/2009 8:47:03 PM | Computer Name = FCH543-T41 | Source = Application Error | ID = 1000
Description = Faulting application sysrestorepoint.exe, version 1.3.0.0, faulting
module kernel32.dll, version 5.1.2600.3541, fault address 0x00012a6b.

Error - 12/11/2009 8:47:20 PM | Computer Name = FCH543-T41 | Source = Application Error | ID = 1000
Description = Faulting application sysrestorepoint.exe, version 1.3.0.0, faulting
module kernel32.dll, version 5.1.2600.3541, fault address 0x00012a6b.

[ System Events ]
Error - 12/11/2009 8:42:18 PM | Computer Name = FCH543-T41 | Source = Service Control Manager | ID = 7034
Description = The Kwanzy Service service terminated unexpectedly. It has done this
1 time(s).

Error - 12/11/2009 8:42:18 PM | Computer Name = FCH543-T41 | Source = Service Control Manager | ID = 7034
Description = The Symantec Settings Manager service terminated unexpectedly. It
has done this 1 time(s).

Error - 12/11/2009 8:42:18 PM | Computer Name = FCH543-T41 | Source = Service Control Manager | ID = 7034
Description = The RegSrvc service terminated unexpectedly. It has done this 1 time(s).

Error - 12/11/2009 8:42:18 PM | Computer Name = FCH543-T41 | Source = Service Control Manager | ID = 7034
Description = The Spectrum24 Event Monitor service terminated unexpectedly. It
has done this 1 time(s).

Error - 12/11/2009 8:42:18 PM | Computer Name = FCH543-T41 | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 12/11/2009 8:42:18 PM | Computer Name = FCH543-T41 | Source = Service Control Manager | ID = 7034
Description = The QCONSVC service terminated unexpectedly. It has done this 1 time(s).

Error - 12/11/2009 8:42:18 PM | Computer Name = FCH543-T41 | Source = Service Control Manager | ID = 7034
Description = The Pure Networks Platform Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/11/2009 8:42:18 PM | Computer Name = FCH543-T41 | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 12/11/2009 9:00:54 PM | Computer Name = FCH543-T41 | Source = Service Control Manager | ID = 7034
Description = The Kwanzy Service service terminated unexpectedly. It has done this
1 time(s).

Error - 12/11/2009 9:47:23 PM | Computer Name = FCH543-T41 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000243'
while processing the file 'SAVRT' on the volume 'HarddiskVolume1'. It has stopped
monitoring the volume.


< End of report >


RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/11 21:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9E90000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7DAC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8BF9000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0xe3ff7240

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xa9fc6f20

==EOF==


MBAM:

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

12/11/2009 8:00:55 PM
mbam-log-2009-12-11 (20-00-55).txt

Scan type: Quick Scan
Objects scanned: 110994
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 3
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 5
Files Infected: 30

Memory Processes Infected:
D:\Documents and Settings\Administrator\Application Data\WhereSphere\wheresphere.exe (Adware.WhereSphere) -> Unloaded process successfully.
C:\Program Files\Kwanzy\kwanzy.exe (Adware.Kwanzy) -> Unloaded process successfully.
D:\Documents and Settings\All Users\Application Data\Kwanzy\kwanzy131.exe (Adware.Kwanzy) -> Unloaded process successfully.
D:\Documents and Settings\Administrator\Application Data\PC\agent.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Kwanzy\kwanzy.dll (Adware.Kwanzy) -> Delete on reboot.
C:\WINDOWS\system32\__c00FB039.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\gpkcsp32.dll (Trojan.Tracur) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wheresphere (Adware.WhereSphere) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kwanzy (Adware.Kwanzy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kwanzy Service (Adware.Kwanzy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00fb039 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ac3b3df7712 (Trojan.Tracur) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\privacy-components (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wheresphere (Adware.WhereSphere) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agent.exe (Trojan.FraudPack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\gpkcsp32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\gpkcsp32.dll -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (D:\Documents and Settings\Administrator\Application Data\PC\pc.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
D:\Documents and Settings\Administrator\Application Data\WhereSphere (Adware.WhereSphere) -> Quarantined and deleted successfully.
C:\Program Files\Kwanzy (Adware.Kwanzy) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Application Data\Kwanzy (Adware.Kwanzy) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq (Rogue.ControlCenter) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq\images (Rogue.ControlCenter) -> Quarantined and deleted successfully.

Files Infected:
D:\Documents and Settings\Administrator\Application Data\WhereSphere\config.cfg (Adware.WhereSphere) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\WhereSphere\wheresphere.exe (Adware.WhereSphere) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\WhereSphere\WSUninstall.exe (Adware.WhereSphere) -> Quarantined and deleted successfully.
C:\Program Files\Kwanzy\kwanzy.dll (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\Program Files\Kwanzy\kwanzy.exe (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\Program Files\Kwanzy\uninstall.exe (Adware.Kwanzy) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Application Data\Kwanzy\kwanzy131.exe (Adware.Kwanzy) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq\guide.html (Rogue.ControlCenter) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg1.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg10.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg2.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg3.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg4.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg5.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg6.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg7.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg8.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\faq\images\gimg9.jpg (Rogue.ControlCenter) -> Quarantined and deleted successfully.
C:\Program Files\mozilla firefox\searchPlugins\kwanzy131.xml (Adware.Kwanzy) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00FB039.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\dmime32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fde32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\framebuf32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gpkcsp32.dll (Trojan.Tracur) -> Delete on reboot.
C:\WINDOWS\system32\iernonce32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\pc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\agent.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\settings.ini (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Documents and Settings\Administrator\Application Data\PC\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  • 0
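The MBAM log above shows three classic logon-time persistence points being abused: a per-user `Winlogon\Shell` value pointing at `pc.exe` instead of `Explorer.exe`, a DLL planted in `AppInit_DLLs`, and two random-looking `Winlogon\Notify` subkeys. As an added example (not part of this thread and not code from Malwarebytes or any other tool mentioned here), the script below inventories those same locations on a Windows host so that an administrator can review them before and after a cleanup. It assumes an elevated PowerShell session; the default values it compares against (`Explorer.exe` for the machine-wide shell, an empty `AppInit_DLLs`, no per-user `Shell` value) are the ones the log itself names as "Good", and the rule that a relative `DLLName` resolves under `System32` is an assumption for display purposes only.

```powershell
# Added example: inventory the Winlogon persistence points seen in the MBAM log.
# Not from the thread; assumes an elevated PowerShell session on Windows.
function Get-WinlogonPersistence {
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding([string]$Location, [string]$Value, [string]$Status) {
        $findings.Add((New-Object PSObject -Property @{
            Location = $Location; Value = $Value; Status = $Status }))
    }

    # 1. Winlogon\Shell. The machine-wide default is Explorer.exe; a per-user
    #    value normally does not exist at all (the log shows HKCU set to pc.exe).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($hive -eq 'HKLM') {
            if ($shell -and $shell -ne 'Explorer.exe') {   # -ne is case-insensitive
                Add-Finding "$hive\Winlogon\Shell" $shell 'REVIEW: not Explorer.exe'
            }
        } elseif ($shell) {
            Add-Finding "$hive\Winlogon\Shell" $shell 'REVIEW: per-user shell override present'
        }
    }

    # 2. AppInit_DLLs. Anything listed here is loaded into every process that
    #    links user32.dll, so a non-empty value always deserves a look.
    $winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appinit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appinit -and $appinit.Trim() -ne '') {
        Add-Finding 'HKLM\...\Windows\AppInit_DLLs' $appinit 'REVIEW: AppInit_DLLs populated'
    }

    # 3. Winlogon\Notify. Each subkey names a DLL that winlogon.exe loads at logon.
    #    Every entry is listed with its Authenticode status so the reviewer sees
    #    the whole set, not just a guess at which ones are bad.
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    foreach ($sub in (Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue)) {
        $name = $sub.PSChildName
        $dll  = (Get-ItemProperty -Path $sub.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        if (-not $dll) {
            Add-Finding "Winlogon\Notify\$name" '' 'REVIEW: no DLLName value'
            continue
        }
        # Assumption: a bare file name is resolved under System32 for display.
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path "$env:SystemRoot\System32" $dll }
        if (-not (Test-Path -LiteralPath $path)) {
            Add-Finding "Winlogon\Notify\$name" $dll 'REVIEW: DLL file not found'
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        Add-Finding "Winlogon\Notify\$name" $path "signature: $($sig.Status)"
    }

    return $findings
}

# Usage: print the inventory; pipe to Export-Csv to keep a before/after record.
Get-WinlogonPersistence | Sort-Object Location | Format-Table Location, Status, Value -AutoSize
```

Two caveats when reading the output. On older Windows releases most Microsoft system DLLs are catalog-signed rather than carrying an embedded signature, so `Get-AuthenticodeSignature` can report `NotSigned` for legitimate `Notify` entries; treat the signature column as a prompt to check the file's path and vendor, not as a verdict. And the `Winlogon\Notify` mechanism is largely retired after Windows XP/2003, so on newer systems an empty list there is expected while the `Shell` and `AppInit_DLLs` checks remain relevant.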

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2009/12/06 18:47:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\503929488
    [2009/12/09 21:07:52 | 00,000,817 | ---- | M] () -- C:\WINDOWS\System32\742079991
    [2009/12/09 21:06:25 | 00,001,250 | -HS- | M] () -- C:\WINDOWS\System32\2087415207
    [2009/12/06 19:09:28 | 00,000,615 | ---- | M] () -- C:\WINDOWS\System32\r2Bsq6W.vbs
    [2009/12/06 19:08:25 | 00,000,615 | ---- | M] () -- C:\WINDOWS\System32\c3IWK.vbs
    [2009/12/06 19:03:27 | 00,000,615 | ---- | M] () -- C:\WINDOWS\System32\IMDls.vbs
    [2009/12/06 18:43:59 | 00,123,392 | ---- | M] () -- C:\WINDOWS\System32\infocardapi32.dll
    [2009/12/06 18:43:25 | 00,123,392 | ---- | M] () -- C:\WINDOWS\System32\dxva232.dll
    [2009/12/06 18:42:53 | 00,000,615 | ---- | M] () -- C:\WINDOWS\System32\Dxfk7.vbs
    [2009/12/09 21:08:20 | 00,000,930 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\Privacy-Components.lnk
    [2009/12/06 19:09:28 | 00,000,615 | ---- | C] () -- C:\WINDOWS\System32\r2Bsq6W.vbs
    [2009/12/06 19:08:25 | 00,000,615 | ---- | C] () -- C:\WINDOWS\System32\c3IWK.vbs
    [2009/12/06 19:03:27 | 00,000,615 | ---- | C] () -- C:\WINDOWS\System32\IMDls.vbs
    
    
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\WINDOWS\explorer.exe"=-
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  • 0

#15
fern_06

fern_06

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
When running OTL, there was a message in the middle saying error creating log file!. Also when I rebooted, I got an error saying windows can not find F:\OTL.exe. Make sure you typed the name correctly and then try again. After the computer finished rebooting, I got all these temp files on my desktop which I still have after running combofix. Here is my log:

ComboFix 09-12-11.05 - fch543 12/12/2009 14:12:27.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.632 [GMT -5:00]
Running from: d:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\503929488
c:\windows\system32\c3IWK.vbs
c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus
c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus\Rapid Antivirus.ini
c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus\spl.ini
c:\windows\system32\Dxfk7.vbs
c:\windows\system32\IMDls.vbs
c:\windows\system32\r2Bsq6W.vbs
c:\windows\system32\unrar.exe
C:\xcrashdump.dat
d:\documents and settings\Administrator\Application Data\0200000085c07932712C.manifest
d:\documents and settings\Administrator\Application Data\0200000085c07932712O.manifest
d:\documents and settings\Administrator\Application Data\0200000085c07932712P.manifest
d:\documents and settings\Administrator\Application Data\0200000085c07932712S.manifest
d:\documents and settings\Administrator\Application Data\PC

.
((((((((((((((((((((((((( Files Created from 2009-11-12 to 2009-12-12 )))))))))))))))))))))))))))))))
.

2009-12-06 23:50 . 2009-12-06 23:50 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-06 23:48 . 2009-12-09 02:52 -------- d-sh--w- c:\windows\system32\SysWoW32
2009-12-06 23:48 . 2009-12-06 23:49 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-12-06 23:48 . 2009-12-06 23:48 -------- d-----w- c:\windows\system32\LogFiles
2009-12-06 23:43 . 2009-12-06 23:43 123392 ----a-w- c:\windows\system32\infocardapi32.dll
2009-12-06 23:43 . 2009-12-06 23:43 123392 ----a-w- c:\windows\system32\dxva232.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 00:52 . 2009-01-07 03:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 00:49 . 2009-01-07 03:12 -------- d-----w- c:\program files\ERUNT
2009-12-12 00:25 . 2007-08-11 00:14 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2009-12-07 00:14 . 2009-06-21 18:09 -------- d-----w- d:\documents and settings\Administrator\Application Data\LimeWire
2009-12-03 21:14 . 2009-01-07 03:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-01-07 03:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 07:46 . 2004-12-07 22:37 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2005-04-14 19:20 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-05-23 23:50 17408 ------w- c:\windows\system32\corpol.dll
2009-10-27 01:55 . 2009-07-31 13:02 -------- d-----w- d:\documents and settings\Administrator\Application Data\Juniper Networks
2009-10-21 06:00 . 2005-04-14 19:20 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:00 . 2005-04-14 19:20 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 04:13 . 2004-09-13 17:43 41472 ----a-w- d:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 14:58 . 2005-04-14 19:20 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-05-23 23:50 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-05-23 23:50 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-05-23 23:50 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-03 14:17 . 2009-10-03 14:17 8673792 ----a-w- d:\documents and settings\All Users\Application Data\atscie.msi
2006-12-16 18:26 . 2006-12-16 18:26 1458 ----a-w- c:\program files\DOWNLOAD_INSTALL.LOG
2009-08-12 13:44 . 2007-09-22 16:36 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-08-12 13:44 . 2007-09-22 16:36 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-08-12 13:44 . 2007-09-22 16:36 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-08-12 13:44 . 2007-09-22 16:36 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-12-10 02:06 . 2009-12-10 02:06 122880 ----a-w- c:\program files\mozilla firefox\components\wsff.dll
2009-08-12 13:44 . 2007-09-22 16:36 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="c:\program files\Real\RealPlayer\realplay.exe" [2006-08-14 1003520]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-14 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-08 512000]
"TpShocks"="TpShocks.exe" [2004-03-26 102400]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-03-10 94208]
"TPKBDLED"="c:\windows\System32\TpScrLk.exe" [2002-10-09 40960]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 88363]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"sealmon"="c:\program files\SealedMedia\sealmon.exe" [2005-12-08 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-12-14 467240]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuNetworkPlaces"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-01-14 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-14 02:36 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2004-05-19 08:21 94208 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Documents and Settings\\Administrator\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7000:UDP"= 7000:UDP:129.105.223.0/255.255.255.128:enabled:NUTV - Channel Guide
"7070:UDP"= 7070:UDP:129.105.223.0/255.255.255.128:Enabled:NUTV - Video Streams
"3389:TCP"= 3389:TCP:*:disabled:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 NEOFLTR_650_14599;Juniper Networks TDI Filter Driver (NEOFLTR_650_14599);c:\windows\system32\drivers\NEOFLTR_650_14599.SYS [10/26/2009 8:56 PM 77608]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 55024]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [5/26/2004 3:40 PM 15360]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [5/28/2004 12:15 PM 12288]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 3:18 PM 169192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer powered by RCN
mSearch Bar = hxxp://www.mirarsearch.com/?useie5=1&q=
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0w39mi1n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-12 14:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-12-12 14:20:12
ComboFix-quarantined-files.txt 2009-12-12 19:19

Pre-Run: 792,248,320 bytes free
Post-Run: 758,448,128 bytes free

- - End Of File - - 089595FE706799D79CC240E4AEAB49BB
  • 0