Win32/Olmarik trojan removal [Solved]


  • This topic is locked

#1 toofeweyes (New Member, 7 posts)
First of all let me say that I'm brand new here and in need of help... sounds familiar I bet. I am not a great typist and I speak very little "computerese". That is not any kind of put down to those who speak it very well. I recently put ESET on my PC and shortly after it spotted the Win32/Olmarik trojan on my drive memory and tells me it cannot clean it. I've read some posts on this site that have had the same problem so I am hoping you can help straighten me out! I'm trying to learn more about the tech end of these wonderful machines and am very tired of spending way too much money having a repair shop fix these forever changing glitches.
I also wonder if you would recommend what I need to add to stop getting so many bugs, viruses, infections, trojans, cancers and any other maladies that seem to be everywhere on the net.
Thanks so much.
  • 0


#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi there, let's see what you have then. If you have any questions just shout :)

GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your post.

THEN

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

  • 0

#3 toofeweyes (Topic Starter, New Member, 7 posts)
here's the ark.txt

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-07 17:33:03
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\TONYS0~1.000\LOCALS~1\Temp\ugriykob.sys


---- System - GMER 1.0.15 ----

Code 839F2CD0 ZwEnumerateKey
Code 83C74298 ZwFlushInstructionCache
Code 839F3296 IofCallDriver
Code 83A01136 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37D5 5 Bytes JMP 839F329B
.text ntoskrnl.exe!IofCompleteRequest 804E3C06 5 Bytes JMP 83A0113B
PAGE ntoskrnl.exe!ZwFlushInstructionCache 8056E42A 5 Bytes JMP 83C7429C
PAGE ntoskrnl.exe!ZwEnumerateKey 805735A4 5 Bytes JMP 839F2CD4

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[324] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3492] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3492] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02C7000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3492] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 02C6000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3492] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02C8000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Modules - GMER 1.0.15 ----

Module \systemroot\PRAGMAbymbfgoidi\PRAGMAd.sys (*** hidden *** ) EE344000-EE366000 (139264 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\PRAGMAbymbfgoidi\PRAGMAd.sys (*** hidden *** ) [SYSTEM] PRAGMAbymbfgoidi <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAbymbfgoidi
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] \systemroot\PRAGMAbymbfgoidi\PRAGMAd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAbymbfgoidi\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAbymbfgoidi\[email protected] \systemroot\PRAGMAbymbfgoidi\PRAGMAd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAbymbfgoidi\[email protected] \systemroot\PRAGMAbymbfgoidi\PRAGMAc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAbymbfgoidi\[email protected] \\?\globalroot\systemroot\system32\PRAGMAsrcr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAbymbfgoidi\[email protected] \\?\globalroot\systemroot\system32\pragmaserf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAbymbfgoidi\[email protected] \\?\globalroot\systemroot\system32\pragmabbr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAbymbfgoidi (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] \systemroot\PRAGMAbymbfgoidi\PRAGMAd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAbymbfgoidi\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAbymbfgoidi\[email protected] \systemroot\PRAGMAbymbfgoidi\PRAGMAd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAbymbfgoidi\[email protected] \systemroot\PRAGMAbymbfgoidi\PRAGMAc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAbymbfgoidi\[email protected] \\?\globalroot\systemroot\system32\PRAGMAsrcr.dat
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAbymbfgoidi\[email protected] \\?\globalroot\systemroot\system32\pragmaserf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAbymbfgoidi\[email protected] \\?\globalroot\systemroot\system32\pragmabbr.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected] 893219CF8F71C293134256F48AA7681B992BB025D56DE3E3AF3E81529002343716DE4D876508007F81185D07A24DB74F7798F0C35863D240BA6AFD23
8F8B0F2241077A910869CB7243B6BE6B0F0EEC29D0C4F3A75D53D7FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEB
C9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6171C11EC38DE3DA6171C11EC38DE3DBA7FD869164D6794841153143313E5D73A415E5E45D8
983A82F5FC239FB978328613DDB80DD6021367E687C09088AA9D0A408912123A33F9359DF9BB68DFD4397D624A122B79377000A5E3CA5BA2B9DA700C1
AAECFBA0F1677AE6DD5028F1DE15B1B95F89EA3C17B7ED8684C68844D84AD87886FF1A669F3B586626D9C5CB6225BB2014AEF55485E0CAD2DA140B371
93F139DED11C2DD4FECFA479C0193F55F628C1E126616DC945BF755DEA1F99860668CCBC182961B6A4992CE7D20F9406606405A27066B313DF29A6B30
F7606415D2890D5C7A6BA49D85B65F46B471C26DF245D3F5124504A63C9DA0636692B2B2042F6F12C55169A92CF3CFC15427B687FF051483578506588
1850B84FD01FA057B9196BD22B308A4B2AC0711F32BA55494887E4CBF125B08CFD684708395BD210842F310ED0AE51820B26559D7D45C5CD9A4D4D09D
4A5CBAFD8A9BE586440465C0F19C774A517F6B90C4541E6BDEC699F4

---- EOF - GMER 1.0.15 ----

I'm having some trouble getting OTL to accept your list of files; still trying.
  • 0

#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hold off on the OTL at the moment. I will kill the rootkit, which should make things run a bit easier.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Drivers to delete:
PRAGMAbymbfgoidi

Files to delete:
C:\WINNT\PRAGMAbymbfgoidi\PRAGMAd.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

THEN

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0
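The GMER log in post #3 and the Avenger script in post #4 are two halves of one step: the hidden service name and driver path that GMER reports are exactly what the "Drivers to delete" and "Files to delete" lines target. The following Python is an example added here by the editor; it is not code from the original posts, from GMER or from The Avenger. It parses the GMER 1.0.15 sections that matter (kernel inline hooks, hidden modules, hidden services) using the line layout exactly as it appears in the posted ark.txt, checks whether any hook's JMP target falls inside a hidden module's image range, and drafts the Avenger script. The sample input is constructed from the log above; the regexes assume GMER's unquoted path layout shown there.

```python
"""Parse a GMER ark.txt and draft an Avenger removal script from it.

Added example for this thread, not code from the original posts, GMER or
The Avenger. Regexes follow GMER 1.0.15's line layout as posted above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the ark.txt posted in #3.
SAMPLE_ARK = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37D5 5 Bytes JMP 839F329B
.text ntoskrnl.exe!IofCompleteRequest 804E3C06 5 Bytes JMP 83A0113B
PAGE ntoskrnl.exe!ZwFlushInstructionCache 8056E42A 5 Bytes JMP 83C7429C
PAGE ntoskrnl.exe!ZwEnumerateKey 805735A4 5 Bytes JMP 839F2CD4

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3492] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 02C6000A

---- Modules - GMER 1.0.15 ----

Module \systemroot\PRAGMAbymbfgoidi\PRAGMAd.sys (*** hidden *** ) EE344000-EE366000 (139264 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\PRAGMAbymbfgoidi\PRAGMAd.sys (*** hidden *** ) [SYSTEM] PRAGMAbymbfgoidi <-- ROOTKIT !!!
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
# "<section> <image>!<function> <address> <n> Bytes JMP <target>"
HOOK_RE = re.compile(r"^(?:\.text|PAGE)\s+(?P<image>[^\s!]+)!(?P<func>\S+)\s+"
                     r"(?P<addr>[0-9A-F]+)\s+\d+ Bytes\s+JMP\s+(?P<target>[0-9A-F]+)")
HIDDEN_MODULE_RE = re.compile(r"^Module\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+"
                              r"(?P<start>[0-9A-F]+)-(?P<end>[0-9A-F]+)")
HIDDEN_SERVICE_RE = re.compile(r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+"
                               r"\[(?P<start_type>\w+)\]\s+(?P<name>\S+)")


@dataclass
class KernelHook:
    image: str    # e.g. ntoskrnl.exe
    func: str     # patched export, e.g. IofCallDriver
    addr: int     # address of the patched prologue
    target: int   # where the 5-byte JMP lands


@dataclass
class HiddenModule:
    path: str
    start: int
    end: int


@dataclass
class HiddenService:
    name: str        # registry key under ...\Services
    path: str        # driver image on disk
    start_type: str  # GMER's [BOOT]/[SYSTEM]/... tag


@dataclass
class ArkReport:
    hooks: list = field(default_factory=list)
    modules: list = field(default_factory=list)
    services: list = field(default_factory=list)


def parse_ark(text):
    """Walk the log section by section. Only kernel hooks and hidden
    modules/services are kept; user-mode hooks (AV and Firefox
    self-protection in this log) are deliberately ignored."""
    report, section = ArkReport(), ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section.startswith("Kernel code sections") and (m := HOOK_RE.match(line)):
            report.hooks.append(KernelHook(m["image"], m["func"],
                                           int(m["addr"], 16), int(m["target"], 16)))
        elif section.startswith("Modules") and (m := HIDDEN_MODULE_RE.match(line)):
            report.modules.append(HiddenModule(m["path"], int(m["start"], 16), int(m["end"], 16)))
        elif section.startswith("Services") and (m := HIDDEN_SERVICE_RE.match(line)):
            report.services.append(HiddenService(m["name"], m["path"], m["start_type"]))
    return report


def hooks_into_hidden_modules(report):
    """Pair each kernel hook with the hidden module whose image range holds
    its JMP target. Empty (as for this log) means the hooks jump into
    memory that GMER does not attribute to any listed image."""
    return [(h, mod) for h in report.hooks for mod in report.modules
            if mod.start <= h.target < mod.end]


def avenger_script(report):
    """Emit the 'Drivers to delete' / 'Files to delete' blocks in the
    layout The Avenger expects, one entry per hidden service."""
    drivers = sorted({s.name for s in report.services})
    files = sorted({s.path for s in report.services})
    return "\n".join(["Drivers to delete:", *drivers, "", "Files to delete:", *files]) + "\n"


if __name__ == "__main__":
    rep = parse_ark(SAMPLE_ARK)
    for h in rep.hooks:
        print(f"hook {h.image}!{h.func} @ {h.addr:08X} -> {h.target:08X}")
    print(avenger_script(rep))
```

Run as-is it prints the four ntoskrnl hooks and the same two-block script Essexboy posted. None of the hook targets (839F..., 83A0..., 83C7...) fall inside EE344000-EE366000, so the hooked code is in kernel memory that GMER does not tie to any listed image; that is consistent with the thread targeting the hidden service and its on-disk driver rather than the hook lines, which the caution in post #2 says not to act on directly.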

#5 toofeweyes (Topic Starter, New Member, 7 posts)
avenger.txt and combofix
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************
ComboFix 10-05-07.07 - tony 05/08/2010 12:05:16.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.440 [GMT -5:00]
Running from: c:\documents and settings\tony.S0027470697.000\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\fiosejgfse.dll
c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\tony.S0027470697.000\Application Data\Microsoft\Internet Explorer\Quick Launch\Digital Protection.lnk
c:\documents and settings\tony.S0027470697.000\Start Menu\Programs\Digital Protection
c:\documents and settings\tony.S0027470697.000\Start Menu\Programs\Digital Protection\About.lnk
c:\documents and settings\tony.S0027470697.000\Start Menu\Programs\Digital Protection\Activate.lnk
c:\documents and settings\tony.S0027470697.000\Start Menu\Programs\Digital Protection\Buy.lnk
c:\documents and settings\tony.S0027470697.000\Start Menu\Programs\Digital Protection\Digital Protection Support.lnk
c:\documents and settings\tony.S0027470697.000\Start Menu\Programs\Digital Protection\Digital Protection.lnk
c:\documents and settings\tony.S0027470697.000\Start Menu\Programs\Digital Protection\Scan.lnk
c:\documents and settings\tony.S0027470697.000\Start Menu\Programs\Digital Protection\Settings.lnk
c:\documents and settings\tony.S0027470697.000\Start Menu\Programs\Digital Protection\Update.lnk
c:\program files\Digital Protection
c:\program files\Digital Protection\about.ico
c:\program files\Digital Protection\activate.ico
c:\program files\Digital Protection\buy.ico
c:\program files\Digital Protection\dig.db
c:\program files\Digital Protection\help.ico
c:\program files\Digital Protection\scan.ico
c:\program files\Digital Protection\settings.ico
c:\program files\Digital Protection\splash.mp3
c:\program files\Digital Protection\update.ico
c:\program files\Digital Protection\virus.mp3
c:\winnt\PRAGMAbymbfgoidi
c:\winnt\PRAGMAbymbfgoidi\PRAGMAc.dll
c:\winnt\PRAGMAbymbfgoidi\PRAGMAcfg.ini
c:\winnt\system32\drivers\sgglwma.sys
c:\winnt\system32\pragmabbr.dll
c:\winnt\system32\pragmaserf.dll
c:\winnt\system32\PRAGMAsrcr.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_qvbzl
-------\Service_qvbzl


((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))
.

2010-05-07 20:33 . 2010-04-29 20:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-05-07 20:33 . 2010-05-07 20:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 20:33 . 2010-04-29 20:39 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-05-07 20:27 . 2010-05-07 20:27 -------- d-----w- c:\program files\ERUNT
2010-05-07 17:25 . 2010-05-07 17:25 -------- d-----w- c:\documents and settings\tony.S0027470697.000\Local Settings\Application Data\Threat Expert
2010-05-07 16:35 . 2010-05-07 19:23 -------- d-----w- c:\program files\Spyware Doctor
2010-05-07 16:34 . 2010-05-07 19:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-06 19:42 . 2010-05-06 19:42 -------- d-----w- c:\program files\iPod
2010-05-06 19:41 . 2010-05-06 19:43 -------- d-----w- c:\program files\iTunes
2010-05-06 19:28 . 2010-05-06 19:28 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-04 22:06 . 2010-05-04 22:06 -------- d-----w- c:\documents and settings\tony.S0027470697.000\GMArcade
2010-05-02 01:45 . 2010-05-02 01:45 552 ----a-w- c:\winnt\system32\d3d8caps.dat
2010-05-02 01:45 . 2010-05-02 02:49 664 ----a-w- c:\winnt\system32\d3d9caps.dat
2010-05-02 00:43 . 2010-05-02 00:43 -------- d-----w- c:\program files\KO Interactive
2010-05-01 22:17 . 2010-05-01 22:17 -------- d-----w- c:\documents and settings\tony.S0027470697.000\WINDOWS
2010-05-01 22:01 . 2010-05-01 22:01 -------- d-----w- c:\program files\THQ
2010-04-24 02:53 . 2010-04-24 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure
2010-04-23 16:29 . 2010-04-23 16:29 411368 ----a-w- c:\winnt\system32\deployJava1.dll
2010-04-17 01:02 . 2010-04-17 01:02 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-17 01:02 . 2010-04-17 01:02 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-17 01:02 . 2010-04-17 01:02 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-17 01:02 . 2010-04-17 01:02 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-17 01:02 . 2010-04-17 01:02 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-17 01:02 . 2010-04-17 01:02 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-17 01:02 . 2010-04-17 01:02 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-17 01:02 . 2010-04-17 01:02 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-17 01:02 . 2010-04-17 01:02 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-17 01:01 . 2010-04-17 01:01 -------- d-----w- c:\program files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 16:34 . 2006-04-08 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-07 05:42 . 2010-04-01 21:18 -------- d-----w- c:\documents and settings\tony.S0027470697.000\Application Data\Apple Computer
2010-05-06 19:42 . 2010-03-27 00:03 -------- d-----w- c:\program files\Common Files\Apple
2010-05-06 19:41 . 2010-03-27 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-05-02 20:49 . 2003-08-03 17:35 -------- d-----w- c:\program files\Maxis
2010-05-02 20:38 . 2002-07-08 18:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 20:38 . 2005-08-28 21:26 -------- d-----w- c:\program files\Disney Interactive
2010-04-28 21:41 . 2009-10-08 22:14 75 ----a-w- c:\documents and settings\tony.S0027470697.000\jagex_runescape_preferences2.dat
2010-04-28 21:41 . 2009-10-08 22:13 41 ----a-w- c:\documents and settings\tony.S0027470697.000\jagex_runescape_preferences.dat
2010-04-24 03:20 . 2002-07-08 18:10 -------- d-----w- c:\program files\PhoneTools
2010-04-24 03:00 . 2004-08-20 12:38 -------- d-----w- c:\program files\Sierra
2010-04-23 17:31 . 2008-09-25 19:29 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-23 17:29 . 2003-11-19 20:13 -------- d-----w- c:\program files\Google
2010-04-23 16:34 . 2007-10-04 22:27 -------- d-----w- c:\program files\Java
2010-04-17 01:02 . 2002-07-08 18:08 -------- d-----w- c:\program files\Common Files\Real
2010-04-17 01:02 . 2002-07-08 18:09 -------- d-----w- c:\program files\Real
2010-04-17 01:01 . 2003-06-16 17:29 499712 ----a-w- c:\winnt\system32\msvcp71.dll
2010-04-05 21:54 . 2010-04-05 21:54 -------- d-----w- c:\documents and settings\tony.S0027470697.000\Application Data\Uniblue
2010-04-05 21:00 . 2003-06-16 17:29 348160 ----a-w- c:\winnt\system32\msvcr71.dll
2010-04-04 21:23 . 2010-04-04 21:23 0 ----a-w- c:\documents and settings\tony.S0027470697.000\jagex__preferences3.dat
2010-04-01 21:17 . 2010-04-01 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-01 21:03 . 2002-12-02 03:26 -------- d-----w- c:\program files\QuickTime
2010-04-01 20:57 . 2010-04-01 20:57 -------- d-----w- c:\program files\Safari
2010-04-01 20:52 . 2010-04-01 20:52 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-30 17:33 . 2008-01-21 12:43 4592 ----a-w- c:\winnt\cplaptop9.dat
2010-03-27 14:57 . 2010-03-09 19:14 -------- d-----w- c:\documents and settings\tony.S0027470697.000\Application Data\SUPERAntiSpyware.com
2010-03-27 14:56 . 2010-03-09 19:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-27 02:50 . 2003-12-03 22:51 -------- d-----w- c:\program files\Lavasoft
2010-03-27 02:50 . 2007-09-20 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-27 00:03 . 2010-03-27 00:03 -------- d-----w- c:\program files\Apple Software Update
2010-03-27 00:03 . 2010-03-27 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-03-26 22:30 . 2010-03-26 22:30 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-03-26 20:38 . 2010-03-26 20:38 95024 ----a-w- c:\winnt\system32\drivers\SBREDrv.sys
2010-03-26 19:06 . 2009-08-24 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-26 16:09 . 2002-07-08 18:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-26 16:09 . 2004-08-17 00:47 -------- d-----w- c:\program files\Symantec
2010-03-14 08:49 . 2009-10-22 16:33 -------- d-----w- c:\documents and settings\tony.S0027470697.000\Application Data\vlc
2010-03-14 04:25 . 2009-08-24 02:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-14 04:24 . 2010-03-14 04:24 -------- d-----w- c:\documents and settings\tony.S0027470697.000\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-03-14 04:21 . 2007-10-04 22:26 -------- d-----w- c:\program files\Common Files\Java
2010-03-14 04:20 . 2010-03-14 04:20 503808 ----a-w- c:\documents and settings\tony.S0027470697.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3eab9ef9-n\msvcp71.dll
2010-03-14 04:20 . 2010-03-14 04:20 499712 ----a-w- c:\documents and settings\tony.S0027470697.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3eab9ef9-n\jmc.dll
2010-03-14 04:20 . 2010-03-14 04:20 348160 ----a-w- c:\documents and settings\tony.S0027470697.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3eab9ef9-n\msvcr71.dll
2010-03-14 04:20 . 2010-03-14 04:20 61440 ----a-w- c:\documents and settings\tony.S0027470697.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-706a7cd3-n\decora-sse.dll
2010-03-14 04:20 . 2010-03-14 04:20 12800 ----a-w- c:\documents and settings\tony.S0027470697.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-706a7cd3-n\decora-d3d.dll
2010-03-12 23:27 . 2010-03-01 23:56 -------- d-----w- c:\program files\ESET
2010-03-10 23:21 . 2003-12-03 22:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-10 23:21 . 2003-12-03 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-09 19:15 . 2010-03-09 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-05 21:53 . 2010-03-05 21:57 193362 ----a-w- c:\winnt\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat
2010-02-10 17:13 . 2010-03-26 22:30 165376 ----a-w- c:\winnt\system32\unrar.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 68856]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"GWMDMMSG"="GWMDMMSG.exe" [2002-03-06 101611]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-17 202256]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\winnt\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\winnt\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=c:\winnt\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINNT\\system32\\sessmgr.exe"=
"c:\\Program Files\\ubi.com\\Core\\GS4.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINNT\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:*:Disabled:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:*:Disabled:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 ehdrv;ehdrv;c:\winnt\system32\drivers\ehdrv.sys [11/16/2009 10:03 AM 108792]
R1 epfwtdir;epfwtdir;c:\winnt\system32\drivers\epfwtdir.sys [11/16/2009 10:06 AM 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [11/16/2009 9:04 AM 735960]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/11/2010 12:48 PM 135664]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 6:42 AM 64000]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\winnt\system32\drivers\ScreamingBAudio.sys --> c:\winnt\system32\drivers\ScreamingBAudio.sys [?]
S4 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
*NewlyCreated* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2005-01-30 c:\winnt\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8090275553.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]

2010-05-08 c:\winnt\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 01:04]

2010-05-08 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 17:48]

2010-05-08 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 17:48]

2010-05-08 c:\winnt\Tasks\RealUpgradeLogonTaskS-1-5-21-3253555194-248915221-3852222622-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-05-08 c:\winnt\Tasks\RealUpgradeScheduledTaskS-1-5-21-3253555194-248915221-3852222622-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\
FF - prefs.js: browser.search.selectedEngine - Answers.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-OODefragTray - c:\winnt\system32\oodtray.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 12:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="893219CF8F71C293134256F48AA7681B992BB025D56DE3E3AF3E81529002343716DE4D876508007F81185D07A24DB74F7798F0C35863D240BA6
AFD238F8B0F2241077A910869CB7243B6BE6B0F0EEC29D0C4F3A75D53D7FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC7
4CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6171C11EC38DE3DA6171C11EC38DE3DBA7FD869164D6794841153143313E5D73A415E5
E45D8983A82F5FC239FB978328613DDB80DD6021367E687C09088AA9D0A408912123A33F9359DF9BB68DFD4397D624A122B79377000A5E3CA5BA2B9DA
700C1AAECFBA0F1677AE6DD5028F1DE15B1B95F89EA3C17B7ED8684C68844D84AD87886FF1A669F3B586626D9C5CB6225BB2014AEF55485E0CAD2DA14
0B37193F139DED11C2DD4FECFA479C0193F55F628C1E126616DC945BF755DEA1F99860668CCBC182961B6A4992CE7D20F9406606405A27066B313DF29
A6B30F7606415D2890D5C7A6BA49D85B65F46B471C26DF245D3F5124504A63C9DA0636692B2B2042F6F12C55169A92CF3CFC15427B687FF0514835785
065881850B84FD01FA057B9196BD22B308A4B2AC0711F32BA55494887E4CBF125B08CFD684708395BD210842F310ED0AE51820B26559D7D45C5CD9A4D
4D09D4A5CBAFD8A9BE586440465C0F19C774A517F6B90C4541E6BDEC699F4D15CEA6970AABB57ABD42F8C50FD2D1B75BC55FB9D65A783999E195C1644
3D738F14C9EE5EF9667AA7207E6866EA68BD01A56ED523BAB49124376898C46A891A91EB7B29F59A89322BA59E18269C2A4A22238806A79F23B8B86D4
E6D48D47EB62F49DE6D8AAD2870F2A9571C9EC7941E762403FAEA708DF0DC9E31285999A8A97F91982582DD79B147CAF5DA1CB7685CE6B541480421AC
EF11BA0B93B317795F1CFDD929A0FCEA4468F2B3203BCB59B7B7771ABF4282A230C289B4ACA7B04B90E402E66CC62A582AF642543995B863084DF2478
D61D8E7A9DC6787739843B25FDB76513D41A9994CF224B2346240FF5742312B123C770F75FECEEB8C1BDEA8A46C76F6F4A92403E17915E2D1EFAC7234
A64F1D10C34CD41FDB84C49D2FA38A4DFA44F99F607016AEB21367CE824FD6F7AEA0E95F5D1F70398E8F1A98E7497AC372798705B1A960529E1BD7423
CCD09A6A21C7007A73956A43E0D0994B465462AECC75182B51137D1C0BEFB8FD81B7E476961056E6D1A0AA86A9742494F10E8B9AB623F74E14D74A867
5E2325DB4F894EB7D6E243E0666F85DED781128DB366C44A8F2BE5F329D621E203A0FD9BDB2F3902E8037B41187123AFE0B7278CA9554678C4AD9ADDB
F0C30FABB2C0BFD6554F98A173A03457FA34FD4F72192D6DC40FB6EF217F3EA6B06FF4DE18FA901EA4F7B0F68AB6DA9D0B210377861D9FD1B37457"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4056)
c:\winnt\system32\WININET.dll
c:\winnt\system32\IEFRAME.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\winnt\System32\NMSSvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\winnt\GWMDMMSG.exe
c:\program files\iPod\bin\iPodService.exe
c:\winnt\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-08 12:26:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-08 17:26
ComboFix2.txt 2010-03-25 15:41
ComboFix3.txt 2010-03-09 18:53

Pre-Run: 57,300,258,816 bytes free
Post-Run: 57,210,236,928 bytes free

- - End Of File - - 76E9683BB64DEA99094CDAFAC7458CC8

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "PRAGMAbymbfgoidi" deleted successfully.
File "C:\WINNT\PRAGMAbymbfgoidi\PRAGMAd.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Edited by toofeweyes, 08 May 2010 - 11:30 AM.

  • 0

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, looks better :) Can you let me know of any problems on completion, please?

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

THEN

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

  • 0

#7
toofeweyes

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4076

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/8/2010 1:27:43 PM
mbam-log-2010-05-08 (13-27-43).txt

Scan type: Quick scan
Objects scanned: 152970
Time elapsed: 9 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL logfile created on: 5/8/2010 1:56:50 PM - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\tony.S0027470697.000\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

766.00 Mb Total Physical Memory | 417.00 Mb Available Physical Memory | 54.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 1150 1300 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 53.30 Gb Free Space | 71.52% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: S0027470697
Current User Name: tony
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/08 13:48:49 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\tony.S0027470697.000\Desktop\OTL.exe
PRC - [2010/04/16 20:01:14 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2009/11/16 09:04:30 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2009/11/16 09:03:32 | 002,054,360 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2008/06/10 04:27:04 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2007/04/02 01:15:40 | 000,061,440 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTDevSrv.exe
PRC - [2005/03/23 18:26:09 | 000,217,088 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\point32.exe
PRC - [2003/08/22 02:24:08 | 000,426,098 | ---- | M] (Executive Software International, Inc.) -- C:\Program Files\Executive Software\Diskeeper\DkService.exe
PRC - [2002/05/03 12:36:24 | 001,118,208 | ---- | M] (Intel Corporation) -- C:\WINNT\system32\NMSSvc.Exe
PRC - [2002/03/06 10:08:36 | 000,101,611 | ---- | M] (GTW) -- C:\WINNT\GWMDMMSG.exe


========== Modules (SafeList) ==========

MOD - [2010/05/08 13:48:49 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\tony.S0027470697.000\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (PictureTaker)
SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/11/16 09:12:54 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/11/16 09:04:30 | 000,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2008/05/21 06:42:56 | 000,064,000 | ---- | M] (Creative Technology Ltd) [On_Demand | Stopped] -- C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe -- (CTUPnPSv)
SRV - [2007/04/02 01:15:40 | 000,061,440 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTDevSrv.exe -- (CTDevice_Srv)
SRV - [2005/03/30 17:46:56 | 000,411,920 | ---- | M] (Eastman Kodak Company) [On_Demand | Stopped] -- C:\WINNT\system32\drivers\KodakCCS.exe -- (KodakCCS)
SRV - [2003/08/22 02:24:08 | 000,426,098 | ---- | M] (Executive Software International, Inc.) [Auto | Running] -- C:\Program Files\Executive Software\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2003/03/09 15:31:02 | 000,065,795 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINNT\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/02/08 14:10:57 | 000,052,736 | ---- | M] (Macrovision) [Disabled | Stopped] -- C:\WINNT\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
SRV - [2002/05/03 12:36:24 | 001,118,208 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\WINNT\system32\NMSSvc.Exe -- (NMSSvc) Intel®


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2009/11/16 10:06:50 | 000,096,408 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINNT\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2009/11/16 10:03:36 | 000,108,792 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINNT\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009/11/16 09:56:12 | 000,116,520 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINNT\system32\drivers\eamon.sys -- (eamon)
DRV - [2005/06/16 15:41:02 | 000,037,150 | ---- | M] (Eastman Kodak Company) [Kernel | System | Running] -- C:\WINNT\system32\drivers\DcCam.sys -- (DcCam)
DRV - [2005/03/31 09:00:08 | 000,152,081 | ---- | M] (Eastman Kodak Company) [Kernel | System | Stopped] -- C:\WINNT\system32\drivers\ExportIt.sys -- (Exportit)
DRV - [2005/03/31 08:47:56 | 000,070,262 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\DcPtp.sys -- (DcPTP)
DRV - [2005/03/31 08:47:50 | 000,008,022 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\DcLps.sys -- (DcLps)
DRV - [2005/03/31 08:47:48 | 000,038,673 | ---- | M] (Eastman Kodak Company) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\DCFS2k.sys -- (DCFS2K)
DRV - [2005/03/31 08:47:42 | 000,061,564 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\DcFpoint.sys -- (DcFpoint)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINNT\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/04 00:29:54 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/02/08 14:10:54 | 000,011,376 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\CdaC15BA.SYS -- (CdaC15BA)
DRV - [2002/05/03 12:36:44 | 000,009,868 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\NMSCFG.SYS -- (NMSCFG)
DRV - [2002/04/11 22:21:38 | 000,013,335 | R--- | M] (Microsystems Corp) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\usbcm.sys -- (usbcm)
DRV - [2002/03/06 10:08:34 | 001,167,936 | ---- | M] (GTW) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\GWMDM.sys -- (GTWModem)
DRV - [2002/02/28 08:47:04 | 000,233,984 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINNT\system32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/02/28 08:47:04 | 000,110,278 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\system32\drivers\pwd_2K.sys -- (pwd_2K)
DRV - [2002/02/28 08:47:04 | 000,024,918 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2002/02/28 08:47:04 | 000,024,502 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/02/28 08:47:00 | 000,057,136 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2002/02/28 08:47:00 | 000,023,721 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINNT\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2002/01/23 13:59:24 | 000,206,208 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINNT\system32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINNT\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:28:00 | 000,871,388 | ---- | M] (BCM) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\BCMDM.sys -- (BCMModem)
DRV - [2001/08/17 12:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\nv4.sys -- (nv4)
DRV - [2001/08/17 12:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2001/08/17 12:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Answers.com"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.9.2
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.8
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.2
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.3
FF - prefs.js..extensions.enabledItems: [email protected]:4.0.3
FF - prefs.js..extensions.enabledItems: {53A03D43-5363-4669-8190-99061B2DEBA5}:1.3.7
FF - prefs.js..extensions.enabledItems: {5C46D283-ABDE-4dce-B83C-08881401921C}:2.0.2
FF - prefs.js..extensions.enabledItems: {FBF6D7FB-F305-4445-BB3D-FEF66579A033}:4.9
FF - prefs.js..extensions.enabledItems: {1f91cde0-c040-11da-a94d-0800200c9a66}:3.0.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2008/11/17 02:26:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/04/16 20:02:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/16 20:02:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/23 11:29:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010/04/23 11:32:19 | 000,000,000 | ---D | M]

[2009/10/07 15:15:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Extensions
[2010/05/07 15:26:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\extensions
[2010/04/16 20:32:07 | 000,000,000 | ---D | M] (RSS Ticker) -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\extensions\{1f91cde0-c040-11da-a94d-0800200c9a66}
[2010/03/12 21:47:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/05 16:50:04 | 000,000,000 | ---D | M] (ScrapBook) -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}
[2010/04/25 09:03:30 | 000,000,000 | ---D | M] (Google Shortcuts) -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\extensions\{5C46D283-ABDE-4dce-B83C-08881401921C}
[2010/04/16 19:53:17 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/03/15 13:23:36 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/16 21:03:55 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/03/14 11:53:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010/03/12 18:52:24 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2010/04/16 20:32:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
[2010/04/05 16:50:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Mozilla\Firefox\Profiles\omeg6iys.default\extensions\[email protected]
[2010/05/07 15:26:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/23 11:29:50 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2008/06/18 01:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2010/04/23 11:29:10 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/05/08 12:17:46 | 000,000,027 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [GWMDMMSG] C:\WINNT\GWMDMMSG.exe (GTW)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\AutorunsDisabled: wininet.dll = regperf.exe
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINNT\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} http://myitlab.pears...ces/ax/stub.cab (Enlite 2.x Simulation Engine Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.115.71.53 24.213.60.93 24.196.64.53
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINNT\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINNT\webshots.bmp
O24 - Desktop BackupWallPaper: C:\WINNT\webshots.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/07/08 13:28:12 | 000,000,004 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (OODBS) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINNT\system32\ias [2010/05/08 12:17:07 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: Ip6FwHlp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/08 13:49:10 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\tony.S0027470697.000\Desktop\OTL.exe
[2010/05/08 13:47:39 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/08 11:51:27 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/05/07 15:33:24 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/05/07 15:33:22 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/05/07 15:33:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/07 15:27:07 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/07 12:25:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\Local Settings\Application Data\Threat Expert
[2010/05/07 11:38:05 | 001,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\WINNT\PCTBDCore.dll.old
[2010/05/07 11:35:06 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/05/07 11:34:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/06 14:42:17 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/05/06 14:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/05/06 14:34:09 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/05/04 17:06:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\GMArcade
[2010/05/01 19:43:53 | 000,000,000 | ---D | C] -- C:\Program Files\KO Interactive
[2010/05/01 17:17:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\WINDOWS
[2010/05/01 17:01:54 | 000,000,000 | ---D | C] -- C:\Program Files\THQ
[2010/04/23 21:53:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2010/04/16 20:01:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2010/04/05 16:54:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Uniblue
[2010/04/05 11:37:19 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\tony.S0027470697.000\Recent
[2010/04/01 16:18:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Apple Computer
[2010/04/01 16:15:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/01 15:57:08 | 000,000,000 | ---D | C] -- C:\Program Files\Safari
[2010/03/26 19:05:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/03/26 19:03:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2010/03/26 19:03:06 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/03/26 19:03:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2010/03/26 17:30:10 | 000,000,000 | ---D | C] -- C:\Program Files\K-Lite Codec Pack
[2010/03/26 15:38:29 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINNT\System32\drivers\SBREDrv.sys
[2010/03/25 10:41:56 | 000,000,000 | ---D | C] -- C:\WINNT\temp
[2010/03/15 12:32:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\dwhelper
[2010/03/14 14:45:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\My Documents\iMacros
[2010/03/13 23:43:46 | 000,000,000 | ---D | C] -- C:\WINNT\System32\Adobe
[2010/03/13 23:24:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/03/13 23:21:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/03/11 14:24:36 | 000,116,224 | ---- | C] (Xerox) -- C:\WINNT\System32\dllcache\xrxwiadr.dll
[2010/03/11 14:19:28 | 000,149,376 | ---- | C] (M-Systems) -- C:\WINNT\System32\dllcache\tffsport.sys
[2010/03/11 14:15:39 | 000,029,696 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINNT\System32\dllcache\rw450ext.dll
[2010/03/11 14:15:38 | 000,027,648 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINNT\System32\dllcache\rw430ext.dll
[2010/03/11 14:15:20 | 000,079,104 | ---- | C] (Comtrol Corporation) -- C:\WINNT\System32\dllcache\rocket.sys
[2010/03/11 14:04:50 | 000,028,288 | ---- | C] (Gemplus) -- C:\WINNT\System32\dllcache\grserial.sys
[2010/03/11 14:00:46 | 000,249,856 | ---- | C] (Comtrol® Corporation) -- C:\WINNT\System32\dllcache\ctmasetp.dll
[2010/03/09 19:55:49 | 000,000,000 | ---D | C] -- C:\WINNT\System32\oodag
[2010/03/09 18:46:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\My Documents\O&O
[2010/03/09 14:15:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/03/09 14:14:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\Application Data\SUPERAntiSpyware.com
[2010/03/09 14:14:12 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/03/09 13:37:30 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/09 13:35:21 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe
[2010/03/09 13:35:16 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe
[2010/03/09 13:35:15 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe
[2010/03/09 13:35:14 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe
[2010/03/09 13:30:02 | 000,000,000 | ---D | C] -- C:\WINNT\ERDNT
[2010/03/09 13:29:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/09 12:11:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Malwarebytes
[2010/03/09 12:11:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/05 13:38:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\Application Data\MSN6
[2010/03/05 12:57:25 | 000,000,000 | ---D | C] -- C:\PFiles
[2010/03/01 19:12:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\tony.S0027470697.000\Local Settings\Application Data\ESET
[2010/03/01 19:00:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2010/03/01 18:56:44 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/03/01 18:56:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/02/10 00:33:02 | 000,000,000 | ---D | C] -- C:\indhub_filez

========== Files - Modified Within 90 Days ==========

[2010/05/08 13:48:49 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\tony.S0027470697.000\Desktop\OTL.exe
[2010/05/08 13:13:55 | 000,000,284 | ---- | M] () -- C:\WINNT\tasks\RealUpgradeScheduledTaskS-1-5-21-3253555194-248915221-3852222622-1006.job
[2010/05/08 13:13:55 | 000,000,276 | ---- | M] () -- C:\WINNT\tasks\RealUpgradeLogonTaskS-1-5-21-3253555194-248915221-3852222622-1006.job
[2010/05/08 13:05:11 | 000,000,886 | ---- | M] () -- C:\WINNT\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/08 12:35:32 | 000,000,868 | ---- | M] () -- C:\WINNT\tasks\Google Software Updater.job
[2010/05/08 12:18:13 | 000,000,182 | ---- | M] () -- C:\WINNT\system.ini
[2010/05/08 12:17:46 | 000,000,027 | ---- | M] () -- C:\WINNT\System32\drivers\etc\hosts
[2010/05/08 12:17:33 | 000,002,206 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2010/05/08 12:17:31 | 000,000,882 | ---- | M] () -- C:\WINNT\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/08 12:16:45 | 000,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2010/05/08 12:16:42 | 000,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2010/05/08 12:15:40 | 003,407,872 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\ntuser.dat
[2010/05/08 12:15:40 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\tony.S0027470697.000\ntuser.ini
[2010/05/08 11:58:57 | 003,684,271 | R--- | M] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\ComboFix.exe
[2010/05/08 11:34:39 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\avenger.zip
[2010/05/08 11:11:29 | 000,000,488 | ---- | M] () -- C:\hpfr5550.xml
[2010/05/07 17:17:01 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\gmer.zip
[2010/05/07 15:33:26 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/07 15:27:08 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\NTREGOPT.lnk
[2010/05/07 15:27:08 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\ERUNT.lnk
[2010/05/06 14:43:10 | 000,001,800 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/06 11:15:02 | 000,000,284 | ---- | M] () -- C:\WINNT\tasks\AppleSoftwareUpdate.job
[2010/05/02 16:01:18 | 001,044,610 | -H-- | M] () -- C:\Documents and Settings\tony.S0027470697.000\Local Settings\Application Data\IconCache.db
[2010/05/02 15:38:52 | 000,001,584 | ---- | M] () -- C:\WINNT\disney.ini
[2010/05/02 11:23:34 | 000,000,447 | ---- | M] () -- C:\WINNT\win.ini
[2010/05/02 11:16:49 | 000,000,372 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\My Documents\spider.sav
[2010/05/01 21:49:55 | 000,000,664 | ---- | M] () -- C:\WINNT\System32\d3d9caps.dat
[2010/05/01 20:45:52 | 000,000,552 | ---- | M] () -- C:\WINNT\System32\d3d8caps.dat
[2010/05/01 17:53:22 | 000,211,968 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\My Documents\awsome slide.ppt
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/04/28 16:41:58 | 000,000,075 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\jagex_runescape_preferences2.dat
[2010/04/28 16:41:58 | 000,000,041 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\jagex_runescape_preferences.dat
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINNT\PEV.exe
[2010/04/23 22:20:25 | 000,000,015 | ---- | M] () -- C:\WINNT\wgedit.ini
[2010/04/16 20:01:18 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINNT\System32\pncrt.dll
[2010/04/04 16:23:13 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\jagex__preferences3.dat
[2010/03/30 12:33:01 | 000,004,592 | ---- | M] () -- C:\WINNT\cplaptop9.dat
[2010/03/30 11:31:14 | 007,426,545 | ---- | M] () -- C:\WINNT\Slideshw.ini
[2010/03/26 15:38:20 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINNT\System32\drivers\SBREDrv.sys
[2010/03/26 15:30:50 | 000,014,282 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\My Documents\cc_20100326_153046.reg
[2010/03/14 04:22:56 | 000,001,526 | ---- | M] () -- C:\WINNT\Mpcwty02.ini
[2010/03/11 16:16:08 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/03/10 13:31:08 | 000,000,323 | ---- | M] () -- C:\WINNT\wininit.ini
[2010/03/10 12:02:41 | 000,000,000 | ---- | M] () -- C:\WINNT\oodcnt.INI
[2010/03/09 13:37:38 | 000,000,278 | --S- | M] () -- C:\boot.ini
[2010/02/17 01:13:40 | 000,001,827 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\My Documents\CoPilot Truck - Laptop 9 User Guide.lnk
[2010/02/17 01:13:40 | 000,001,827 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\CoPilot Truck - Laptop 9 User Guide.lnk
[2010/02/17 01:11:16 | 000,001,776 | ---- | M] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\CoPilot Truck - Laptop 9.lnk
[2010/02/10 12:13:48 | 000,165,376 | ---- | M] () -- C:\WINNT\System32\unrar.dll

========== Files Created - No Company Name ==========

[2010/05/08 11:58:57 | 003,684,271 | R--- | C] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\ComboFix.exe
[2010/05/08 11:34:39 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\avenger.zip
[2010/05/07 17:17:25 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\gmer.zip
[2010/05/07 15:33:26 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/07 15:27:08 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\NTREGOPT.lnk
[2010/05/07 15:27:08 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\ERUNT.lnk
[2010/05/06 14:43:10 | 000,001,800 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/01 20:45:52 | 000,000,552 | ---- | C] () -- C:\WINNT\System32\d3d8caps.dat
[2010/05/01 20:45:45 | 000,000,664 | ---- | C] () -- C:\WINNT\System32\d3d9caps.dat
[2010/05/01 17:47:52 | 000,211,968 | ---- | C] () -- C:\Documents and Settings\tony.S0027470697.000\My Documents\awsome slide.ppt
[2010/05/01 16:56:19 | 000,000,372 | ---- | C] () -- C:\Documents and Settings\tony.S0027470697.000\My Documents\spider.sav
[2010/04/23 22:20:25 | 000,000,015 | ---- | C] () -- C:\WINNT\wgedit.ini
[2010/04/05 16:02:07 | 000,000,276 | ---- | C] () -- C:\WINNT\tasks\RealUpgradeLogonTaskS-1-5-21-3253555194-248915221-3852222622-1006.job
[2010/04/05 16:02:06 | 000,000,284 | ---- | C] () -- C:\WINNT\tasks\RealUpgradeScheduledTaskS-1-5-21-3253555194-248915221-3852222622-1006.job
[2010/04/04 16:23:13 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\tony.S0027470697.000\jagex__preferences3.dat
[2010/03/29 14:27:28 | 000,001,827 | ---- | C] () -- C:\Documents and Settings\tony.S0027470697.000\My Documents\CoPilot Truck - Laptop 9 User Guide.lnk
[2010/03/26 19:03:12 | 000,000,284 | ---- | C] () -- C:\WINNT\tasks\AppleSoftwareUpdate.job
[2010/03/26 17:30:19 | 000,165,376 | ---- | C] () -- C:\WINNT\System32\unrar.dll
[2010/03/26 15:30:48 | 000,014,282 | ---- | C] () -- C:\Documents and Settings\tony.S0027470697.000\My Documents\cc_20100326_153046.reg
[2010/03/11 16:16:08 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/03/11 14:24:34 | 000,018,944 | ---- | C] () -- C:\WINNT\System32\dllcache\xrxscnui.dll
[2010/03/11 12:48:57 | 000,000,886 | ---- | C] () -- C:\WINNT\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/11 12:48:56 | 000,000,882 | ---- | C] () -- C:\WINNT\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/10 12:02:41 | 000,000,000 | ---- | C] () -- C:\WINNT\oodcnt.INI
[2010/03/09 13:37:38 | 000,000,208 | ---- | C] () -- C:\Boot.bak
[2010/03/09 13:37:34 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/09 13:35:21 | 000,077,312 | ---- | C] () -- C:\WINNT\MBR.exe
[2010/03/09 13:35:17 | 000,256,512 | ---- | C] () -- C:\WINNT\PEV.exe
[2010/03/09 13:35:16 | 000,098,816 | ---- | C] () -- C:\WINNT\sed.exe
[2010/03/09 13:35:16 | 000,080,412 | ---- | C] () -- C:\WINNT\grep.exe
[2010/03/09 13:35:16 | 000,068,096 | ---- | C] () -- C:\WINNT\zip.exe
[2010/03/03 23:51:13 | 003,407,872 | ---- | C] () -- C:\Documents and Settings\tony.S0027470697.000\ntuser.dat
[2010/02/17 01:13:40 | 000,001,827 | ---- | C] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\CoPilot Truck - Laptop 9 User Guide.lnk
[2010/02/17 01:11:16 | 000,001,776 | ---- | C] () -- C:\Documents and Settings\tony.S0027470697.000\Desktop\CoPilot Truck - Laptop 9.lnk
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINNT\System32\OGACheckControl.dll
[2008/01/04 20:50:41 | 000,185,344 | ---- | C] () -- C:\WINNT\patchw32.dll
[2006/05/20 00:41:44 | 000,000,020 | ---- | C] () -- C:\WINNT\InfModM.ini
[2006/05/04 20:55:00 | 000,027,136 | ---- | C] () -- C:\WINNT\System32\VERMONT1.DLL
[2006/05/04 20:55:00 | 000,012,416 | ---- | C] () -- C:\WINNT\System32\VRX1.DLL
[2006/05/04 20:54:59 | 000,107,520 | ---- | C] () -- C:\WINNT\System32\SIMANT.DLL
[2006/03/20 14:25:53 | 000,000,055 | ---- | C] () -- C:\WINNT\VistaEmail.ini
[2006/03/01 13:31:19 | 000,000,026 | ---- | C] () -- C:\WINNT\DfrgUIEx.INI
[2006/01/27 19:28:24 | 000,000,000 | ---- | C] () -- C:\WINNT\Webspace.INI
[2005/07/12 13:31:16 | 000,204,800 | ---- | C] () -- C:\WINNT\System32\KPDVS.dll
[2005/02/27 16:32:20 | 000,000,032 | ---- | C] () -- C:\WINNT\AuthMgr.INI
[2004/10/11 21:03:49 | 000,000,000 | ---- | C] () -- C:\WINNT\hpqEmlsz.INI
[2004/08/12 19:03:04 | 000,000,045 | ---- | C] () -- C:\WINNT\iltwain.ini
[2004/08/12 17:21:21 | 000,000,018 | ---- | C] () -- C:\WINNT\cnc.ini
[2004/08/12 17:03:07 | 000,000,000 | ---- | C] () -- C:\WINNT\PROTOCOL.INI
[2004/07/22 20:23:08 | 000,000,021 | ---- | C] () -- C:\WINNT\PI4_setup.ini
[2004/07/22 20:04:36 | 000,000,021 | ---- | C] () -- C:\WINNT\PMK_setup.ini
[2004/06/16 17:09:45 | 000,000,011 | ---- | C] () -- C:\WINNT\ka.ini
[2004/05/31 10:36:52 | 000,000,482 | ---- | C] () -- C:\WINNT\hegames.ini
[2004/04/20 23:09:52 | 000,000,155 | ---- | C] () -- C:\WINNT\sb_affiliate.ini
[2004/04/20 09:36:02 | 000,000,400 | ---- | C] () -- C:\WINNT\System32\master.dll
[2004/04/11 09:22:39 | 000,000,323 | ---- | C] () -- C:\WINNT\wininit.ini
[2004/02/07 16:25:19 | 000,000,048 | ---- | C] () -- C:\WINNT\PerWin.ini
[2003/12/04 10:43:15 | 000,363,520 | ---- | C] () -- C:\WINNT\System32\psisdecd.dll
[2003/12/03 19:03:44 | 000,071,749 | ---- | C] () -- C:\WINNT\HCExtOutput.dll
[2003/12/03 19:03:44 | 000,000,823 | ---- | C] () -- C:\WINNT\TSC.ini
[2003/12/03 19:03:10 | 000,000,170 | ---- | C] () -- C:\WINNT\GetServer.ini
[2003/09/14 20:57:46 | 000,000,069 | ---- | C] () -- C:\WINNT\System32\msrev0.dll
[2003/05/17 22:35:48 | 000,172,128 | ---- | C] () -- C:\WINNT\msview.ini
[2003/04/26 16:20:33 | 000,000,002 | ---- | C] () -- C:\WINNT\msoffice.ini
[2003/03/14 23:28:37 | 000,458,752 | ---- | C] () -- C:\WINNT\GoogleToolbar_en_1.1.70-big.dll
[2003/03/09 15:31:04 | 000,561,152 | ---- | C] () -- C:\WINNT\System32\hpotscl.dll
[2003/02/08 14:18:33 | 000,001,526 | ---- | C] () -- C:\WINNT\Mpcwty02.ini
[2003/02/08 14:10:57 | 000,202,752 | ---- | C] () -- C:\WINNT\CDAC14BA.DLL
[2003/02/08 14:10:55 | 000,011,376 | ---- | C] () -- C:\WINNT\System32\drivers\CdaC15BA.SYS
[2003/02/05 20:10:54 | 000,000,064 | ---- | C] () -- C:\WINNT\QBWCD.INI
[2002/12/27 19:30:57 | 000,021,840 | ---- | C] () -- C:\WINNT\System32\SIntfNT.dll
[2002/12/27 19:30:57 | 000,017,212 | ---- | C] () -- C:\WINNT\System32\SIntf32.dll
[2002/12/09 23:16:26 | 007,426,545 | ---- | C] () -- C:\WINNT\Slideshw.ini
[2002/11/30 23:38:16 | 000,000,063 | ---- | C] () -- C:\WINNT\SANTAS~1.ini
[2002/10/24 08:54:18 | 000,000,171 | ---- | C] () -- C:\WINNT\INTUIT.INI
[2002/10/24 08:10:34 | 000,000,185 | ---- | C] () -- C:\WINNT\intuprof.ini
[2002/10/24 08:10:06 | 000,000,924 | ---- | C] () -- C:\WINNT\QUICKEN.INI
[2002/10/23 19:15:24 | 000,001,584 | ---- | C] () -- C:\WINNT\disney.ini
[2002/10/04 23:15:18 | 000,024,368 | ---- | C] () -- C:\WINNT\cdplayer.ini
[2002/09/26 21:04:30 | 000,000,594 | ---- | C] () -- C:\WINNT\WSST_Screen_Saver.ini
[2002/09/18 18:21:27 | 000,000,021 | ---- | C] () -- C:\WINNT\progman.ini
[2002/09/15 19:23:26 | 000,306,688 | ---- | C] () -- C:\WINNT\System32\LFFPX7.DLL
[2002/09/15 19:23:26 | 000,095,232 | ---- | C] () -- C:\WINNT\System32\LFKODAK.DLL
[2002/09/15 19:22:53 | 000,044,544 | ---- | C] () -- C:\WINNT\System32\gif89.dll
[2002/09/15 19:19:09 | 000,000,062 | ---- | C] () -- C:\WINNT\SIERRA.INI
[2002/07/08 13:33:15 | 000,000,061 | ---- | C] () -- C:\WINNT\smscfg.ini
[2002/07/08 13:13:58 | 000,377,600 | ---- | C] () -- C:\WINNT\System32\BOCOLE.DLL
[2002/07/08 13:13:58 | 000,167,456 | ---- | C] () -- C:\WINNT\System32\Bocof.dll
[2002/07/08 13:13:58 | 000,004,051 | ---- | C] () -- C:\WINNT\unwise32.ini
[2002/07/08 13:13:58 | 000,004,051 | ---- | C] () -- C:\WINNT\unwise.ini
[2002/07/08 13:13:34 | 000,000,370 | ---- | C] () -- C:\WINNT\ODBC.INI
[2002/07/08 13:09:21 | 000,069,632 | ---- | C] () -- C:\WINNT\System32\PROInst.dll
[2002/07/08 13:09:21 | 000,065,536 | ---- | C] () -- C:\WINNT\System32\NMSInst.dll
[2002/07/08 13:08:21 | 000,000,698 | ---- | C] () -- C:\WINNT\System32\OEMINFO.INI
[2002/03/13 17:46:46 | 000,053,248 | R--- | C] () -- C:\WINNT\System32\zlib.dll
[2001/10/09 14:27:17 | 000,000,872 | ---- | C] () -- C:\WINNT\orun32.ini
[2000/09/08 18:53:50 | 000,073,839 | ---- | C] () -- C:\WINNT\System32\KodakOneTouch.dll
[1999/12/02 13:01:20 | 000,229,376 | ---- | C] () -- C:\WINNT\System32\ISP2000.dll
[1999/07/23 13:46:48 | 000,000,116 | ---- | C] () -- C:\WINNT\AuHCcup1.ini
[1999/07/23 10:53:20 | 000,129,536 | ---- | C] () -- C:\WINNT\AuHCcup1.dll
[1998/10/22 22:46:00 | 000,047,104 | ---- | C] () -- C:\WINNT\System32\wh2robo.dll
[1998/08/16 06:00:00 | 000,004,096 | ---- | C] () -- C:\WINNT\System32\sysres.dll
[1998/05/27 15:13:34 | 000,032,256 | ---- | C] () -- C:\WINNT\System32\_UNODBC.dll
[1997/11/10 15:18:48 | 000,010,240 | ---- | C] () -- C:\WINNT\System32\vidx16.dll
[1997/06/13 19:56:08 | 000,056,832 | ---- | C] () -- C:\WINNT\System32\iyvu9_32.dll
[1980/01/01 00:00:00 | 000,262,144 | ---- | C] () -- C:\WINNT\System32\shpshftr.dll
[1980/01/01 00:00:00 | 000,009,785 | ---- | C] () -- C:\WINNT\System32\drivers\a312.sys

========== LOP Check ==========

[2008/01/25 23:12:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
[2002/12/01 22:25:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Disney Interactive
[2009/03/31 19:40:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2010/03/01 18:56:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/04/23 21:53:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2006/05/26 14:28:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Geek Squad
[2007/09/20 15:51:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2009/09/19 11:40:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\myitlab
[2008/11/30 00:26:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Screaming Bee
[2010/05/07 14:22:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/03/30 19:31:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YoYoGames
[2009/04/02 17:33:36 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{333D5C37-01AF-4BD4-8380-38D8974725EE}
[2010/04/01 16:17:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/04/02 17:34:28 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{615DB4DC-B7C1-4125-9858-78EF460B76D2}
[2010/03/13 23:24:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\tony.S0027470697.000\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2002/07/08 13:10:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\tony.S0027470697.000\Application Data\InterTrust
[2010/04/05 16:54:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\tony.S0027470697.000\Application Data\Uniblue
[2005/01/29 20:24:54 | 000,000,358 | ---- | M] () -- C:\WINNT\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1090275553.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/10/16 11:11:33 | 022,245,337 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/01/20 16:37:37 | 023,852,652 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/10/16 11:11:33 | 022,245,337 | ---- | M] () .cab file -- C:\WINNT\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2009/01/20 16:37:37 | 023,852,652 | ---- | M] () .cab file -- C:\WINNT\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\ERDNT\cache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\system32\dllcache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\system32\drivers\agp440.sys
[2004/08/04 01:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINNT\system32\ReinstallBackups\0014\DriverFiles\i386\AGP440.SYS
[2004/08/04 01:07:41 | 000,042,368 | ---- | M] () Unable to obtain MD5 -- C:\WINNT\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/10/29 09:04:37 | 012,091,533 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp1.cab:atapi.sys
[2004/10/16 11:11:33 | 022,245,337 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp2.cab:atapi.sys
[2009/01/20 16:37:37 | 023,852,652 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp3.cab:atapi.sys
[2002/10/29 09:04:37 | 012,091,533 | ---- | M] () .cab file -- C:\WINNT\ServicePackFiles\i386\sp1.cab:atapi.sys
[2004/10/16 11:11:33 | 022,245,337 | ---- | M] () .cab file -- C:\WINNT\ServicePackFiles\i386\sp2.cab:atapi.sys
[2009/01/20 16:37:37 | 023,852,652 | ---- | M] () .cab file -- C:\WINNT\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\system32\dllcache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\system32\drivers\atapi.sys
[2001/08/17 13:51:56 | 000,086,656 | ---- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- C:\WINNT\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[2004/08/04 00:59:42 | 000,095,360 | ---- | M] () Unable to obtain MD5 -- C:\WINNT\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINNT\ERDNT\cache\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINNT\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINNT\system32\dllcache\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINNT\system32\eventlog.dll
[2004/08/04 02:56:42 | 000,055,808 | ---- | M] () Unable to obtain MD5 -- C:\WINNT\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINNT\ERDNT\cache\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINNT\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINNT\system32\dllcache\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINNT\system32\netlogon.dll
[2004/08/04 02:56:44 | 000,407,040 | ---- | M] () Unable to obtain MD5 -- C:\WINNT\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINNT\ERDNT\cache\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINNT\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINNT\system32\dllcache\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINNT\system32\scecli.dll
[2004/08/04 02:56:44 | 000,180,224 | ---- | M] () Unable to obtain MD5 -- C:\WINNT\$NtServicePackUninstall$\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/01/05 05:00:20 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINNT\system32\dxtmsft.dll
[2010/01/05 05:00:21 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINNT\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2001/10/09 14:03:32 | 000,090,112 | ---- | M] () -- C:\WINNT\system32\config\default.sav
[2001/10/09 14:03:32 | 000,630,784 | ---- | M] () -- C:\WINNT\system32\config\software.sav
[2001/10/09 14:03:32 | 000,385,024 | ---- | M] () -- C:\WINNT\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\system32\drivers\mbamswissarmy.sys
[2010/03/26 15:38:20 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINNT\system32\drivers\SBREDrv.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
What problems do you have now?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

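The two :OTL lines above target an Internet Explorer proxy at 127.0.0.1:5555 and a BHO whose CLSID resolves to nothing. A browser proxy on a loopback address hands every HTTP request to whatever local process is listening on that port, so it is worth confirming it is gone (the fix log further down shows OTL could not interpret those two lines, which is why the proxy box is checked by hand later in the thread). The "MD5 for:" sections in the log above are the other check worth automating: OTL hashes the same driver in every protected copy it finds (system32\drivers, dllcache, ServicePackFiles, the ERDNT cache), and a lone differing hash in system32\drivers is what a patched driver looks like. The script below is an added example, not part of this thread and not a feature of OTL; it reads OTL report text and flags all three conditions. The embedded log is constructed to match OTL's format (it is not the log posted above), and its second atapi.sys hash is deliberately altered so that a mismatch is shown; every atapi.sys copy in the posted log carried the same MD5.

```python
"""Triage pasted OTL report text for a loopback IE proxy, orphan BHOs and driver hash mismatches.

Added example for this thread; not OTL's own code.  Works offline on log text only.
"""
import re
from collections import defaultdict

# Constructed sample in OTL's format (NOT the log posted in the thread).  The
# all-zero atapi.sys hash is a deliberate fake so that md5_mismatches() has
# something to flag; the real log showed identical hashes in every location.
SAMPLE_OTL_LOG = r"""IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
< MD5 for: ATAPI.SYS >
[2009/01/20 16:37:37 | 023,852,652 | ---- | M] () .cab file -- C:\WINNT\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\system32\dllcache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINNT\system32\drivers\atapi.sys
[2004/08/04 00:59:42 | 000,095,360 | ---- | M] () Unable to obtain MD5 -- C:\WINNT\$NtServicePackUninstall$\atapi.sys
< MD5 for: AGP440.SYS >
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\system32\dllcache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\system32\drivers\agp440.sys
"""

PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*(\S+)')
BHO_RE = re.compile(
    r'^O2 - BHO: .*?(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}).*No CLSID value found'
)
SECTION_RE = re.compile(r'^< MD5 for: (\S+) >')
MD5_RE = re.compile(r'\bMD5=([0-9A-Fa-f]{32}) -- (.+?)\s*$')


def _is_loopback(host: str) -> bool:
    host = host.strip("[]").lower()
    return host == "localhost" or host.startswith("127.") or host == "::1"


def loopback_proxies(lines):
    """Return ProxyServer entries that route browser traffic back to the local machine.

    IE stores the value as "host:port" or as "proto=host:port;proto=host:port".
    """
    hits = []
    for line in lines:
        m = PROXY_RE.search(line)
        if not m:
            continue
        for entry in m.group(1).split(";"):
            hostport = entry.split("=", 1)[-1]      # drop an optional "http=" prefix
            host = hostport.rsplit(":", 1)[0]        # drop the port
            if _is_loopback(host):
                hits.append(entry)
    return hits


def orphan_bhos(lines):
    """Return CLSIDs of O2 BHO entries that OTL could not resolve to a registered object."""
    return [m.group(1) for m in (BHO_RE.match(line) for line in lines) if m]


def md5_mismatches(lines):
    """Return {file: {path: md5}} for every hashed file whose copies disagree.

    Identical hashes across drivers/dllcache/ServicePackFiles mean the loaded copy
    is the one Windows shipped.  Lines without "MD5=" (.cab members, files OTL
    could not read) are ignored rather than counted as mismatches.
    """
    by_file = defaultdict(dict)
    current = None
    for line in lines:
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).lower()
            continue
        m = MD5_RE.search(line)
        if m and current:
            by_file[current][m.group(2)] = m.group(1).upper()
    return {name: paths for name, paths in by_file.items() if len(set(paths.values())) > 1}


def triage(report_text):
    """Run all three checks over one OTL report and return the findings."""
    lines = report_text.splitlines()
    return {
        "loopback_proxy": loopback_proxies(lines),
        "orphan_bho": orphan_bhos(lines),
        "md5_mismatch": md5_mismatches(lines),
    }


if __name__ == "__main__":
    for kind, finding in triage(SAMPLE_OTL_LOG).items():
        print(f"{kind}: {finding or 'none'}")
```

To use it on a real report, pass the full OTL.txt contents to triage(); an empty list or dict for a check means nothing was flagged. The MD5 check only compares copies that OTL actually hashed, so a driver that appears in one location only is never reported.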

#9 toofeweyes (New Member, Topic Starter, 7 posts)
All processes killed
Error: Unable to interpret <OTL> in the current context!
Error: Unable to interpret <IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555> in the current context!
Error: Unable to interpret <O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.> in the current context!
========== COMMANDS ==========
C:\WINNT\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Application Data

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: New Folder

User: Owner

User: tony
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: tony.S0027470697
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: tony.S0027470697.000
->Temp folder emptied: 3738 bytes
->Temporary Internet Files folder emptied: 6250253 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 83991364 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 5161 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 439 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 86.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Application Data

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: New Folder

User: Owner

User: tony
->Flash cache emptied: 0 bytes

User: tony.S0027470697
->Flash cache emptied: 0 bytes

User: tony.S0027470697.000
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.4.1 log created on 05092010_125435

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...




OK - ran OTL as informed, took less than a minute - PC seems to be running perfectly - thank you for your help... one more question... I have ESET NOD32 running as my antivirus. From reading info on this site I think I need to have SUPERAntiSpyware added as well as COMODO firewall. I have Windows firewall running now and am wondering if I should change to COMODO. Thanks again for your help and patience with a computer illiterate.
  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No problem at all - one final task for you

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet Explorer.


And for Firefox there are instructions on this page, and you want the setting to be no proxy.

From reading info on this site I think I need to have SUPERAntiSpyware added as well as COMODO firewall. I have windows firewall running now and am wondering if I should change to COMODO. Thanks again for your help and patience with a computer illiterate.

Comodo would be a good addition as Windows firewall is one way only. Use either SAS or MBAM as they are both as good.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes. It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)
  • 0
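The OTL log earlier in this thread showed the two settings this infection tampered with: a browser proxy forced to http=127.0.0.1:5555 under HKCU\...\Internet Settings, and a HOSTS file that had to be reset. The PowerShell script below is an added example (not part of the thread and not one of Essexboy's tools) that re-checks both after the reboot; the registry value names ProxyEnable, ProxyServer and AutoConfigURL are the standard WinINet ones, and $ExpectedProxy is an assumption (empty for a home PC with no legitimate proxy).

```powershell
# Added example: verify the proxy hijack and HOSTS tampering seen in the OTL log are gone.
# Assumption: no legitimate proxy is used on this PC; set $ExpectedProxy if one is.
$ExpectedProxy = ''
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$findings = @()

# WinINet proxy settings for the current user (the key OTL reported on).
$p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($p.ProxyEnable -eq 1 -and $p.ProxyServer -and $p.ProxyServer -ne $ExpectedProxy) {
    $findings += "Proxy enabled and set to '$($p.ProxyServer)'"
}
# A proxy pointing at loopback on an odd port (the log showed http=127.0.0.1:5555)
# means a local component is sitting between the browser and the network.
if ($p.ProxyServer -match '127\.0\.0\.1|localhost') {
    $findings += "Proxy points at loopback: '$($p.ProxyServer)'"
}
# A PAC script URL is another way to redirect browser traffic silently.
if ($p.AutoConfigURL) {
    $findings += "AutoConfigURL (PAC script) set: '$($p.AutoConfigURL)'"
}

# HOSTS file: after OTL's reset only comments and the stock localhost lines should remain.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$extra = Get-Content -Path $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*(#|$)' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
foreach ($line in $extra) { $findings += "Non-default HOSTS entry: $line" }

if ($findings.Count -eq 0) {
    Write-Output 'OK: no proxy set, no PAC script, HOSTS file is default.'
} else {
    $findings | ForEach-Object { Write-Output "CHECK: $_" }
}
```

Run it from a normal PowerShell prompt as the user who was infected, since the proxy key is per-user (HKCU); any CHECK line means the setting came back and the thread's LAN settings step needs repeating.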

#11
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
