Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Suspicious in & Worm.Conficker.b in & Crazy mouse movements

Started by plan2scan , May 23 2010 12:52 AM

  • Please log in to reply

#1
plan2scan
Posted 23 May 2010 - 12:52 AM

plan2scan

    New Member

  • Member
  • Pip
  • 5 posts
HI geeks,

I've been getting these virus notifications that constantly pop-uop on screen at least once during each session on my comp (desktop). In addition there is a virus notic that comes up on start-up saying an infected file rundll.exe (or something similar) can't remember right now cause it comes up on start-up and then is cleared and I can't find it in the anti-virus regisrty/reports. I have Quick Heal installed on my system. the reports I found here were :

Report for - Quick Heal Online Protection
Friday, 21 May, 2010, Time 12:41:44
Quick Heal Version - 10.00
Virus database - 19 May 2010

-----------------------------------------------------------------------------------------------------------------
Detected: Worm.Conficker.b in
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\R5WQ3AJO\llipb[1].gif
Action taken: Deleted


Report for - Quick Heal Online Protection
Friday, 21 May, 2010, Time 12:41:44
Quick Heal Version - 10.00
Virus database - 19 May 2010

-----------------------------------------------------------------------------------------------------------------
Detected: Suspicious in
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\R5WQ3AJO\llipb[1].gif
Action taken: Access denied


I've performed all the steps mentioned in your virus detection/removal topic such as TFC, ERUNT, MBAM & a complete system scan by Quick Heal and I also did OTL quick scan (twice) but for some reason the program hung (after completing the Scan), though it did seem to generate the reports in the folder as mentioned. Don't really know why this was happening. I'm copying the MBAM & rootkit & OTL logs below.

In addition to this problem, I also have an issue with my mouse as it keeps randomly jumping to various corners of the screen (generally top left) while working and acts all weird. Could this also be an effects of the virus?

I would appreciate any help you'll can lend me to get rid of this attack. cheers!

MBAM Log :

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

5/23/2010 10:44:53 AM
mbam-log-2010-05-23 (10-44-53).txt

Scan type: Quick scan
Objects scanned: 117711
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER / ARK log :

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-23 11:40:00
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\test\LOCALS~1\Temp\uwtyraob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp emltdi.sys (emltdi.sys/Quick Heal Technologies (P) Ltd.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\atapi \Device\Ide\IdePort0 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort1 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort2 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort3 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-8 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-10 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort4 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort5 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort6 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort7 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-1d AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 snapman.sys (Acronis Snapshot API/Acronis)

---- EOF - GMER 1.0.15 ----


OTL Logs :

OTL logfile created on: 5/23/2010 11:56:23 AM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = I:\Virus Alert
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.65 Gb Total Space | 58.82 Gb Free Space | 60.23% Space Free | Partition Type: NTFS
Drive D: | 100.00 Gb Total Space | 25.84 Gb Free Space | 25.84% Space Free | Partition Type: NTFS
Drive E: | 100.43 Gb Total Space | 5.17 Gb Free Space | 5.15% Space Free | Partition Type: NTFS
Drive F: | 3.76 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive G: | 31.74 Gb Total Space | 13.82 Gb Free Space | 43.56% Space Free | Partition Type: NTFS
Drive H: | 97.65 Gb Total Space | 39.31 Gb Free Space | 40.26% Space Free | Partition Type: NTFS
Drive I: | 103.48 Gb Total Space | 34.42 Gb Free Space | 33.26% Space Free | Partition Type: NTFS

Computer Name: ANDDESIGN2
Current User Name: test
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/15 21:45:49 | 000,134,488 | ---- | M] (Quick Heal Technologies (P) Ltd.) -- C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\scanwscs.exe
PRC - [2010/04/05 19:49:25 | 000,561,664 | ---- | M] (OldTimer Tools) -- I:\Virus Alert\OTL.exe
PRC - [2010/04/02 16:50:25 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/24 09:40:44 | 000,654,128 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\BitTorrent\bittorrent.exe
PRC - [2009/11/11 10:57:36 | 001,451,520 | ---- | M] (Nokia) -- C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
PRC - [2009/10/27 09:26:36 | 000,657,408 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
PRC - [2009/10/27 09:15:44 | 000,132,608 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
PRC - [2009/10/27 09:15:02 | 000,120,832 | ---- | M] (Nokia) -- C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
PRC - [2009/09/30 18:52:03 | 000,058,744 | ---- | M] (Quick Heal Technologies (P) Ltd.) -- C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\quhlpsvc.exe
PRC - [2009/09/30 18:52:02 | 000,214,392 | ---- | M] (Quick Heal Technologies (P) Ltd.) -- C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\onlinent.exe
PRC - [2009/09/30 18:43:11 | 000,095,608 | ---- | M] (Quick Heal Technologies (P) Ltd.) -- C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\UPSCHD.EXE
PRC - [2009/09/30 18:43:10 | 000,111,992 | ---- | M] (Quick Heal Technologies (P) Ltd.) -- C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\SCANMSG.EXE
PRC - [2009/09/30 18:43:09 | 000,017,272 | ---- | M] (Quick Heal Technologies (P) Ltd.) -- C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\OPSSVC.EXE
PRC - [2009/09/30 18:43:08 | 000,267,640 | ---- | M] (Quick Heal Technologies (P) Ltd.) -- C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\EMLPROUI.EXE
PRC - [2009/09/30 18:43:08 | 000,050,552 | ---- | M] (Quick Heal Technologies (P) Ltd.) -- C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\EMLPROXY.EXE
PRC - [2009/06/26 12:58:28 | 002,292,672 | ---- | M] (SlySoft, Inc.) -- C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
PRC - [2009/02/16 09:44:56 | 001,358,384 | ---- | M] (Linksys, LLC) -- C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
PRC - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
PRC - [2008/10/14 21:38:56 | 000,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2008/05/19 19:50:14 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2007/06/28 09:48:05 | 002,554,648 | R--- | M] (Intel) -- C:\Program Files\Intel\AMT\UNS.exe
PRC - [2007/06/28 09:48:04 | 000,404,248 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchk.exe
PRC - [2007/06/28 09:48:04 | 000,183,064 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchksrv.exe
PRC - [2007/06/28 09:48:03 | 000,109,336 | R--- | M] (Intel) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2007/05/15 15:55:46 | 001,628,208 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
PRC - [2007/05/15 15:55:46 | 001,550,896 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
PRC - [2005/10/25 22:48:30 | 000,988,565 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
PRC - [2005/10/25 22:48:30 | 000,172,032 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2005/10/25 22:48:30 | 000,118,784 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2005/07/23 08:55:06 | 000,049,152 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
PRC - [2004/08/04 00:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/05 19:49:25 | 000,561,664 | ---- | M] (OldTimer Tools) -- I:\Virus Alert\OTL.exe
MOD - [2008/09/25 18:14:37 | 000,117,696 | ---- | M] (SlySoft, Inc.) -- C:\Program Files\SlySoft\AnyDVD\ADvdDiscHlp.dll
MOD - [2004/08/04 00:57:02 | 001,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/05/15 21:45:49 | 000,134,488 | ---- | M] (Quick Heal Technologies (P) Ltd.) [Auto | Running] -- C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\scanwscs.exe -- (ScanWscS)
SRV - [2009/10/27 09:26:36 | 000,657,408 | ---- | M] (Nokia) [On_Demand | Running] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/09/30 18:52:03 | 000,058,744 | ---- | M] (Quick Heal Technologies (P) Ltd.) [Auto | Running] -- C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\quhlpsvc.exe -- (Quick Update Service)
SRV - [2009/09/30 18:43:09 | 000,017,272 | ---- | M] (Quick Heal Technologies (P) Ltd.) [Auto | Running] -- C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\OPSSVC.EXE -- (Online Protection System)
SRV - [2009/09/30 18:43:08 | 000,050,552 | ---- | M] (Quick Heal Technologies (P) Ltd.) [Auto | Running] -- C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\EMLPROXY.EXE -- (Quick Heal Antivirus Plus Mail Protection)
SRV - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/05/19 19:50:14 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/06/28 09:48:05 | 002,554,648 | R--- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\AMT\UNS.exe -- (UNS) Intel®
SRV - [2007/06/28 09:48:04 | 000,183,064 | R--- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\atchksrv.exe -- (atchksrv) Intel®
SRV - [2007/06/28 09:48:03 | 000,109,336 | R--- | M] (Intel) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®
SRV - [2007/05/15 15:55:46 | 001,550,896 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2007/03/20 16:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2005/10/25 22:48:30 | 000,172,032 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.c...mp;ltmplcache=2
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.gmail.com/"
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.7
FF - prefs.js..extensions.enabledItems: {1ABADB6E-DC4B-11DA-9F70-791A9CD9513E}:0.6.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {53A03D43-5363-4669-8190-99061B2DEBA5}:1.3.7
FF - prefs.js..extensions.enabledItems: {EF522540-89F5-46b9-B6FE-1829E2B572C6}:4.2
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.63
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 16:50:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 16:50:35 | 000,000,000 | ---D | M]

[2009/06/26 13:07:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\test\Application Data\Mozilla\Extensions
[2010/05/22 17:58:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\63gyda27.default\extensions
[2009/09/18 16:08:07 | 000,000,000 | ---D | M] (Googlepedia) -- C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\63gyda27.default\extensions\{1ABADB6E-DC4B-11DA-9F70-791A9CD9513E}
[2010/05/05 16:43:40 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\63gyda27.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/10/16 12:09:04 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\63gyda27.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2010/03/31 01:03:09 | 000,000,000 | ---D | M] (ScrapBook) -- C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\63gyda27.default\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}
[2010/02/14 18:10:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\63gyda27.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/01/29 18:15:07 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\63gyda27.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/03/31 01:03:24 | 000,000,000 | ---D | M] (SearchPreview) -- C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\63gyda27.default\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}
[2010/02/26 13:18:18 | 000,002,426 | ---- | M] () -- C:\Documents and Settings\test\Application Data\Mozilla\Firefox\Profiles\63gyda27.default\searchplugins\askcom.xml
[2010/05/22 17:58:44 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/05/19 19:20:03 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/04/19 19:58:05 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

O1 HOSTS File: ([2001/08/23 17:30:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [atchk] C:\Program Files\Intel\AMT\atchk.exe (Intel Corporation)
O4 - HKLM..\Run: [Email Protection] C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\EMLPROUI.EXE (Quick Heal Technologies (P) Ltd.)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe (HP)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [Linksys Wireless Manager] C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe (Linksys, LLC)
O4 - HKLM..\Run: [Messenger] C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\SCANMSG.EXE (Quick Heal Technologies (P) Ltd.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [On-Line Protection] C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\cateye.exe (Quick Heal Technologies (P) Ltd.)
O4 - HKLM..\Run: [ResumeQuickupDownload] C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\ACAPPAA.EXE (Quick Heal Technologies (P) Ltd.)
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe (Nero AG)
O4 - HKLM..\Run: [Startup Scan] C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\SENSOR.EXE (Quick Heal Technologies (P) Ltd.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [Update Scheduler] C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\UPSCHD.EXE (Quick Heal Technologies (P) Ltd.)
O4 - HKCU..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe (SlySoft, Inc.)
O4 - HKCU..\Run: [BitTorrent] C:\Program Files\BitTorrent\bittorrent.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [PC Suite Tray] C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe (Nokia)
O4 - HKLM..\RunOnce: [Startup Scan] C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\SENSOR.EXE (Quick Heal Technologies (P) Ltd.)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (EXPLORER.EXE) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\test\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\test\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/04 15:44:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3bb13abb-ddbf-11de-b933-001cc0073beb}\Shell\AutoRun\command - "" = G:\WDSetup.exe -- File not found
O33 - MountPoints2\{8593cf7e-16e6-11df-b968-001cc0073beb}\Shell\AutoRun\command - "" = G:\ALKOHOLU\\zdravooo.exe -- File not found
O33 - MountPoints2\{8593cf7e-16e6-11df-b968-001cc0073beb}\Shell\explore\command - "" = G:\ALKOHOLU\\zdravooo.exe -- File not found
O33 - MountPoints2\{8593cf7e-16e6-11df-b968-001cc0073beb}\Shell\open\command - "" = G:\ALKOHOLU\\zdravooo.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/05/19 21:58:39 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16620634377289728)

========== Files/Folders - Created Within 14 Days ==========

[2010/05/23 10:28:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/23 10:28:15 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/23 10:26:08 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/20 01:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Desktop\fyfmag
[2010/05/17 06:32:51 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\test\Recent
[2010/05/15 15:56:20 | 000,000,000 | ---D | C] -- C:\Program Files\Linksys
[2010/05/15 15:55:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Pure Networks Shared
[2010/05/15 15:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2010/05/15 15:54:57 | 000,627,072 | ---- | C] (Ralink Technology, Corp.) -- C:\WINDOWS\System32\drivers\WUSB54GCv3.sys
[2010/05/15 15:54:57 | 000,221,184 | ---- | C] (Ralink Technology, Inc.) -- C:\WINDOWS\System32\RaCoInst.dll
[2010/05/13 21:33:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple
[2010/05/11 18:34:32 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\test\IECompatCache
[2010/05/10 09:05:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Control Panels
[2010/03/25 21:33:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/11/11 21:32:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/11/11 21:32:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/05/19 16:51:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/05/19 16:48:46 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/05/19 16:48:46 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/05/23 11:45:02 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{5C669C7B-97F4-4DB4-B125-70C4EEAA57E7}.job
[2010/05/23 11:30:21 | 000,000,031 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2010/05/23 11:29:47 | 000,088,723 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/23 11:28:56 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/23 11:28:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/23 10:48:28 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\test\NTUSER.DAT
[2010/05/23 10:48:05 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\test\ntuser.ini
[2010/05/23 10:40:45 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/23 10:28:18 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/23 10:26:09 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\test\Desktop\NTREGOPT.lnk
[2010/05/23 10:26:09 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\test\Desktop\ERUNT.lnk
[2010/05/23 09:12:25 | 000,216,064 | ---- | M] () -- C:\Documents and Settings\test\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/21 12:50:53 | 047,093,771 | ---- | M] () -- C:\Documents and Settings\test\Desktop\2FI New Highgate Menu Final Print File may21.pdf
[2010/05/21 12:49:36 | 000,002,568 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/05/21 11:17:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/16 20:39:54 | 000,070,656 | ---- | M] () -- C:\Documents and Settings\test\Desktop\FYF - Dubai Brand Book Content.doc
[2010/05/15 15:56:29 | 000,360,124 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/15 15:56:29 | 000,314,838 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/15 15:56:29 | 000,041,040 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/13 21:33:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/12 20:07:05 | 002,089,352 | ---- | M] () -- C:\Documents and Settings\test\Desktop\The Competitiveness Review - Islamic Finance - 2010 Update vF.docx
[2010/05/12 05:44:05 | 003,459,856 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/10 20:01:46 | 000,001,277 | ---- | M] () -- C:\Documents and Settings\test\Desktop\ROMELL-GROUP-nav-links-bg-bar.png

========== Files Created - No Company Name ==========

[2010/05/23 10:28:18 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/23 10:26:09 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\test\Desktop\NTREGOPT.lnk
[2010/05/23 10:26:09 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\test\Desktop\ERUNT.lnk
[2010/05/21 12:50:25 | 047,093,771 | ---- | C] () -- C:\Documents and Settings\test\Desktop\2FI New Highgate Menu Final Print File may21.pdf
[2010/05/16 14:17:26 | 000,070,656 | ---- | C] () -- C:\Documents and Settings\test\Desktop\FYF - Dubai Brand Book Content.doc
[2010/05/15 15:54:57 | 000,015,312 | ---- | C] () -- C:\WINDOWS\System32\RaCoInst.dat
[2010/05/12 20:05:55 | 002,089,352 | ---- | C] () -- C:\Documents and Settings\test\Desktop\The Competitiveness Review - Islamic Finance - 2010 Update vF.docx
[2010/05/10 20:01:46 | 000,001,277 | ---- | C] () -- C:\Documents and Settings\test\Desktop\ROMELL-GROUP-nav-links-bg-bar.png
[2010/03/22 14:24:18 | 000,007,214 | ---- | C] () -- C:\WINDOWS\hpdj3740.ini
[2010/03/22 14:23:55 | 000,000,484 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2009/09/30 18:43:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\sensor.INI
[2009/09/30 18:42:26 | 000,000,052 | ---- | C] () -- C:\WINDOWS\QH32.INI
[2009/07/01 20:05:30 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/06/26 12:56:30 | 000,000,031 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2009/06/26 12:52:55 | 000,002,568 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2009/06/26 12:52:55 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\F88C62E3AF.sys
[2009/06/25 17:02:23 | 000,216,064 | ---- | C] () -- C:\Documents and Settings\test\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/19 19:56:22 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/05/19 18:52:07 | 000,204,800 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4837.dll
[2008/05/19 16:52:12 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\test\ntuser.ini
[2008/05/19 16:52:11 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\test\ntuser.dat.LOG
[2008/05/19 16:52:10 | 008,126,464 | -H-- | C] () -- C:\Documents and Settings\test\NTUSER.DAT
[2007/04/19 10:56:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/04/19 10:56:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/04/19 10:56:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/04/19 10:56:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/04/19 10:56:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/04/19 10:56:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/04/19 10:56:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/05/25 04:17:11 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/04/19 05:34:53 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2004/07/17 11:36:38 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== LOP Check ==========

[2008/05/19 20:08:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2010/01/05 12:40:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/04/02 10:00:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2009/06/09 14:50:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MicroWorld
[2010/04/02 10:03:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2009/06/26 12:56:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2009/06/26 15:31:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\test\Application Data\Bitstream
[2010/05/23 11:49:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\test\Application Data\BitTorrent
[2010/02/01 20:42:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\test\Application Data\Facebook
[2010/04/02 10:03:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\test\Application Data\Nokia
[2010/04/02 10:03:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\test\Application Data\PC Suite
[2010/05/23 11:45:02 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{5C669C7B-97F4-4DB4-B125-70C4EEAA57E7}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/05/19 22:06:49 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/05/19 22:06:49 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/05/19 22:06:49 | 000,921,600 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >


Extras.txt

OTL Extras logfile created on: 5/23/2010 11:56:23 AM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = I:\Virus Alert
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 68.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.65 Gb Total Space | 58.82 Gb Free Space | 60.23% Space Free | Partition Type: NTFS
Drive D: | 100.00 Gb Total Space | 25.84 Gb Free Space | 25.84% Space Free | Partition Type: NTFS
Drive E: | 100.43 Gb Total Space | 5.17 Gb Free Space | 5.15% Space Free | Partition Type: NTFS
Drive F: | 3.76 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive G: | 31.74 Gb Total Space | 13.82 Gb Free Space | 43.56% Space Free | Partition Type: NTFS
Drive H: | 97.65 Gb Total Space | 39.31 Gb Free Space | 40.26% Space Free | Partition Type: NTFS
Drive I: | 103.48 Gb Total Space | 34.42 Gb Free Space | 33.26% Space Free | Partition Type: NTFS

Computer Name: ANDDESIGN2
Current User Name: test
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS3 Server
"3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50900:TCP" = 50900:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50901:TCP" = 50901:TCP:*:Enabled:Adobe Version Cue CS3 Server
"6381:TCP" = 6381:TCP:*:Enabled:zdsnyxj

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" = C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server -- (Adobe Systems Incorporated)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE" = C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE:*:Enabled:SAgent4 -- (SEIKO EPSON CORPORATION)
"C:\Program Files\PeerWeb DC++\PeerWeb DC++.exe" = C:\Program Files\PeerWeb DC++\PeerWeb DC++.exe:*:Enabled:Peerweb DC++ -- (PeerWeb DC Development Team)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW® Graphics Suite X4
"_{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW® Graphics Suite X4 - Windows Shell Extension
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{09E2111C-16B1-4DDF-BF0D-F994C9A12350}" = Adobe Setup
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2CCBABCB-6427-4A55-B091-49864623C43F}" = Google Toolbar for Firefox
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{44A27085-0616-4181-A0C3-81C7ECA17F73}" = CorelDRAW Graphics Suite X4
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{54F6C98F-94A0-421C-B90E-0B6A2A96A9CF}" = Pure Networks Platform
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6869591A-7DD8-46D2-837F-57CBF7358955}" = Nokia Connectivity Cable Driver
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6E0352EE-6F0D-4FBC-B1B8-4FF032C78BE0}" = PC Connectivity Solution
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW Graphics SUite X4 - ICA
"{7F05E704-30A6-421A-97A7-8EEB1C7FF012}" = CorelDRAW Graphics Suite X4 - Capture
"{7F05E704-30A6-421A-97A7-8EEB1C7FF013}" = CorelDRAW Graphics Suite X4 - Draw
"{7F05E704-30A6-421A-97A7-8EEB1C7FF014}" = CorelDRAW Graphics Suite X4 - PP
"{7F05E704-30A6-421A-97A7-8EEB1C7FF016}" = CorelDRAW Graphics Suite X4 - Content
"{7F05E704-30A6-421A-97A7-8EEB1C7FF017}" = CorelDRAW Graphics Suite X4 - Filters
"{7F05E704-30A6-421A-97A7-8EEB1C7FF019}" = CorelDRAW Graphics Suite X4 - FontNav
"{7F05E704-30A6-421A-97A7-8EEB1C7FF100}" = CorelDRAW Graphics Suite X4 - Lang EN
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}" = Nokia PC Suite
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9B4E6CB9-E54D-47F7-A414-E2D5740E1033}" = Nero 7 Essentials
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}" = CorelDRAW Graphics Suite X4 - IPM
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{ABD1DC2F-0D20-4C44-BEB9-3EEFA0EA1033}" = SecurDisc Viewer
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B61D21B6-469D-4423-B161-62DB20B8A70E}" = Visual Basic for Applications ® Core - English
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B7F560B3-6EFF-4026-A982-843895A41149}" = Adobe BridgeTalk Plugin CS3
"{B81023A5-71ED-46EB-BE3B-9F974D1155F1}" = HP Software Update
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{BF439B41-0252-48DE-8B8B-0430CB26A181}" = CorelDRAW Graphics Suite X4 - VBA
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CA83357B-931E-44DC-AD43-9996FEEB8116}" = Acronis True Image
"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3
"{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW® Graphics Suite X4 - Windows Shell Extension
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D1C18EDD-571A-4BDD-BE7B-1DD86027D7FF}" = Adobe Creative Suite 3 Design Premium
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DB81779E-7CC5-4630-BCFC-754004956444}" = Visual Basic for Applications ® Core
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F901CA6D-A074-42D3-A11D-33AAE6FFD0C1}" = HP Deskjet 3740
"05B59228C7E1C21DFBE89260F879BD95880548D8" = Windows Driver Package - Nokia Modem (10/05/2009 4.2)
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"8CDCFB95BB84DD9C0F88F22266A0CA86035E55BA" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
"Adobe Acrobat 8 Professional - English, Français, Deutsch" = Adobe Acrobat 8.1.3 Professional
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_c14ac4070fd9614ffe63f4bb533db2c" = Add or Remove Adobe Creative Suite 3 Design Premium
"AnyDVD" = AnyDVD
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"HDMI" = Intel® Graphics Media Accelerator Driver
"HECI" = Intel® Management Engine Interface
"ie8" = Windows Internet Explorer 8
"iolo technologies' System Mechanic" = iolo technologies' System Mechanic
"Linksys Wireless Manager" = Linksys Wireless Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaMonkey_is1" = MediaMonkey 3.0
"MESOL" = Intel® Active Management Technology Device Software
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Nokia PC Suite" = Nokia PC Suite
"NVIDIA Drivers" = NVIDIA Drivers
"PeerWeb DC++" = PeerWeb DC++ 0.41
"Picasa 3" = Picasa 3
"Quick Heal AntiVirus Plus" = Quick Heal AntiVirus Plus
"VLC media player" = VLC media player 1.0.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/29/2010 3:57:39 AM | Computer Name = ANDDESIGN2 | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 3/29/2010 7:00:43 AM | Computer Name = ANDDESIGN2 | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 3/29/2010 8:41:06 AM | Computer Name = ANDDESIGN2 | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 3/29/2010 9:37:06 AM | Computer Name = ANDDESIGN2 | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 3/29/2010 10:34:14 PM | Computer Name = ANDDESIGN2 | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 3/30/2010 2:04:42 AM | Computer Name = ANDDESIGN2 | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 3/30/2010 8:18:25 AM | Computer Name = ANDDESIGN2 | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 3/30/2010 4:35:11 PM | Computer Name = ANDDESIGN2 | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 3/30/2010 10:45:26 PM | Computer Name = ANDDESIGN2 | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 3/31/2010 10:23:39 AM | Computer Name = ANDDESIGN2 | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

[ System Events ]
Error - 5/22/2010 11:45:24 PM | Computer Name = ANDDESIGN2 | Source = Service Control Manager | ID = 7034
Description = The Cyberlink RichVideo Service(CRVS) service terminated unexpectedly.
It has done this 1 time(s).

Error - 5/22/2010 11:45:24 PM | Computer Name = ANDDESIGN2 | Source = Service Control Manager | ID = 7034
Description = The Quick Heal Helper Service WSC service terminated unexpectedly.
It has done this 1 time(s).

Error - 5/22/2010 11:45:24 PM | Computer Name = ANDDESIGN2 | Source = Service Control Manager | ID = 7034
Description = The Intel® Active Management Technology User Notification Service
service terminated unexpectedly. It has done this 1 time(s).

Error - 5/22/2010 11:45:24 PM | Computer Name = ANDDESIGN2 | Source = Service Control Manager | ID = 7034
Description = The Pure Networks Platform Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 5/22/2010 11:45:26 PM | Computer Name = ANDDESIGN2 | Source = Service Control Manager | ID = 7034
Description = The FLEXnet Licensing Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 5/22/2010 11:45:26 PM | Computer Name = ANDDESIGN2 | Source = Service Control Manager | ID = 7034
Description = The ServiceLayer service terminated unexpectedly. It has done this
1 time(s).

Error - 5/23/2010 12:53:49 AM | Computer Name = ANDDESIGN2 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 5/23/2010 12:57:37 AM | Computer Name = ANDDESIGN2 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 5/23/2010 1:59:45 AM | Computer Name = ANDDESIGN2 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service BITS with arguments
"" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}

Error - 5/23/2010 2:04:28 AM | Computer Name = ANDDESIGN2 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}


< End of report >



Let me know if there's anythingelse I need to be doing to help you help me! :)
  • 0

Advertisements

#2
RKinner
Posted 27 May 2010 - 04:46 PM

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
The things that Quick Heal is complaining about are .gifs (normally these are just pictures) you are picking up from the Internet. Assuming Quick Heal knows what it is talking about (and that these are not just false positives) some site you visit regularly is infected. They don't seem to be hurting anything thanks to Quick Heal. Apparently infected .gif files are becoming an important vector for malware:
http://blog.threatfi...ed-malware.html

More important though are these two lines:

O33 - MountPoints2\{8593cf7e-16e6-11df-b968-001cc0073beb}\Shell\AutoRun\command - "" = G:\ALKOHOLU\\zdravooo.exe -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"6381:TCP" = 6381:TCP:*:Enabled:zdsnyxj

The first appears to be this worm:
http://threatinfo.tr...r....AK&VSect=T

Not sure what G:\ is but it was infected at some time.

The second is opening your firewall on port 6381 for a randomly named process which could be anything.


Let's run Combofix and see if it finds anything.

Download as follows:
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download, SAVE and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus program at this time :!:

Ron

Edited by RKinner, 27 May 2010 - 04:48 PM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP