
Explorer.Exe - Bad image [Solved]



#1 1kared (Member)
I have Windows XP, and yesterday when I was using the internet, all of a sudden warning messages started to pop up saying that my computer is infected with a virus, and all of a sudden an antivirus started to download even though I pressed cancel more than ten times. So I bought Norton Antivirus online and installed it, and it cleaned the computer, but now whenever I start the computer this message appears:

Explorer.Exe-Bad image
The application or DLL globalroot\systemroot\PRAGMAvstypyrivf\pragmaserf.dll is not a valid windows image. Please check this against your installation diskette.

When I open Internet Explorer the same message appears, but instead of "Explorer.Exe-Bad image" it says "iexplorer.exe-Bad image".

Also, I can't open iTunes: a little window appears saying that the application is not found. When I try to open LimeWire or Windows Live Messenger, the "Open With" window shows up telling me to choose the program I want to use to open the file. That never happened before; it all started yesterday, and the only way I can open LimeWire and Windows Live is by right-clicking the mouse and pressing Start.

Please, can anyone help me with this problem? Thanks


#2 SweetTech (Moderator)
Hello,

My name is SweetTech. I would be glad to take a look at your log and help you with solving any malware problems.

If you have already received help elsewhere please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message on here. :)
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________


OTL Custom Scan
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan paste this in


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /180
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
  • You may need two posts to fit them both in.


NEXT:



Scanning with GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The logs that were produced after running the OTL scans. (OTL.txt & Extras.txt)
3. The log that was produced after running GMER
4. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.
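Added example, not code from this thread or from OTL's author: a Python triage script for OTL.txt output of the kind the instructions above ask for. Its sample input is a handful of lines copied from the log 1kared posts next, and it flags the indicator classes that log contains: hosts-file redirects, IFEO Debugger entries, a non-default .exe association, autostarts from user-writable paths, Winlogon entries pointing at missing files, removable-drive AutoRun commands, and batches of same-size non-Microsoft binaries created in System32. The severity thresholds and the user-writable path list are my own assumptions.

```python
"""Triage an OTL (OldTimer's List-It) log for the hijack patterns seen in this thread.

Rules are defensive indicators only: each finding is (severity, rule, evidence).
"""
import re
from collections import defaultdict

# Sample input: lines copied from the OTL.txt posted in this thread (not constructed).
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 67.212.177.251 www.google.com
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: RTHDBPL = C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-3117440764-5918610976-690569324-0429\msimfo32.exe) - C:\RECYCLER\S-1-5-21-3117440764-5918610976-690569324-0429\msimfo32.exe File not found
O20 - Winlogon\Notify\141e2683879: DllName - C:\WINDOWS\System32\ieakui32.dll - C:\WINDOWS\System32\ieakui32.dll File not found
O27 - HKLM IFEO\MsMpEng.exe: Debugger - svchost.exe (Microsoft Corporation)
O33 - MountPoints2\{e3bee2c0-2011-11df-9b9b-00e04d820647}\Shell\AutoRun\command - "" = F:\BOOTEX\thumbcache_131.exe -- File not found
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKCU\...exe [@ = secfile] -- "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mscdexnt.exe" /START "%1" %* File not found
[2010/06/05 13:57:50 | 000,309,248 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\fontsub32.dll
[2010/06/05 01:58:23 | 000,309,248 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\dpwsock32.dll
[2010/06/04 20:22:51 | 000,309,248 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\dot3msm32.dll
[2010/06/10 19:38:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
"""

# Assumed list of locations a legitimate autostart should not live in.
USER_WRITABLE = ("\\documents and settings\\", "\\recycler\\", "\\temp\\", "\\application data\\")
DEFAULT_OPEN = '"%1" %*'  # the stock open command for exefile/comfile

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
IFEO_RE = re.compile(r"^O27 - HK\w+ IFEO\\(\S+): Debugger - (.+)$")
ASSOC_RE = re.compile(r"^O3[57] - HK\w+\\\.+\w+ \[(.+?)\] -- (.*)$")
CREATED_RE = re.compile(r"^\[[\d/ :]+ \| ([\d,]+) \| \S+ \| C\] \((.*?)\) -- (.+)$")


def triage(log_text):
    """Scan OTL.txt lines and return a list of (severity, rule, evidence) findings."""
    findings = []
    hosts_by_ip = defaultdict(list)  # non-loopback hosts entries, grouped by target IP
    dropped = defaultdict(list)      # (publisher, size) -> System32 files created recently
    for raw in log_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if ip not in ("127.0.0.1", "::1"):
                hosts_by_ip[ip].append(host)
        elif m := IFEO_RE.match(line):
            # An IFEO Debugger value makes Windows start the "debugger" instead of the
            # named program; pointing it at svchost.exe silently neuters security tools.
            findings.append(("high", "IFEO Debugger hijack of " + m.group(1), line))
        elif (m := ASSOC_RE.match(line)) and not m.group(2).startswith(DEFAULT_OPEN):
            # Every .exe launch is routed through the command named here first.
            findings.append(("high", "exe/com file association hijack", line))
        elif line.startswith("O6 - ") and "DisableTaskMgr = 1" in line:
            findings.append(("medium", "Task Manager disabled by policy", line))
        elif line.startswith(("O4 - ", "O6 - ", "O20 - ")) and any(p in low for p in USER_WRITABLE):
            findings.append(("high", "autostart from user-writable path", line))
        elif line.startswith("O20 - ") and "file not found" in low:
            findings.append(("medium", "Winlogon entry pointing at a missing file", line))
        elif line.startswith("O33 - ") and "\\command" in low:
            findings.append(("medium", "removable-drive AutoRun command", line))
        elif m := CREATED_RE.match(line):
            size, publisher, path = m.groups()
            if "\\system32\\" in path.lower() and "microsoft" not in publisher.lower():
                dropped[(publisher, size)].append(path)
    for ip, hosts in hosts_by_ip.items():
        # Many unrelated names sinkholed to one IP is the rogue-AV hosts pattern.
        sev = "high" if len(hosts) >= 3 else "medium"
        findings.append((sev, f"hosts file redirects {len(hosts)} name(s) to {ip}", ", ".join(hosts)))
    for (publisher, size), paths in dropped.items():
        if len(paths) >= 3:  # same publisher, same size, system-looking names: a dropper batch
            findings.append(("high", f"{len(paths)} same-size binaries from '{publisher}' dropped into System32",
                             "; ".join(paths)))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, rule, evidence in triage(SAMPLE_LOG):
        print(f"[{sev.upper():6}] {rule}\n         {evidence}")
```

Run it against a full OTL.txt by passing the file's contents to triage(); a clean log produces no findings, which makes the script usable as a first pass before reading the log by hand.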

#3 1kared (Member)
1. No questions yet :)


2. These are the logs that were produced after running the OTL scans:

OTL logfile created on: 6/11/2010 10:40:01 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 423.00 Mb Available Physical Memory | 44.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 38.69 Gb Free Space | 51.92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: POLLITA
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Windows Live\Contacts\wlcomm.exe (Microsoft Corporation)
PRC - C:\Program Files\LimeWire\LimeWire.exe (Lime Wire, LLC)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (MyWebSearchService) -- C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE (MyWebSearch.com)
SRV - (NAV) -- C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe (Symantec Corporation)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)


========== Driver Services (SafeList) ==========

DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\VirusDefs\20100611.021\NAVEX15.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\VirusDefs\20100611.021\NAVENG.SYS (Symantec Corporation)
DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\IPSDefs\20100604.004\IDSXpx86.sys (Symantec Corporation)
DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\NAV\1107000.00C\Ironx86.SYS (Symantec Corporation)
DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\NAV\1107000.00C\SYMEFA.SYS (Symantec Corporation)
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\WINDOWS\system32\drivers\NAV\1107000.00C\SRTSPX.SYS (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\NAV\1106000.020\SRTSP.SYS (Symantec Corporation)
DRV - (ccHP) -- C:\WINDOWS\system32\drivers\NAV\1107000.00C\ccHPx86.sys (Symantec Corporation)
DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\BASHDefs\20100211.001\BHDrvx86.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\NAV\1106000.020\SYMTDI.SYS (Symantec Corporation)
DRV - (SymDS) -- C:\WINDOWS\system32\drivers\NAV\1107000.00C\SYMDS.SYS (Symantec Corporation)
DRV - (ViPrt) -- C:\WINDOWS\system32\DRIVERS\ViPrt.sys (VIA Technologies, Inc.)
DRV - (ViBus) -- C:\WINDOWS\system32\DRIVERS\ViBus.sys (VIA Technologies, Inc.)
DRV - (videX32) -- C:\WINDOWS\system32\DRIVERS\videX32.sys (VIA Technologies, Inc.)
DRV - (BS_Flash) -- C:\Program Files\BIOS\BIOS Flash\BS_Flash.sys ()
DRV - (RT73) -- C:\WINDOWS\system32\drivers\rt73.sys (Ralink Technology, Corp.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (BS_I2cIo) -- C:\WINDOWS\system32\drivers\BS_I2cIo.sys (BIOSTAR Group)
DRV - (W8335XP) 802.11g/b Driver for Windows XP (8335) -- C:\WINDOWS\system32\drivers\Mrvw125.sys (Marvell Semiconductor, Inc)
DRV - (zntport) -- C:\WINDOWS\System32\drivers\zntport.sys (Zeal SoftStudio)
DRV - (BIOS) -- C:\WINDOWS\system32\drivers\BIOS.sys (BIOSTAR Group)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fptb-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A4 94 9F 18 C9 C4 CA 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 5E C3 7B 00 FD 06 87 4B BF E1 22 A2 79 06 B6 74 [binary data]
IE - HKCU\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\Hotbar@Hotbar.com: C:\Program Files\Hotbar\bin\11.0.117.0\firefox\extensions
FF - HKLM\software\mozilla\Firefox\extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin [2010/03/12 00:00:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\IPSFFPlgn\ [2010/06/10 23:38:28 | 000,000,000 | ---D | M]

[2010/02/22 18:31:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/02/22 18:31:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/04/20 17:44:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/20 17:44:01 | 000,000,000 | ---D | M] (Adobe Flash Plugin) -- C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}

O1 HOSTS File: ([2010/03/26 16:16:57 | 000,002,799 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 67.212.177.251 www.google.com
O1 - Hosts: 67.212.177.251 google.com
O1 - Hosts: 67.212.177.251 google.com.au
O1 - Hosts: 67.212.177.251 www.google.com.au
O1 - Hosts: 67.212.177.251 google.be
O1 - Hosts: 67.212.177.251 www.google.be
O1 - Hosts: 67.212.177.251 google.com.br
O1 - Hosts: 67.212.177.251 www.google.com.br
O1 - Hosts: 67.212.177.251 google.ca
O1 - Hosts: 38 more lines...
O2 - BHO: (no name) - {007BC35E-06FD-4B87-BFE1-22A27906B674} - C:\WINDOWS\system32\csseqchk323232.dll ()
O2 - BHO: (MyWebSearch Search Assistant BHO) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (mwsBar BHO) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (QualitySuperBrandingSystem) - {AD607139-04A5-30EA-7468-A3B9DE31E8EB} - C:\Program Files\QualitySuperBrandingSystem\QualitySuperBrandingSystem.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE (MyWebSearch.com)
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (MyWebSearch.com)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] C:\WINDOWS\System32\VTTrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKCU..\Run: [CleanUp Antivirus] File not found
O4 - HKCU..\Run: [MyWebSearch Email Plugin] C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (MyWebSearch.com)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (Lime Wire, LLC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: RTHDBPL = C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll (Google Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfar...etup1.0.1.1.cab (Reg Error: Key error.)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace....ceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-3117440764-5918610976-690569324-0429\msimfo32.exe) - C:\RECYCLER\S-1-5-21-3117440764-5918610976-690569324-0429\msimfo32.exe File not found
O20 - Winlogon\Notify\141e2683879: DllName - C:\WINDOWS\System32\ieakui32.dll - C:\WINDOWS\System32\ieakui32.dll File not found
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\My Documents\My Pictures\angel.bmp
O27 - HKLM IFEO\mrt.exe: Debugger - svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\msfwsvc.exe: Debugger - svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\MsMpEng.exe: Debugger - svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\msseces.exe: Debugger - svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\OcHealthMon.exe: Debugger - svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\winss.exe: Debugger - svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\winssnotify.exe: Debugger - svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\WinSSUI.exe: Debugger - svchost.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/02 15:44:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{7b1723c2-49b3-11de-9b14-00e04d820647}\Shell\AutoRun\command - "" = BOOTEX\thumbcache_131.exe
O33 - MountPoints2\{7b1723c2-49b3-11de-9b14-00e04d820647}\Shell\explore\command - "" = BOOTEX/thumbcache_131.exe
O33 - MountPoints2\{7b1723c2-49b3-11de-9b14-00e04d820647}\Shell\open\command - "" = .////BOOTEX/thumbcache_131.exe
O33 - MountPoints2\{e3bee2c0-2011-11df-9b9b-00e04d820647}\Shell\AutoRun\command - "" = F:\BOOTEX\thumbcache_131.exe -- File not found
O33 - MountPoints2\{e3bee2c0-2011-11df-9b9b-00e04d820647}\Shell\explore\command - "" = F:\
O33 - MountPoints2\{e3bee2c0-2011-11df-9b9b-00e04d820647}\Shell\open\command - "" = F:\.\\BOOTEX\thumbcache_131.exe -- File not found
O33 - MountPoints2\{ee7b0a08-6764-11de-9b19-00e04d820647}\Shell\AutoRun\command - "" = E:\3c.exe -- File not found
O33 - MountPoints2\{ee7b0a08-6764-11de-9b19-00e04d820647}\Shell\open\Command - "" = E:\3c.exe -- File not found
O33 - MountPoints2\{ee7b0a0f-6764-11de-9b19-00e04d820647}\Shell - "" = AutoRun
O33 - MountPoints2\{ee7b0a0f-6764-11de-9b19-00e04d820647}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ee7b0a0f-6764-11de-9b19-00e04d820647}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{f2e62cae-7807-11de-9b1f-00e04d820647}\Shell - "" = AutoRun
O33 - MountPoints2\{f2e62cae-7807-11de-9b1f-00e04d820647}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f2e62cae-7807-11de-9b1f-00e04d820647}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = secfile] -- "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mscdexnt.exe" /START "%1" %* File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/07/02 15:43:45 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Error starting restore point: 317
Error closing restore point: The sequence number is invalid.

========== Files/Folders - Created Within 30 Days ==========

[2010/06/11 22:37:58 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/06/11 21:21:58 | 000,361,904 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symtdi.sys
[2010/06/11 21:21:58 | 000,339,504 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symtdiv.sys
[2010/06/11 21:21:57 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\cchpx86.sys
[2010/06/11 21:21:57 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symds.sys
[2010/06/11 21:21:57 | 000,325,680 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\srtsp.sys
[2010/06/11 21:21:57 | 000,173,104 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symefa.sys
[2010/06/11 21:21:57 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\ironx86.sys
[2010/06/11 21:21:57 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\srtspx.sys
[2010/06/11 21:21:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1107000.00C
[2010/06/10 23:16:28 | 000,000,000 | ---D | C] -- C:\Program Files\GEAR Software
[2010/06/10 23:16:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{C3243856-7746-4A05-8837-51A28C1CDD82}
[2010/06/10 22:57:27 | 306,708,552 | ---- | C] (Nero AG) -- C:\Documents and Settings\Administrator\Desktop\Nero-10.0.13100_trial.exe
[2010/06/10 22:32:59 | 001,925,536 | ---- | C] (GEAR Software, Inc. ) -- C:\Documents and Settings\Administrator\Desktop\GEARISOBurn.exe
[2010/06/10 21:04:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/06/10 20:56:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Tific
[2010/06/10 20:56:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Symantec
[2010/06/10 20:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Symantec
[2010/06/10 20:35:41 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/06/10 20:35:41 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/06/10 20:35:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/06/10 20:35:40 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/06/10 20:34:42 | 000,501,888 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1106000.020\cchpx86.sys
[2010/06/10 20:34:42 | 000,362,032 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1106000.020\symtdi.sys
[2010/06/10 20:34:42 | 000,340,016 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1106000.020\symtdiv.sys
[2010/06/10 20:34:42 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1106000.020\SymDS.sys
[2010/06/10 20:34:42 | 000,325,680 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1106000.020\srtsp.sys
[2010/06/10 20:34:42 | 000,172,592 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1106000.020\SymEFA.sys
[2010/06/10 20:34:42 | 000,116,784 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1106000.020\Ironx86.sys
[2010/06/10 20:34:42 | 000,043,696 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1106000.020\srtspx.sys
[2010/06/10 20:34:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV
[2010/06/10 20:34:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1106000.020
[2010/06/10 20:34:34 | 000,000,000 | ---D | C] -- C:\Program Files\Norton AntiVirus
[2010/06/10 20:28:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2010/06/10 20:07:09 | 000,000,000 | ---D | C] -- C:\Program Files\Protection Center
[2010/06/10 19:43:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/10 19:38:11 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/10 19:38:11 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/10 19:38:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/10 19:38:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/10 19:38:11 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/10 14:01:23 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/06/05 13:57:50 | 000,309,248 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\fontsub32.dll
[2010/06/05 01:58:23 | 000,309,248 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\dpwsock32.dll
[2010/06/04 20:22:51 | 000,309,248 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\dot3msm32.dll
[2010/06/02 15:33:45 | 000,309,248 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\dpnmodem32.dll
[2010/05/31 12:10:12 | 000,311,808 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\cnetcfg32.dll
[2010/05/31 00:41:19 | 000,311,808 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\dmband3232.dll
[2010/05/30 23:41:15 | 000,311,808 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\difxapi32.dll
[2010/05/30 18:13:38 | 000,311,808 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\dfrgui32.dll
[2010/05/30 17:13:33 | 000,311,808 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\dciman3232.dll
[2010/05/30 16:13:34 | 000,311,808 | ---- | C] (AIMP DevTeam) -- C:\WINDOWS\System32\ddrawex32.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[2 C:\Documents and Settings\Administrator\*.tmp files -> C:\Documents and Settings\Administrator\*.tmp -> ]
[12 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[106 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\Desktop\*.tmp files -> C:\Documents and Settings\Administrator\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/11 22:38:00 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/06/11 22:16:32 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{E4EE61A1-EC13-4D5D-8D3C-B233899A0356}.job
[2010/06/11 22:02:22 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/06/11 21:10:40 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/11 21:10:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/11 21:09:28 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/06/11 21:09:28 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/06/10 23:42:39 | 000,854,064 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Administrator\Desktop\Norton_Removal_Tool.exe
[2010/06/10 23:17:54 | 001,925,536 | ---- | M] (GEAR Software, Inc. ) -- C:\Documents and Settings\Administrator\Desktop\GEARISOBurn.exe
[2010/06/10 23:17:17 | 000,002,723 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GEAR ISO Burn.lnk
[2010/06/10 22:58:00 | 306,708,552 | ---- | M] (Nero AG) -- C:\Documents and Settings\Administrator\Desktop\Nero-10.0.13100_trial.exe
[2010/06/10 22:21:24 | 307,724,288 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\recovery_nav_x86.iso
[2010/06/10 21:23:14 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/10 21:07:51 | 000,003,769 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\0200000087eced3c879P.manifest
[2010/06/10 21:07:30 | 000,321,024 | ---- | M] () -- C:\WINDOWS\System32\csseqchk323232.dll
[2010/06/10 21:06:31 | 000,000,136 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\0200000087eced3c879O.manifest
[2010/06/10 21:06:31 | 000,000,051 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\0200000087eced3c879C.manifest
[2010/06/10 21:06:31 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\0200000087eced3c879S.manifest
[2010/06/10 21:03:26 | 000,321,024 | ---- | M] () -- C:\WINDOWS\System32\comuid32.dll
[2010/06/10 20:41:37 | 000,618,322 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\Cat.DB
[2010/06/10 20:35:40 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/06/10 20:35:40 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/06/10 20:35:40 | 000,007,443 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/06/10 20:35:40 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/06/10 20:34:47 | 000,001,885 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
[2010/06/10 20:34:17 | 000,000,755 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Norton Installation Files.lnk
[2010/06/10 20:05:59 | 000,000,141 | ---- | M] () -- C:\WINDOWS\System32\449e2184
[2010/06/10 19:37:59 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/10 19:37:59 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/10 19:37:59 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/10 19:37:59 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/10 19:37:59 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/10 18:04:04 | 010,584,058 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\river.wav
[2010/06/10 17:51:13 | 009,515,074 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\no mames.wav
[2010/06/10 16:00:50 | 000,321,024 | ---- | M] () -- C:\WINDOWS\System32\deskperf32.dll
[2010/06/10 15:59:58 | 000,098,256 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 15:12:46 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/10 15:10:30 | 000,488,794 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 15:10:30 | 000,432,686 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/10 15:10:30 | 000,067,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/09 19:42:34 | 000,304,640 | ---- | M] () -- C:\WINDOWS\System32\dpcdll32.dll
[2010/06/09 19:41:46 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/08 13:31:38 | 000,304,640 | ---- | M] () -- C:\WINDOWS\System32\dnsapi3232.dll
[2010/06/08 01:12:40 | 000,304,640 | ---- | M] () -- C:\WINDOWS\System32\dfrgui3232.dll
[2010/06/07 23:48:49 | 000,304,640 | ---- | M] () -- C:\WINDOWS\System32\eappgnui3232.dll
[2010/06/07 18:01:05 | 000,304,640 | ---- | M] () -- C:\WINDOWS\System32\bitsprx332.dll
[2010/06/07 11:44:53 | 000,304,640 | ---- | M] () -- C:\WINDOWS\System32\eapphost32.dll
[2010/06/05 13:57:50 | 000,309,248 | ---- | M] (AIMP DevTeam) -- C:\WINDOWS\System32\fontsub32.dll
[2010/06/05 01:58:23 | 000,309,248 | ---- | M] (AIMP DevTeam) -- C:\WINDOWS\System32\dpwsock32.dll
[2010/06/04 20:22:51 | 000,309,248 | ---- | M] (AIMP DevTeam) -- C:\WINDOWS\System32\dot3msm32.dll
[2010/06/02 15:33:45 | 000,309,248 | ---- | M] (AIMP DevTeam) -- C:\WINDOWS\System32\dpnmodem32.dll
[2010/05/31 12:10:12 | 000,311,808 | ---- | M] (AIMP DevTeam) -- C:\WINDOWS\System32\cnetcfg32.dll
[2010/05/31 00:41:19 | 000,311,808 | ---- | M] (AIMP DevTeam) -- C:\WINDOWS\System32\dmband3232.dll
[2010/05/30 23:41:15 | 000,311,808 | ---- | M] (AIMP DevTeam) -- C:\WINDOWS\System32\difxapi32.dll
[2010/05/30 18:13:38 | 000,311,808 | ---- | M] (AIMP DevTeam) -- C:\WINDOWS\System32\dfrgui32.dll
[2010/05/30 17:13:33 | 000,311,808 | ---- | M] (AIMP DevTeam) -- C:\WINDOWS\System32\dciman3232.dll
[2010/05/30 16:13:34 | 000,311,808 | ---- | M] (AIMP DevTeam) -- C:\WINDOWS\System32\ddrawex32.dll
[2010/05/27 17:59:30 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/17 12:58:59 | 000,283,648 | ---- | M] () -- C:\WINDOWS\System32\ipnathlp32.dll
[2010/05/17 11:58:55 | 000,283,648 | ---- | M] () -- C:\WINDOWS\System32\inetpp32.dll
[2010/05/17 10:58:54 | 000,283,648 | ---- | M] () -- C:\WINDOWS\System32\inetcplc32.dll
[2010/05/16 23:10:14 | 000,283,648 | ---- | M] () -- C:\WINDOWS\System32\comrepl32.dll
[2010/05/16 22:39:56 | 000,283,648 | ---- | M] () -- C:\WINDOWS\System32\hsfcisp232.dll
[2010/05/15 19:46:49 | 000,283,648 | ---- | M] () -- C:\WINDOWS\System32\htui32.dll
[2010/05/14 22:30:15 | 000,283,648 | ---- | M] () -- C:\WINDOWS\System32\dgrpsetu32.dll
[2010/05/14 01:36:08 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\isolate.ini
[2010/05/14 01:19:14 | 000,283,648 | ---- | M] () -- C:\WINDOWS\System32\ctl3dv232.dll
[2010/05/14 00:19:13 | 000,284,160 | ---- | M] () -- C:\WINDOWS\System32\csseqchk32.dll
[2010/05/13 23:19:12 | 000,284,160 | ---- | M] () -- C:\WINDOWS\System32\cscdll32.dll
[2010/05/13 22:19:10 | 000,284,160 | ---- | M] () -- C:\WINDOWS\System32\cryptext3232.dll
[2010/05/13 21:19:09 | 000,284,160 | ---- | M] () -- C:\WINDOWS\System32\cryptdll32.dll
[2010/05/13 20:19:07 | 000,284,160 | ---- | M] () -- C:\WINDOWS\System32\corpol32.dll
[2010/05/13 01:42:57 | 000,284,160 | ---- | M] () -- C:\WINDOWS\System32\icfgnt532.dll
[2010/05/13 00:42:56 | 000,284,160 | ---- | M] () -- C:\WINDOWS\System32\icardres32.dll
[2010/05/12 23:42:53 | 000,284,160 | ---- | M] () -- C:\WINDOWS\System32\iasnap32.dll
[2010/05/12 22:42:52 | 000,284,160 | ---- | M] () -- C:\WINDOWS\System32\iasads32.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[2 C:\Documents and Settings\Administrator\*.tmp files -> C:\Documents and Settings\Administrator\*.tmp -> ]
[12 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[106 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\Desktop\*.tmp files -> C:\Documents and Settings\Administrator\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/11 21:21:57 | 000,007,873 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symefa.cat
[2010/06/11 21:21:57 | 000,007,787 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symnetv.cat
[2010/06/11 21:21:57 | 000,007,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\srtspx.cat
[2010/06/11 21:21:57 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\srtsp.cat
[2010/06/11 21:21:57 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\iron.cat
[2010/06/11 21:21:57 | 000,007,425 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symds.cat
[2010/06/11 21:21:57 | 000,007,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\cchpx86.cat
[2010/06/11 21:21:57 | 000,007,368 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symnet.cat
[2010/06/11 21:21:57 | 000,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symefa.inf
[2010/06/11 21:21:57 | 000,002,793 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symds.inf
[2010/06/11 21:21:57 | 000,001,754 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\cchpx86.inf
[2010/06/11 21:21:57 | 000,001,473 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symnetv.inf
[2010/06/11 21:21:57 | 000,001,445 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symnet.inf
[2010/06/11 21:21:57 | 000,001,388 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\srtspx.inf
[2010/06/11 21:21:57 | 000,001,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\srtsp.inf
[2010/06/11 21:21:57 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\iron.inf
[2010/06/11 21:21:46 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\isolate.ini
[2010/06/10 23:16:29 | 000,002,723 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GEAR ISO Burn.lnk
[2010/06/10 22:20:14 | 307,724,288 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\recovery_nav_x86.iso
[2010/06/10 21:15:58 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/10 21:07:30 | 000,321,024 | ---- | C] () -- C:\WINDOWS\System32\csseqchk323232.dll
[2010/06/10 21:03:26 | 000,321,024 | ---- | C] () -- C:\WINDOWS\System32\comuid32.dll
[2010/06/10 20:41:21 | 000,618,322 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\Cat.DB
[2010/06/10 20:35:41 | 000,007,443 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/06/10 20:35:41 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/06/10 20:34:47 | 000,001,885 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
[2010/06/10 20:34:37 | 000,003,374 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\SymEFA.inf
[2010/06/10 20:34:37 | 000,002,793 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\SymDS.inf
[2010/06/10 20:34:37 | 000,001,754 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\ccHPx86.inf
[2010/06/10 20:34:37 | 000,001,473 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\SymNetV.inf
[2010/06/10 20:34:37 | 000,001,445 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\SymNet.inf
[2010/06/10 20:34:37 | 000,001,388 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\srtspx.inf
[2010/06/10 20:34:37 | 000,001,382 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\srtsp.inf
[2010/06/10 20:34:37 | 000,000,741 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\Iron.inf
[2010/06/10 20:34:36 | 000,007,787 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\symnetv.cat
[2010/06/10 20:34:36 | 000,007,444 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\SymEFA.cat
[2010/06/10 20:34:36 | 000,007,442 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\srtspx.cat
[2010/06/10 20:34:36 | 000,007,438 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\srtsp.cat
[2010/06/10 20:34:36 | 000,007,438 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\iron.cat
[2010/06/10 20:34:36 | 000,007,425 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\SymDS.cat
[2010/06/10 20:34:36 | 000,007,396 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\cchpx86.cat
[2010/06/10 20:34:36 | 000,007,368 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\SymNet.cat
[2010/06/10 20:34:36 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\isolate.ini
[2010/06/10 18:04:04 | 010,584,058 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\river.wav
[2010/06/10 17:51:12 | 009,515,074 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\no mames.wav
[2010/06/10 16:00:50 | 000,321,024 | ---- | C] () -- C:\WINDOWS\System32\deskperf32.dll
[2010/06/09 19:42:34 | 000,304,640 | ---- | C] () -- C:\WINDOWS\System32\dpcdll32.dll
[2010/06/08 13:31:38 | 000,304,640 | ---- | C] () -- C:\WINDOWS\System32\dnsapi3232.dll
[2010/06/08 01:12:40 | 000,304,640 | ---- | C] () -- C:\WINDOWS\System32\dfrgui3232.dll
[2010/06/07 23:48:49 | 000,304,640 | ---- | C] () -- C:\WINDOWS\System32\eappgnui3232.dll
[2010/06/07 18:01:05 | 000,304,640 | ---- | C] () -- C:\WINDOWS\System32\bitsprx332.dll
[2010/06/07 11:44:53 | 000,304,640 | ---- | C] () -- C:\WINDOWS\System32\eapphost32.dll
[2010/05/18 23:34:42 | 000,000,141 | ---- | C] () -- C:\WINDOWS\System32\449e2184
[2010/05/17 12:58:59 | 000,283,648 | ---- | C] () -- C:\WINDOWS\System32\ipnathlp32.dll
[2010/05/17 11:58:55 | 000,283,648 | ---- | C] () -- C:\WINDOWS\System32\inetpp32.dll
[2010/05/17 10:58:54 | 000,283,648 | ---- | C] () -- C:\WINDOWS\System32\inetcplc32.dll
[2010/05/16 23:10:14 | 000,283,648 | ---- | C] () -- C:\WINDOWS\System32\comrepl32.dll
[2010/05/16 22:39:55 | 000,283,648 | ---- | C] () -- C:\WINDOWS\System32\hsfcisp232.dll
[2010/05/15 19:46:49 | 000,283,648 | ---- | C] () -- C:\WINDOWS\System32\htui32.dll
[2010/05/14 22:30:15 | 000,283,648 | ---- | C] () -- C:\WINDOWS\System32\dgrpsetu32.dll
[2010/05/14 01:19:14 | 000,283,648 | ---- | C] () -- C:\WINDOWS\System32\ctl3dv232.dll
[2010/05/14 00:19:13 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\csseqchk32.dll
[2010/05/13 23:19:12 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\cscdll32.dll
[2010/05/13 22:19:10 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\cryptext3232.dll
[2010/05/13 21:19:09 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\cryptdll32.dll
[2010/05/13 20:19:07 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\corpol32.dll
[2010/05/13 01:42:57 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\icfgnt532.dll
[2010/05/13 00:42:56 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\icardres32.dll
[2010/05/12 23:42:53 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\iasnap32.dll
[2010/05/12 22:42:52 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\iasads32.dll
[2010/05/12 21:42:51 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\hypertrm32.dll
[2010/05/12 20:42:48 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\hlink32.dll
[2010/05/12 19:42:47 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\hhsetup32.dll
[2010/05/12 18:42:45 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\gpkcsp32.dll
[2010/05/12 17:42:43 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\GEARAspi32.dll
[2010/05/12 16:59:51 | 000,284,160 | ---- | C] () -- C:\WINDOWS\System32\ipmontr32.dll
[2010/04/20 17:52:31 | 000,003,580 | ---- | C] () -- C:\WINDOWS\GnuHashes.ini
[2010/04/20 17:43:55 | 000,240,128 | ---- | C] () -- C:\WINDOWS\System32\iernonce32.dll
[2009/07/14 23:45:12 | 000,003,604 | ---- | C] () -- C:\WINDOWS\System32\drivers\BS_Flash.sys
[2008/07/02 15:54:49 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008/07/02 15:53:17 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2008/07/02 15:51:23 | 000,046,080 | R--- | C] () -- C:\WINDOWS\System32\itevio.dll

========== LOP Check ==========

[2010/03/26 01:11:13 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Administrator\Application Data\CleanUp Antivirus
[2010/06/11 22:41:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\LimeWire
[2010/06/10 13:51:55 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Administrator\Application Data\SystemProc
[2010/06/10 20:56:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Tific
[2010/03/26 16:26:22 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\72de44a
[2010/03/17 19:44:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3 YPack Trial
[2010/03/26 01:10:01 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\CUEWLAPA
[2010/06/10 20:28:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2009/09/14 22:40:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/08/26 15:24:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/06/10 23:16:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{C3243856-7746-4A05-8837-51A28C1CDD82}
[2010/06/11 22:16:32 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{E4EE61A1-EC13-4D5D-8D3C-B233899A0356}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2008/07/02 15:55:17 | 000,001,300 | ---- | M] () -- C:\ALCSetup.log
[2008/07/02 15:44:17 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/07/02 15:50:39 | 000,000,223 | RHS- | M] () -- C:\boot.ini
[2008/07/02 15:44:17 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/07/02 15:44:17 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/07/02 15:44:17 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/07/02 15:55:17 | 000,000,189 | ---- | M] () -- C:\mylog.log
[2004/08/03 23:38:34 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/03/26 17:41:13 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/06/11 21:10:36 | 1509,949,440 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\user32.dll /md5 >
[2008/04/13 19:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll
[106 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/04/13 19:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll
[106 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[106 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/07/01 21:30:28 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/07/01 21:30:28 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/07/01 21:30:28 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /180 >
[2010/02/24 08:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2009/12/31 11:50:03 | 000,353,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\srv.sys
[2010/06/10 20:35:40 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS
[2010/02/11 07:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys
[2 C:\WINDOWS\system32\drivers\*.tmp files -> C:\WINDOWS\system32\drivers\*.tmp -> ]

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
< End of report >


2. These are the logs from the Extras.txt


OTL Extras logfile created on: 6/11/2010 10:40:01 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 423.00 Mb Available Physical Memory | 44.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 38.69 Gb Free Space | 51.92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: POLLITA
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mscdexnt.exe File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UACDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Documents and Settings\Administrator\Local Settings\Temp\7zS61.tmp\SymNRT.exe" = C:\Documents and Settings\Administrator\Local Settings\Temp\7zS61.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found
"C:\Documents and Settings\Administrator\Local Settings\Temp\7zS63.tmp\SymNRT.exe" = C:\Documents and Settings\Administrator\Local Settings\Temp\7zS63.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found
"C:\Documents and Settings\All Users\Application Data\72de44a\CU72de.exe" = C:\Documents and Settings\All Users\Application Data\72de44a\CU72de.exe:*:Enabled:CleanUp Antivirus -- File not found
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = MSN Toolbar
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1EEAEAD7-95F3-489C-AB71-D188D530A951}" = Wireless USB Card
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{417E7710-C77B-4CB9-839A-D586A12C64E2}" = Smart Guardian
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{61F38EBC-FAFF-45D4-BD9A-97584A489EFB}" = GEAR ISO Burn
"{63415CB1-3C97-4D9C-980D-336710EB0526}" = Age of Empires III - The Asian Dynasties Trial
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{961034C0-58DF-11DF-97FD-005056806466}" = Google Earth Plug-in
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{B2F39A9D-608F-42B7-8170-F9B0C80A3245}" = Wireless PCI_CardBus utility V1.10
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2FD1079-2CF1-461E-8418-E91CA6656B45}" = BIOS Flash
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{EB4EAD4A-8A80-43A5-8B23-78A2F6B26298}" = WarpSpeeder
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"53F13DB4D9611FD63BE580F06F0729BF236ABE68" = Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Free Audio CD Burner_is1" = Free Audio CD Burner version 1.2
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.2
"ie8" = Windows Internet Explorer 8
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"InstallShield_{63415CB1-3C97-4D9C-980D-336710EB0526}" = Age of Empires III - The Asian Dynasties Trial
"LimeWire" = LimeWire 5.2.13
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyWebSearch bar Uninstall" = My Web Search (Webfetti)
"NAV" = Norton AntiVirus
"PlayMP3" = PlayMP3z
"QualitySuperBrandingSystem" = QualitySuperBrandingSystem
"Uninstall_is1" = Uninstall 1.0.0.1
"VIA/S3G UniChrome Family Win2K/XP/Server2003 Display" = VIA/S3G Display Driver 6.14.10.0364
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast-Ethernet Adapter
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/4/2010 11:08:26 PM | Computer Name = POLLITA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/5/2010 12:04:54 AM | Computer Name = POLLITA | Source = Application Error | ID = 1000
Description = Faulting application asoelnch.exe, version 17.6.0.32, faulting module
kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 6/7/2010 7:19:28 PM | Computer Name = POLLITA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/8/2010 2:45:21 PM | Computer Name = POLLITA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/10/2010 4:08:51 PM | Computer Name = POLLITA | Source = Application Error | ID = 1000
Description = Faulting application RegSvcs.exe, version 2.0.50727.3053, faulting
module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 6/10/2010 4:11:01 PM | Computer Name = POLLITA | Source = Application Error | ID = 1000
Description = Faulting application RegSvcs.exe, version 2.0.50727.3053, faulting
module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 6/10/2010 4:11:42 PM | Computer Name = POLLITA | Source = Application Error | ID = 1000
Description = Faulting application ServiceModelReg.exe, version 3.0.4506.2152, faulting
module kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 6/10/2010 7:49:57 PM | Computer Name = POLLITA | Source = Application Error | ID = 1000
Description = Faulting application asoelnch.exe, version 17.6.0.32, faulting module
kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 6/10/2010 9:11:48 PM | Computer Name = POLLITA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/10/2010 10:41:07 PM | Computer Name = POLLITA | Source = Application Error | ID = 1000
Description = Faulting application ccsvchst.exe, version 109.0.3.4, faulting module
unknown, version 0.0.0.0, fault address 0x00000002.

[ System Events ]
Error - 6/10/2010 9:35:32 PM | Computer Name = POLLITA | Source = Service Control Manager | ID = 7000
Description = The NTPort Library Driver service failed to start due to the following
error: %%2001

Error - 6/10/2010 9:35:32 PM | Computer Name = POLLITA | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2147500053

Error - 6/10/2010 10:04:00 PM | Computer Name = POLLITA | Source = Service Control Manager | ID = 7000
Description = The NTPort Library Driver service failed to start due to the following
error: %%2001

Error - 6/10/2010 10:08:08 PM | Computer Name = POLLITA | Source = Service Control Manager | ID = 7000
Description = The NTPort Library Driver service failed to start due to the following
error: %%2001

Error - 6/10/2010 10:33:07 PM | Computer Name = POLLITA | Source = Service Control Manager | ID = 7000
Description = The NTPort Library Driver service failed to start due to the following
error: %%2001

Error - 6/10/2010 10:46:36 PM | Computer Name = POLLITA | Source = Service Control Manager | ID = 7000
Description = The NTPort Library Driver service failed to start due to the following
error: %%2001

Error - 6/11/2010 12:03:22 AM | Computer Name = POLLITA | Source = Service Control Manager | ID = 7000
Description = The NTPort Library Driver service failed to start due to the following
error: %%2001

Error - 6/11/2010 12:32:10 AM | Computer Name = POLLITA | Source = Service Control Manager | ID = 7000
Description = The NTPort Library Driver service failed to start due to the following
error: %%2001

Error - 6/11/2010 9:58:40 PM | Computer Name = POLLITA | Source = Service Control Manager | ID = 7000
Description = The NTPort Library Driver service failed to start due to the following
error: %%2001

Error - 6/11/2010 10:12:03 PM | Computer Name = POLLITA | Source = Service Control Manager | ID = 7000
Description = The NTPort Library Driver service failed to start due to the following
error: %%2001


< End of report >
  • 0

#4
1kared

    Member

  • Member
  • 11 posts
3. This is the log that was produced after running GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-11 23:44:45
Windows 5.1.2600 Service Pack 3
Running: mo0j38m8.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgrdapob.sys


---- System - GMER 1.0.15 ----

Code 85F7A3A0 ZwEnumerateKey
Code 85F7EDC0 ZwFlushInstructionCache
Code 8603C096 IofCallDriver
Code 85F558A6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 8603C09B
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 85F558AB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEB8 5 Bytes JMP 85F7EDC4
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB90 5 Bytes JMP 85F7A3A4
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\PRAGMAvstypyrivf\PRAGMAd.sys (*** hidden *** ) F562D000-F5652000 (151552 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\PRAGMAvstypyrivf\PRAGMAd.sys (*** hidden *** ) [SYSTEM] PRAGMAvstypyrivf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstypyrivf
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstypyrivf@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstypyrivf@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstypyrivf@imagepath \systemroot\PRAGMAvstypyrivf\PRAGMAd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstypyrivf\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstypyrivf\modules@PRAGMAd \systemroot\PRAGMAvstypyrivf\PRAGMAd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstypyrivf\modules@PRAGMAc \systemroot\PRAGMAvstypyrivf\PRAGMAc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstypyrivf\modules@pragmaserf pragmaserf
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAvstypyrivf\modules@pragmabbr pragmabbr
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstypyrivf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstypyrivf@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstypyrivf@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstypyrivf@imagepath \systemroot\PRAGMAvstypyrivf\PRAGMAd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstypyrivf\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstypyrivf\modules@PRAGMAd \systemroot\PRAGMAvstypyrivf\PRAGMAd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstypyrivf\modules@PRAGMAc \systemroot\PRAGMAvstypyrivf\PRAGMAc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstypyrivf\modules@pragmaserf pragmaserf
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAvstypyrivf\modules@pragmabbr pragmabbr

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Administrator\Local Settings\Temp\PRAGMAae6.tmp 343040 bytes executable
File C:\Documents and Settings\Administrator\Local Settings\Temp\pragmamainqt.dll 10354 bytes
File C:\Documents and Settings\Administrator\Local Settings\Temp\pragmapdconf.ini 35 bytes
File C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll 1173 bytes
File C:\WINDOWS\PRAGMAvstypyrivf 0 bytes
File C:\WINDOWS\PRAGMAvstypyrivf\pragmabbr.dll 0 bytes
File C:\WINDOWS\PRAGMAvstypyrivf\PRAGMAc.dll 34816 bytes executable
File C:\WINDOWS\PRAGMAvstypyrivf\PRAGMAcfg.ini 255 bytes
File C:\WINDOWS\PRAGMAvstypyrivf\PRAGMAd.sys 52736 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\PRAGMAvstypyrivf\pragmaserf.dll 0 bytes
File C:\WINDOWS\PRAGMAvstypyrivf\PRAGMAsrcr.dat 143 bytes

---- EOF - GMER 1.0.15 ----

4. And the computer is still the same :)
  • 0

#5
SweetTech

    Sir SpamAlot

  • Moderator
  • 7,671 posts
Hello,

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.

I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

NEXT:

OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"

    :Services
    :OTL
    O2 - BHO: (no name) - {007BC35E-06FD-4B87-BFE1-22A27906B674} - C:\WINDOWS\system32\csseqchk323232.dll ()
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKLM..\Run: [UserFaultCheck] File not found
    O4 - HKCU..\Run: [CleanUp Antivirus] File not found
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: RTHDBPL = C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe ()
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O20 - HKLM Winlogon: TaskMan - (C:\RECYCLER\S-1-5-21-3117440764-5918610976-690569324-0429\msimfo32.exe) - C:\RECYCLER\S-1-5-21-3117440764-5918610976-690569324-0429\msimfo32.exe File not found
    O20 - Winlogon\Notify\141e2683879: DllName - C:\WINDOWS\System32\ieakui32.dll - C:\WINDOWS\System32\ieakui32.dll File not found
    O33 - MountPoints2\{7b1723c2-49b3-11de-9b14-00e04d820647}\Shell\AutoRun\command - "" = BOOTEX\thumbcache_131.exe
    O33 - MountPoints2\{7b1723c2-49b3-11de-9b14-00e04d820647}\Shell\explore\command - "" = BOOTEX/thumbcache_131.exe
    O33 - MountPoints2\{7b1723c2-49b3-11de-9b14-00e04d820647}\Shell\open\command - "" = .////BOOTEX/thumbcache_131.exe
    O33 - MountPoints2\{e3bee2c0-2011-11df-9b9b-00e04d820647}\Shell\AutoRun\command - "" = F:\BOOTEX\thumbcache_131.exe -- File not found
    O33 - MountPoints2\{e3bee2c0-2011-11df-9b9b-00e04d820647}\Shell\explore\command - "" = F:\
    O33 - MountPoints2\{e3bee2c0-2011-11df-9b9b-00e04d820647}\Shell\open\command - "" = F:\.\\BOOTEX\thumbcache_131.exe -- File not found
    O33 - MountPoints2\{ee7b0a08-6764-11de-9b19-00e04d820647}\Shell\AutoRun\command - "" = E:\3c.exe -- File not found
    O33 - MountPoints2\{ee7b0a08-6764-11de-9b19-00e04d820647}\Shell\open\Command - "" = E:\3c.exe -- File not found
    O33 - MountPoints2\{ee7b0a0f-6764-11de-9b19-00e04d820647}\Shell - "" = AutoRun
    O33 - MountPoints2\{ee7b0a0f-6764-11de-9b19-00e04d820647}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{ee7b0a0f-6764-11de-9b19-00e04d820647}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{f2e62cae-7807-11de-9b1f-00e04d820647}\Shell - "" = AutoRun
    O33 - MountPoints2\{f2e62cae-7807-11de-9b1f-00e04d820647}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{f2e62cae-7807-11de-9b1f-00e04d820647}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
    O37 - HKCU\...exe [@ = secfile] -- "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mscdexnt.exe" /START "%1" %* File not found
    [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
    [2 C:\Documents and Settings\Administrator\*.tmp files -> C:\Documents and Settings\Administrator\*.tmp -> ]
    [12 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
    [106 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\Documents and Settings\Administrator\Desktop\*.tmp files -> C:\Documents and Settings\Administrator\Desktop\*.tmp -> ]
    [2010/06/10 20:05:59 | 000,000,141 | ---- | M] () -- C:\WINDOWS\System32\449e2184
    [2010/03/26 16:26:22 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\72de44a
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
  • 0

#6
1kared

    Member

  • Member
  • 11 posts
All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{007BC35E-06FD-4B87-BFE1-22A27906B674}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{007BC35E-06FD-4B87-BFE1-22A27906B674}\ deleted successfully.
C:\WINDOWS\system32\csseqchk323232.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\CleanUp Antivirus deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\RTHDBPL deleted successfully.
C:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe moved successfully.
Starting removal of ActiveX control {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.1.1.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\TaskMan:C:\RECYCLER\S-1-5-21-3117440764-5918610976-690569324-0429\msimfo32.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\141e2683879\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b1723c2-49b3-11de-9b14-00e04d820647}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b1723c2-49b3-11de-9b14-00e04d820647}\ not found.
File BOOTEX\thumbcache_131.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b1723c2-49b3-11de-9b14-00e04d820647}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b1723c2-49b3-11de-9b14-00e04d820647}\ not found.
File BOOTEX/thumbcache_131.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b1723c2-49b3-11de-9b14-00e04d820647}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b1723c2-49b3-11de-9b14-00e04d820647}\ not found.
File .////BOOTEX/thumbcache_131.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e3bee2c0-2011-11df-9b9b-00e04d820647}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e3bee2c0-2011-11df-9b9b-00e04d820647}\ not found.
File F:\BOOTEX\thumbcache_131.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e3bee2c0-2011-11df-9b9b-00e04d820647}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e3bee2c0-2011-11df-9b9b-00e04d820647}\ not found.
File F:\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e3bee2c0-2011-11df-9b9b-00e04d820647}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e3bee2c0-2011-11df-9b9b-00e04d820647}\ not found.
File F:\.\\BOOTEX\thumbcache_131.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee7b0a08-6764-11de-9b19-00e04d820647}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ee7b0a08-6764-11de-9b19-00e04d820647}\ not found.
File E:\3c.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee7b0a08-6764-11de-9b19-00e04d820647}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ee7b0a08-6764-11de-9b19-00e04d820647}\ not found.
File E:\3c.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee7b0a0f-6764-11de-9b19-00e04d820647}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ee7b0a0f-6764-11de-9b19-00e04d820647}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee7b0a0f-6764-11de-9b19-00e04d820647}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ee7b0a0f-6764-11de-9b19-00e04d820647}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ee7b0a0f-6764-11de-9b19-00e04d820647}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ee7b0a0f-6764-11de-9b19-00e04d820647}\ not found.
File E:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2e62cae-7807-11de-9b1f-00e04d820647}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f2e62cae-7807-11de-9b1f-00e04d820647}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2e62cae-7807-11de-9b1f-00e04d820647}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f2e62cae-7807-11de-9b1f-00e04d820647}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f2e62cae-7807-11de-9b1f-00e04d820647}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f2e62cae-7807-11de-9b1f-00e04d820647}\ not found.
File E:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\Software\Classes\.exe\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\secfile\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\WINDOWS\003004_.tmp deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\drivers\SET5C7.tmp deleted successfully.
C:\WINDOWS\System32\drivers\SET60B.tmp deleted successfully.
C:\Documents and Settings\Administrator\ttxjfcywbu.tmp deleted successfully.
C:\Documents and Settings\Administrator\udpcrawl.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET66C.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET66D.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET66E.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET66F.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET670.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET671.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET685.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET686.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET687.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET688.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET689.tmp deleted successfully.
C:\WINDOWS\System32\dllcache\SET68A.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET38.tmp deleted successfully.
C:\WINDOWS\System32\SET3C.tmp deleted successfully.
C:\WINDOWS\System32\SET44.tmp deleted successfully.
C:\WINDOWS\System32\SET556.tmp deleted successfully.
C:\WINDOWS\System32\SET557.tmp deleted successfully.
C:\WINDOWS\System32\SET558.tmp deleted successfully.
C:\WINDOWS\System32\SET559.tmp deleted successfully.
C:\WINDOWS\System32\SET55A.tmp deleted successfully.
C:\WINDOWS\System32\SET578.tmp deleted successfully.
C:\WINDOWS\System32\SET579.tmp deleted successfully.
C:\WINDOWS\System32\SET57A.tmp deleted successfully.
C:\WINDOWS\System32\SET57B.tmp deleted successfully.
C:\WINDOWS\System32\SET57C.tmp deleted successfully.
C:\WINDOWS\System32\SET5A0.tmp deleted successfully.
C:\WINDOWS\System32\SET5A5.tmp deleted successfully.
C:\WINDOWS\System32\SET5A8.tmp deleted successfully.
C:\WINDOWS\System32\SET5AD.tmp deleted successfully.
C:\WINDOWS\System32\SET5B0.tmp deleted successfully.
C:\WINDOWS\System32\SET5B5.tmp deleted successfully.
C:\WINDOWS\System32\SET5B8.tmp deleted successfully.
C:\WINDOWS\System32\SET5B9.tmp deleted successfully.
C:\WINDOWS\System32\SET5BA.tmp deleted successfully.
C:\WINDOWS\System32\SET5BB.tmp deleted successfully.
C:\WINDOWS\System32\SET5BC.tmp deleted successfully.
C:\WINDOWS\System32\SET5BD.tmp deleted successfully.
C:\WINDOWS\System32\SET5BE.tmp deleted successfully.
C:\WINDOWS\System32\SET5BF.tmp deleted successfully.
C:\WINDOWS\System32\SET5C0.tmp deleted successfully.
C:\WINDOWS\System32\SET5C1.tmp deleted successfully.
C:\WINDOWS\System32\SET5C2.tmp deleted successfully.
C:\WINDOWS\System32\SET5C3.tmp deleted successfully.
C:\WINDOWS\System32\SET5C4.tmp deleted successfully.
C:\WINDOWS\System32\SET5C5.tmp deleted successfully.
C:\WINDOWS\System32\SET5C6.tmp deleted successfully.
C:\WINDOWS\System32\SET5EB.tmp deleted successfully.
C:\WINDOWS\System32\SET5EC.tmp deleted successfully.
C:\WINDOWS\System32\SET5ED.tmp deleted successfully.
C:\WINDOWS\System32\SET5EE.tmp deleted successfully.
C:\WINDOWS\System32\SET5EF.tmp deleted successfully.
C:\WINDOWS\System32\SET5F0.tmp deleted successfully.
C:\WINDOWS\System32\SET5F1.tmp deleted successfully.
C:\WINDOWS\System32\SET5F2.tmp deleted successfully.
C:\WINDOWS\System32\SET5F3.tmp deleted successfully.
C:\WINDOWS\System32\SET5F4.tmp deleted successfully.
C:\WINDOWS\System32\SET5F5.tmp deleted successfully.
C:\WINDOWS\System32\SET5F6.tmp deleted successfully.
C:\WINDOWS\System32\SET5F7.tmp deleted successfully.
C:\WINDOWS\System32\SET5F8.tmp deleted successfully.
C:\WINDOWS\System32\SET5F9.tmp deleted successfully.
C:\WINDOWS\System32\SET618.tmp deleted successfully.
C:\WINDOWS\System32\SET61D.tmp deleted successfully.
C:\WINDOWS\System32\SET65C.tmp deleted successfully.
C:\WINDOWS\System32\SET663.tmp deleted successfully.
C:\WINDOWS\System32\SET669.tmp deleted successfully.
C:\WINDOWS\System32\SET66A.tmp deleted successfully.
C:\WINDOWS\System32\SET66B.tmp deleted successfully.
C:\WINDOWS\System32\SET682.tmp deleted successfully.
C:\WINDOWS\System32\SET683.tmp deleted successfully.
C:\WINDOWS\System32\SET684.tmp deleted successfully.
C:\WINDOWS\System32\SET6A8.tmp deleted successfully.
C:\WINDOWS\System32\SET6AD.tmp deleted successfully.
C:\WINDOWS\System32\SET6B9.tmp deleted successfully.
C:\WINDOWS\System32\SET6BF.tmp deleted successfully.
C:\WINDOWS\System32\SET6E5.tmp deleted successfully.
C:\WINDOWS\System32\SET6EC.tmp deleted successfully.
C:\WINDOWS\System32\SET6F1.tmp deleted successfully.
C:\WINDOWS\System32\SET6F6.tmp deleted successfully.
C:\WINDOWS\System32\SET705.tmp deleted successfully.
C:\WINDOWS\System32\SET70A.tmp deleted successfully.
C:\WINDOWS\System32\SET70E.tmp deleted successfully.
C:\WINDOWS\System32\SET72F.tmp deleted successfully.
C:\WINDOWS\System32\SET767.tmp deleted successfully.
C:\WINDOWS\System32\SET768.tmp deleted successfully.
C:\WINDOWS\System32\SET769.tmp deleted successfully.
C:\WINDOWS\System32\SET7A3.tmp deleted successfully.
C:\WINDOWS\System32\SET7A4.tmp deleted successfully.
C:\WINDOWS\System32\SET7A5.tmp deleted successfully.
C:\WINDOWS\System32\SET7D3.tmp deleted successfully.
C:\WINDOWS\System32\SET7D8.tmp deleted successfully.
C:\WINDOWS\System32\SET7E1.tmp deleted successfully.
C:\WINDOWS\System32\SET7E6.tmp deleted successfully.
C:\WINDOWS\System32\SET7E9.tmp deleted successfully.
C:\WINDOWS\System32\SET7EE.tmp deleted successfully.
C:\WINDOWS\System32\SET7F7.tmp deleted successfully.
C:\WINDOWS\System32\SET7F8.tmp deleted successfully.
C:\WINDOWS\System32\SET801.tmp deleted successfully.
C:\WINDOWS\System32\SET802.tmp deleted successfully.
C:\WINDOWS\System32\SET834.tmp deleted successfully.
C:\WINDOWS\System32\SET835.tmp deleted successfully.
C:\WINDOWS\System32\SET837.tmp deleted successfully.
C:\WINDOWS\System32\SET838.tmp deleted successfully.
C:\WINDOWS\System32\SET839.tmp deleted successfully.
C:\WINDOWS\System32\SET83C.tmp deleted successfully.
C:\WINDOWS\System32\SET83E.tmp deleted successfully.
C:\WINDOWS\System32\SET867.tmp deleted successfully.
C:\WINDOWS\System32\SET869.tmp deleted successfully.
C:\WINDOWS\System32\SET86D.tmp deleted successfully.
C:\WINDOWS\System32\SET86E.tmp deleted successfully.
C:\WINDOWS\System32\SET86F.tmp deleted successfully.
C:\WINDOWS\System32\SET871.tmp deleted successfully.
C:\WINDOWS\System32\SET872.tmp deleted successfully.
C:\WINDOWS\System32\SET883.tmp deleted successfully.
C:\WINDOWS\System32\SET88C.tmp deleted successfully.
C:\WINDOWS\System32\SET890.tmp deleted successfully.
C:\WINDOWS\System32\SET895.tmp deleted successfully.
C:\Documents and Settings\Administrator\Desktop\ttxjfcywbu.tmp deleted successfully.
C:\WINDOWS\system32\449e2184 moved successfully.
C:\Documents and Settings\All Users\Application Data\72de44a\Quarantine Items folder moved successfully.
C:\Documents and Settings\All Users\Application Data\72de44a\CUASys folder moved successfully.
C:\Documents and Settings\All Users\Application Data\72de44a\BackUp folder moved successfully.
C:\Documents and Settings\All Users\Application Data\72de44a folder moved successfully.
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 1959000686 bytes
->Temporary Internet Files folder emptied: 40754672 bytes
->Java cache emptied: 2813295 bytes
->Flash cache emptied: 84777 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 43383 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 5473981 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 42268633 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 38520326 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1870 bytes

Total Files Cleaned = 1,992.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.6.0 log created on 06132010_182025

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF3554.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF3559.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5398.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF539D.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7410.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7415.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF842D.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF8432.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF87CC.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DF87DB.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB1FC.tmp not found!
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB203.tmp not found!
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB665.tmp moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y9V55TWS\mim_ajax[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\QYBXZDAM\index[1].cfm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LSFCTP6A\adopt[1].txt moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LSFCTP6A\adopt[2].txt moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LSFCTP6A\adopt[3].txt moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LSFCTP6A\ConsoleSettingsFrame[1].aspx moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LSFCTP6A\GenericPopup[1].aspx moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IF50MC0N\FriendsList[1].aspx moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DWMRWW9B\GoogleAd[1].ashx moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DR0G12NJ\SettingsPopup[1].aspx moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CUC3KDNS\1276464979942[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CUC3KDNS\B4291814[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CUC3KDNS\ConsoleTabsFrame[1].aspx moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CUC3KDNS\PunyMCE[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\46CB8BI7\Explorer-Exe-Bad-image-t279304[1].html moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\46CB8BI7\iframe[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

Registry entries deleted on Reboot...




I can open itunes now :)
  • 0

#7 SweetTech (Sir SpamAlot, Moderator, 7,671 posts)
That is great news! We still have some more work to do, so please make sure that you complete the ComboFix scan on your computer, and post the log for me to analyze.
  • 0

#8 1kared (Member, 11 posts)
C:\ComboFix.txt



ComboFix 10-06-13.01 - Administrator 06/13/2010 18:38:08.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.694 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\0200000087eced3c879C.manifest
c:\documents and settings\Administrator\Application Data\0200000087eced3c879O.manifest
c:\documents and settings\Administrator\Application Data\0200000087eced3c879P.manifest
c:\documents and settings\Administrator\Application Data\0200000087eced3c879S.manifest
c:\documents and settings\Administrator\Application Data\CleanUp Antivirus
c:\documents and settings\Administrator\Application Data\CleanUp Antivirus\Instructions.ini
c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\CleanUp Antivirus.lnk
c:\documents and settings\Administrator\Application Data\SystemProc
c:\documents and settings\Administrator\Application Data\SystemProc\upd.exe
c:\documents and settings\Administrator\Recent\ANTIGEN.drv
c:\documents and settings\Administrator\Recent\cb.tmp
c:\documents and settings\Administrator\Recent\CLSV.tmp
c:\documents and settings\Administrator\Recent\delfile.drv
c:\documents and settings\Administrator\Recent\eb.exe
c:\documents and settings\Administrator\Recent\energy.exe
c:\documents and settings\Administrator\Recent\exec.dll
c:\documents and settings\Administrator\Recent\exec.sys
c:\documents and settings\Administrator\Recent\fix.dll
c:\documents and settings\Administrator\Recent\kernel32.sys
c:\documents and settings\Administrator\Recent\PE.dll
c:\documents and settings\Administrator\Recent\PE.drv
c:\documents and settings\Administrator\Recent\PE.sys
c:\documents and settings\Administrator\Recent\ppal.tmp
c:\documents and settings\Administrator\Recent\SICKBOY.sys
c:\documents and settings\Administrator\Recent\sld.sys
c:\documents and settings\Administrator\Recent\SM.sys
c:\documents and settings\Administrator\Recent\std.drv
c:\documents and settings\Administrator\Start Menu\CleanUp Antivirus.lnk
c:\documents and settings\Administrator\Start Menu\Programs\CleanUp Antivirus.lnk
c:\documents and settings\Administrator\Start Menu\Programs\PlayMP3z
c:\documents and settings\Administrator\Start Menu\Programs\PlayMP3z\Run PlayMP3z.pif
c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
c:\program files\driver
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\CHROME.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTmlmu.dll
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\1.bin\INSTALL.RDF
c:\program files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\1.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSg.dll
c:\program files\MyWebSearch\bar\1.bin\M3OUtlcn.dll
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSMLBTN.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSUABTN.DLL
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\00520698
c:\program files\MyWebSearch\bar\Cache\005209C5.bin
c:\program files\MyWebSearch\bar\Cache\00520A9F.bin
c:\program files\MyWebSearch\bar\Cache\00520B4B.bin
c:\program files\MyWebSearch\bar\Cache\00520C26.bin
c:\program files\MyWebSearch\bar\Cache\00520E1A.bin
c:\program files\MyWebSearch\bar\Cache\00520E97
c:\program files\MyWebSearch\bar\Cache\0056F6A2.bin
c:\program files\MyWebSearch\bar\Cache\0056F819.bin
c:\program files\MyWebSearch\bar\Cache\0056F923.bin
c:\program files\MyWebSearch\bar\Cache\0056F9FD.bin
c:\program files\MyWebSearch\bar\Cache\00C1B144
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Message\COMMON\8_step1.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.htm
c:\program files\MyWebSearch\bar\Message\COMMON\bkez.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkgr.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkgs.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bklf.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkrg.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkwebfet.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzc.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzl.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzn.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzq.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzr.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzu.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzv.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzw.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzwinky.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn2d.png
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn2r.png
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn3d.png
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn3r.png
c:\program files\MyWebSearch\bar\Message\COMMON\center.htm
c:\program files\MyWebSearch\bar\Message\COMMON\index.htm
c:\program files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
c:\program files\MyWebSearch\bar\Message\COMMON\protect.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut4.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut4b.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut4c.htm
c:\program files\MyWebSearch\bar\Message\COMMON\shield.png
c:\program files\MyWebSearch\bar\Message\COMMON\shocked.gif
c:\program files\MyWebSearch\bar\Message\COMMON\stop.gif
c:\program files\MyWebSearch\bar\Message\COMMON\systray.htm
c:\program files\MyWebSearch\bar\Message\COMMON\systrayp.htm
c:\program files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
c:\program files\MyWebSearch\bar\Message\COMMON\warn.gif
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_FeatCk.dat
c:\program files\MyWebSearch\bar\Settings\s_FeatCk.dat.bak
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\PlayMP3z
c:\program files\PlayMP3z\PlayMP3.exe
c:\program files\PlayMP3z\uninstall.exe
c:\program files\Protection Center
c:\program files\Protection Center\about.ico
c:\program files\Protection Center\activate.ico
c:\program files\Protection Center\buy.ico
c:\program files\Protection Center\cnt.db
c:\program files\Protection Center\help.ico
c:\program files\Protection Center\scan.ico
c:\program files\Protection Center\settings.ico
c:\program files\Protection Center\splash.mp3
c:\program files\Protection Center\update.ico
c:\program files\Protection Center\virus.mp3
c:\program files\QualitySuperBrandingSystem\QuALitysuperbrandingsystem.dll
c:\windows\GnuHashes.ini
c:\windows\PRAGMAvstypyrivf
c:\windows\PRAGMAvstypyrivf\pragmabbr.dll
c:\windows\PRAGMAvstypyrivf\PRAGMAc.dll
c:\windows\PRAGMAvstypyrivf\PRAGMAcfg.ini
c:\windows\PRAGMAvstypyrivf\PRAGMAd.sys
c:\windows\PRAGMAvstypyrivf\pragmaserf.dll
c:\windows\PRAGMAvstypyrivf\PRAGMAsrcr.dat
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000015_.tmp.dll
c:\windows\system32\_000016_.tmp.dll
c:\windows\system32\_000018_.tmp.dll
c:\windows\system32\640434660
c:\windows\system32\COMUID32.DLL
c:\windows\system32\CORPOL32.DLL
c:\windows\system32\cryptext3232.dll
c:\windows\system32\ctl3dv232.dll
c:\windows\system32\dciman3232.dll
c:\windows\system32\DDRAWEX32.DLL
c:\windows\system32\DFRGUI32.DLL
c:\windows\system32\dfrgui3232.dll
c:\windows\system32\dgrpsetu32.dll
c:\windows\system32\dmband3232.dll
c:\windows\system32\dnsapi3232.dll
c:\windows\system32\dot3msm32.dll
c:\windows\system32\DPCDLL32.DLL
c:\windows\system32\DPWSOCK32.DLL
c:\windows\system32\eappgnui3232.dll
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\gpkcsp32.dll
c:\windows\system32\hhsetup32.dll
c:\windows\system32\hlink32.dll
c:\windows\system32\iasads32.dll
c:\windows\system32\iasnap32.dll
c:\windows\system32\iernonce32.dll
c:\windows\system32\SysWoW32
c:\windows\system32\SysWoW32\_u1313111257v0
c:\windows\system32\SysWoW32\_u1313111257v1
c:\windows\system32\SysWoW32\_u1313111257v2
c:\windows\system32\SysWoW32\_u1313111257v3
c:\windows\system32\SysWoW32\_u1313111257v4
c:\windows\system32\SysWoW32\_u1313111257v5
c:\windows\system32\SysWoW32\_u1313111257v6
c:\windows\system32\SysWoW32\mu1313111257v4
c:\windows\system32\SysWoW32\mu1313111257v4.kwd
c:\windows\system32\SysWoW32\mu1313111257v5
c:\windows\system32\SysWoW32\mu1313111257v5.kwd
c:\windows\system32\SysWoW32\mu1313111257v6
c:\windows\system32\SysWoW32\mu1313111257v6.kwd
c:\windows\system32\SysWoW32\mu1313111257v7
c:\windows\system32\SysWoW32\mu1313111257v7.kwd
c:\windows\system32\SysWoW32\wu1313111257v0
c:\windows\system32\SysWoW32\wu1313111257v0.kwd
c:\windows\system32\SysWoW32\wu1313111257v1
c:\windows\system32\SysWoW32\wu1313111257v1.kwd
c:\windows\system32\SysWoW32\wu1313111257v2
c:\windows\system32\SysWoW32\wu1313111257v2.kwd
c:\windows\system32\SysWoW32\wu1313111257v3
c:\windows\system32\SysWoW32\wu1313111257v3.kwd
c:\windows\system32\unrar.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PRAGMAvstypyrivf
-------\Legacy_PRAGMAvstypyrivf
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2010-05-13 to 2010-06-13 )))))))))))))))))))))))))))))))
.

2010-06-13 23:20 . 2010-06-13 23:20 -------- d-----w- C:\_OTL
2010-06-12 02:21 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-06-12 02:21 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-06-12 02:21 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-06-12 02:21 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-06-12 02:21 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-06-12 02:21 . 2010-02-04 01:40 328752 ----a-w- c:\windows\system32\drivers\symds.sys
2010-06-11 04:16 . 2010-06-11 04:16 -------- d-----w- c:\program files\GEAR Software
2010-06-11 04:16 . 2010-06-11 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\{C3243856-7746-4A05-8837-51A28C1CDD82}
2010-06-11 02:15 . 2010-06-11 02:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-11 01:56 . 2010-06-11 01:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tific
2010-06-11 01:56 . 2010-06-11 01:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-06-11 01:35 . 2010-06-11 01:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-11 01:35 . 2010-06-11 01:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-11 01:35 . 2010-06-11 02:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-11 01:35 . 2010-06-11 01:35 -------- d-----w- c:\program files\Symantec
2010-06-11 01:34 . 2010-06-13 21:14 -------- d-----w- c:\windows\system32\drivers\NAV
2010-06-11 01:34 . 2010-06-11 01:34 -------- d-----w- c:\program files\Norton AntiVirus
2010-06-11 01:28 . 2010-06-11 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-06-11 00:43 . 2010-06-11 00:43 -------- d-----w- c:\program files\Common Files\Java
2010-06-11 00:38 . 2010-06-11 00:37 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-10 21:00 . 2010-06-10 21:00 321024 ----a-w- c:\windows\system32\deskperf32.dll
2010-06-10 19:01 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-07 23:01 . 2010-06-07 23:01 304640 ----a-w- c:\windows\system32\bitsprx332.dll
2010-06-07 16:44 . 2010-06-07 16:44 304640 ----a-w- c:\windows\system32\eapphost32.dll
2010-06-05 18:57 . 2010-06-05 18:57 309248 ----a-w- c:\windows\system32\fontsub32.dll
2010-06-02 20:33 . 2010-06-02 20:33 309248 ----a-w- c:\windows\system32\dpnmodem32.dll
2010-05-31 17:10 . 2010-05-31 17:10 311808 ----a-w- c:\windows\system32\cnetcfg32.dll
2010-05-31 04:41 . 2010-05-31 04:41 311808 ----a-w- c:\windows\system32\difxapi32.dll
2010-05-17 17:58 . 2010-05-17 17:58 283648 ----a-w- c:\windows\system32\ipnathlp32.dll
2010-05-17 16:58 . 2010-05-17 16:58 283648 ----a-w- c:\windows\system32\inetpp32.dll
2010-05-17 15:58 . 2010-05-17 15:58 283648 ----a-w- c:\windows\system32\inetcplc32.dll
2010-05-17 04:10 . 2010-05-17 04:10 283648 ----a-w- c:\windows\system32\comrepl32.dll
2010-05-17 03:39 . 2010-05-17 03:39 283648 ----a-w- c:\windows\system32\hsfcisp232.dll
2010-05-16 00:46 . 2010-05-16 00:46 283648 ----a-w- c:\windows\system32\htui32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-13 23:46 . 2010-02-22 23:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-06-13 23:43 . 2010-04-20 22:40 -------- d-----w- c:\program files\QualitySuperBrandingSystem
2010-06-11 01:35 . 2010-03-26 07:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-11 01:35 . 2010-06-11 01:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-11 01:35 . 2010-06-11 01:35 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-26 16:34 . 2010-05-26 16:34 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b72bf9a-n\msvcp71.dll
2010-05-26 16:34 . 2010-05-26 16:34 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b72bf9a-n\jmc.dll
2010-05-26 16:34 . 2010-05-26 16:34 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b72bf9a-n\msvcr71.dll
2010-05-26 16:34 . 2010-05-26 16:34 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-44bea384-n\decora-sse.dll
2010-05-26 16:34 . 2010-05-26 16:34 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-44bea384-n\decora-d3d.dll
2010-05-17 04:27 . 2010-04-06 07:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-05-14 05:19 . 2010-05-14 05:19 284160 ----a-w- c:\windows\system32\csseqchk32.dll
2010-05-14 04:19 . 2010-05-14 04:19 284160 ----a-w- c:\windows\system32\cscdll32.dll
2010-05-14 02:19 . 2010-05-14 02:19 284160 ----a-w- c:\windows\system32\cryptdll32.dll
2010-05-13 06:42 . 2010-05-13 06:42 284160 ----a-w- c:\windows\system32\icfgnt532.dll
2010-05-13 05:42 . 2010-05-13 05:42 284160 ----a-w- c:\windows\system32\icardres32.dll
2010-05-13 02:42 . 2010-05-13 02:42 284160 ----a-w- c:\windows\system32\hypertrm32.dll
2010-05-13 02:20 . 2010-05-13 02:20 -------- d-----w- c:\program files\Wireless Temp
2010-05-13 02:16 . 2010-05-13 02:16 -------- d-----w- c:\program files\Netopia
2010-05-13 02:16 . 2008-07-02 20:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-12 22:42 . 2010-05-12 22:42 284160 ----a-w- c:\windows\system32\GEARAspi32.dll
2010-05-12 22:00 . 2010-02-23 01:56 -------- d-----w- c:\program files\Google
2010-05-12 21:59 . 2010-05-12 21:59 284160 ----a-w- c:\windows\system32\ipmontr32.dll
2010-05-06 10:41 . 2004-08-04 06:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 05:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 06:56 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-27 00:15 . 2010-02-23 08:14 13836 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-26 23:28 . 2008-07-03 22:53 13688 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-26 23:28 . 2010-03-26 23:28 143976 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe
2010-03-26 23:28 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll
2010-03-26 22:48 . 2008-07-02 20:43 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-15 53248]
"VTTrayp"="VTtrayp.exe" [2007-04-25 176128]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-31 139776]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [7/2/2008 3:53 PM 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [7/2/2008 3:53 PM 52224]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [7/2/2008 3:48 PM 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [7/2/2008 3:50 PM 8192]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe [6/11/2010 9:21 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/10/2010 9:17 PM 102448]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1107000.00C\SYMDS.SYS --> c:\windows\system32\drivers\NAV\1107000.00C\SYMDS.SYS [?]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1107000.00C\SYMEFA.SYS --> c:\windows\system32\drivers\NAV\1107000.00C\SYMEFA.SYS [?]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [6/10/2010 8:34 PM 536112]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1107000.00C\ccHPx86.sys --> c:\windows\system32\drivers\NAV\1107000.00C\ccHPx86.sys [?]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1107000.00C\Ironx86.SYS --> c:\windows\system32\drivers\NAV\1107000.00C\Ironx86.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/22/2010 10:24 PM 135664]
S3 BS_Flash;BS_Flash;c:\program files\BIOS\BIOS Flash\BS_Flash.sys [7/2/2008 3:49 PM 3604]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [6/10/2010 11:38 PM 331640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-13 c:\windows\Tasks\User_Feed_Synchronization-{E4EE61A1-EC13-4D5D-8D3C-B233899A0356}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fptb-yie8
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-13 18:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-764733703-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,88,1d,5f,b2,84,a8,4b,9d,e7,44,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,88,1d,5f,b2,84,a8,4b,9d,e7,44,\

[HKEY_USERS\S-1-5-21-1957994488-764733703-839522115-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2704)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\wpdshext.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\VTTimer.exe
c:\windows\system32\VTtrayp.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-06-13 18:52:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-13 23:52

Pre-Run: 43,676,024,832 bytes free
Post-Run: 43,566,837,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 4FE1CCFE12C09F3D69C69CFAB824F473





The messages "Explorer.Exe-Bad image" and "iexplorer.exe-Bad image" did not appear when the computer turned on :)
  • 0

#9 SweetTech (Sir SpamAlot, Moderator, 7,671 posts)
Hello,

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.geekstogo.com/forum/Explorer-Exe-Bad-image-t279304.html&view=findpost&p=1850508#entry1850508
Collect::
c:\windows\system32\bitsprx332.dll
c:\windows\system32\eapphost32.dll
c:\windows\system32\fontsub32.dll
c:\windows\system32\dpnmodem32.dll
c:\windows\system32\cnetcfg32.dll
c:\windows\system32\difxapi32.dll
c:\windows\system32\ipnathlp32.dll
c:\windows\system32\inetpp32.dll
c:\windows\system32\inetcplc32.dll
c:\windows\system32\comrepl32.dll
c:\windows\system32\hsfcisp232.dll
c:\windows\system32\htui32.dll

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Scanning with MalwareBytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following bolded text into the Posted Image textbox.


    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /180
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Push Posted Image
  • A report will open. Copy and Paste that report in your next reply.



NEXT:


Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The log that was produced after running the ComboFix scan.
3. The log that was produced after running the updated MalwareBytes' Anti-Malware scan.
4. The log that was produced after running the ESET Online Virus Scanner.
5. The log that was produced after running the OTL scan.
6. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Cheers,
SweetTech.
  • 0

#10 1kared (Member, 11 posts)
This is the log for CFScript


ComboFix 10-06-13.01 - Administrator 06/13/2010 19:13:49.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.659 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

file zipped: c:\windows\system32\bitsprx332.dll
file zipped: c:\windows\system32\cnetcfg32.dll
file zipped: c:\windows\system32\comrepl32.dll
file zipped: c:\windows\system32\difxapi32.dll
file zipped: c:\windows\system32\dpnmodem32.dll
file zipped: c:\windows\system32\eapphost32.dll
file zipped: c:\windows\system32\fontsub32.dll
file zipped: c:\windows\system32\hsfcisp232.dll
file zipped: c:\windows\system32\htui32.dll
file zipped: c:\windows\system32\inetcplc32.dll
file zipped: c:\windows\system32\inetpp32.dll
file zipped: c:\windows\system32\ipnathlp32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bitsprx332.dll
c:\windows\system32\cnetcfg32.dll
c:\windows\system32\comrepl32.dll
c:\windows\system32\difxapi32.dll
c:\windows\system32\dpnmodem32.dll
c:\windows\system32\eapphost32.dll
c:\windows\system32\fontsub32.dll
c:\windows\system32\hsfcisp232.dll
c:\windows\system32\htui32.dll
c:\windows\system32\inetcplc32.dll
c:\windows\system32\inetpp32.dll
c:\windows\system32\ipnathlp32.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-14 to 2010-06-14 )))))))))))))))))))))))))))))))
.

2010-06-13 23:20 . 2010-06-13 23:20 -------- d-----w- C:\_OTL
2010-06-12 02:21 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-06-12 02:21 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-06-12 02:21 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-06-12 02:21 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-06-12 02:21 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys
2010-06-12 02:21 . 2010-02-04 01:40 328752 ----a-w- c:\windows\system32\drivers\symds.sys
2010-06-11 04:16 . 2010-06-11 04:16 -------- d-----w- c:\program files\GEAR Software
2010-06-11 04:16 . 2010-06-11 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\{C3243856-7746-4A05-8837-51A28C1CDD82}
2010-06-11 02:15 . 2010-06-11 02:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-11 01:56 . 2010-06-11 01:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tific
2010-06-11 01:56 . 2010-06-11 01:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-06-11 01:35 . 2010-06-11 01:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-11 01:35 . 2010-06-11 01:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-11 01:35 . 2010-06-11 02:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-11 01:35 . 2010-06-11 01:35 -------- d-----w- c:\program files\Symantec
2010-06-11 01:34 . 2010-06-13 21:14 -------- d-----w- c:\windows\system32\drivers\NAV
2010-06-11 01:34 . 2010-06-11 01:34 -------- d-----w- c:\program files\Norton AntiVirus
2010-06-11 01:28 . 2010-06-11 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-06-11 00:43 . 2010-06-11 00:43 -------- d-----w- c:\program files\Common Files\Java
2010-06-11 00:38 . 2010-06-11 00:37 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-10 21:00 . 2010-06-10 21:00 321024 ----a-w- c:\windows\system32\deskperf32.dll
2010-06-10 19:01 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-05-26 16:34 . 2010-05-26 16:34 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b72bf9a-n\msvcp71.dll
2010-05-26 16:34 . 2010-05-26 16:34 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b72bf9a-n\jmc.dll
2010-05-26 16:34 . 2010-05-26 16:34 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3b72bf9a-n\msvcr71.dll
2010-05-26 16:34 . 2010-05-26 16:34 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-44bea384-n\decora-sse.dll
2010-05-26 16:34 . 2010-05-26 16:34 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-44bea384-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 00:05 . 2010-02-22 23:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2010-06-13 23:43 . 2010-04-20 22:40 -------- d-----w- c:\program files\QualitySuperBrandingSystem
2010-06-11 01:35 . 2010-03-26 07:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-11 01:35 . 2010-06-11 01:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-11 01:35 . 2010-06-11 01:35 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-17 04:27 . 2010-04-06 07:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-05-14 05:19 . 2010-05-14 05:19 284160 ----a-w- c:\windows\system32\csseqchk32.dll
2010-05-14 04:19 . 2010-05-14 04:19 284160 ----a-w- c:\windows\system32\cscdll32.dll
2010-05-14 02:19 . 2010-05-14 02:19 284160 ----a-w- c:\windows\system32\cryptdll32.dll
2010-05-13 06:42 . 2010-05-13 06:42 284160 ----a-w- c:\windows\system32\icfgnt532.dll
2010-05-13 05:42 . 2010-05-13 05:42 284160 ----a-w- c:\windows\system32\icardres32.dll
2010-05-13 02:42 . 2010-05-13 02:42 284160 ----a-w- c:\windows\system32\hypertrm32.dll
2010-05-13 02:20 . 2010-05-13 02:20 -------- d-----w- c:\program files\Wireless Temp
2010-05-13 02:16 . 2010-05-13 02:16 -------- d-----w- c:\program files\Netopia
2010-05-13 02:16 . 2008-07-02 20:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-12 22:42 . 2010-05-12 22:42 284160 ----a-w- c:\windows\system32\GEARAspi32.dll
2010-05-12 22:00 . 2010-02-23 01:56 -------- d-----w- c:\program files\Google
2010-05-12 21:59 . 2010-05-12 21:59 284160 ----a-w- c:\windows\system32\ipmontr32.dll
2010-05-06 10:41 . 2004-08-04 06:56 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 05:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 06:56 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-27 00:15 . 2010-02-23 08:14 13836 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-26 23:28 . 2008-07-03 22:53 13688 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-26 23:28 . 2010-03-26 23:28 143976 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe
2010-03-26 23:28 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll
2010-03-26 22:48 . 2008-07-02 20:43 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-15 53248]
"VTTrayp"="VTtrayp.exe" [2007-04-25 176128]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-31 139776]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [7/2/2008 3:53 PM 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [7/2/2008 3:53 PM 52224]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [7/2/2008 3:48 PM 13696]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [7/2/2008 3:50 PM 8192]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe [6/11/2010 9:21 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/10/2010 9:17 PM 102448]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1107000.00C\SYMDS.SYS --> c:\windows\system32\drivers\NAV\1107000.00C\SYMDS.SYS [?]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1107000.00C\SYMEFA.SYS --> c:\windows\system32\drivers\NAV\1107000.00C\SYMEFA.SYS [?]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [6/10/2010 8:34 PM 536112]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1107000.00C\ccHPx86.sys --> c:\windows\system32\drivers\NAV\1107000.00C\ccHPx86.sys [?]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1107000.00C\Ironx86.SYS --> c:\windows\system32\drivers\NAV\1107000.00C\Ironx86.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/22/2010 10:24 PM 135664]
S3 BS_Flash;BS_Flash;c:\program files\BIOS\BIOS Flash\BS_Flash.sys [7/2/2008 3:49 PM 3604]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [6/10/2010 11:38 PM 331640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-13 c:\windows\Tasks\User_Feed_Synchronization-{E4EE61A1-EC13-4D5D-8D3C-B233899A0356}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fptb-yie8
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-13 19:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-764733703-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,88,1d,5f,b2,84,a8,4b,9d,e7,44,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,88,1d,5f,b2,84,a8,4b,9d,e7,44,\

[HKEY_USERS\S-1-5-21-1957994488-764733703-839522115-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-06-13 19:22:17
ComboFix-quarantined-files.txt 2010-06-14 00:22
ComboFix2.txt 2010-06-13 23:52

Pre-Run: 43,568,934,912 bytes free
Post-Run: 43,551,363,072 bytes free

- - End Of File - - 5ADF4EFDF1AC64ACBA4EB999ED1E7350
Upload was successful
  • 0


#11 SweetTech (Sir SpamAlot, Moderator, 7,671 posts)
:)
  • 0

#12 1kared (Member, 11 posts)
This is the log for Malwarebytes' Anti-Malware



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4195

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/13/2010 7:36:45 PM
mbam-log-2010-06-13 (19-36-45).txt

Scan type: Quick scan
Objects scanned: 115648
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 48
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\qualitysuperbrandingsystem.qualitysuperbrandingsystem (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1d58fe57-9b77-c841-b950-3654da9d5edb} (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{6339581c-7838-64ee-63a9-d48b0e3d5f2e} (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a078f691-9c07-4af2-bf43-35e79eecf8b7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\QualitySuperBrandingSystem.DLL (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QualitySuperBrandingSystem (Adware.PlayMP3z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QualitySuperBrandingSystem (Adware.PlayMP3z) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3popularscreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/...q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/...q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\QualitySuperBrandingSystem (Adware.PlayMP3z) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\cryptdll32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\GEARAspi32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\deskperf32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hypertrm32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\icardres32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\icfgnt532.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipmontr32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cscdll32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\csseqchk32.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Program Files\QualitySuperBrandingSystem\uninstall.exe (Adware.PlayMP3z) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Protection Center.LNK (Rogue.ProtectionCenter) -> Quarantined and deleted successfully.
  • 0

#13 SweetTech (Sir SpamAlot, Moderator, 7,671 posts)
:)

Just a heads up, the ESET Online Scanner should take you a couple of hours to run.

Edited by SweetTech, 13 June 2010 - 06:45 PM.

  • 0

#14 1kared (Member, 11 posts)
4. This is the log for ESET Online Virus Scanner



C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\[4]-Submit_2010-06-13_19.13.32.zip multiple threats
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul.vir Win32/Dursg.C trojan
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Win32/Adware.FunWeb application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Win32/Adware.FunWeb application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL.vir Win32/Toolbar.MyWebSearch.G application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Win32/Toolbar.MyWebSearch.B application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Win32/Adware.FunWeb application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL.vir Win32/Toolbar.MyWebSearch.G application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Win32/Toolbar.MyWebSearch.D application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Win32/Adware.FunWeb application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL.vir Win32/Toolbar.MyWebSearch.H application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3DLGHK.DLL.vir Win32/Toolbar.MyWebSearch.I application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Win32/Toolbar.MyWebSearch.J application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir Win32/Toolbar.MyWebSearch.I application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSMLBTN.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Win32/Toolbar.MyWebSearch.J application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSUABTN.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\PROGRA~1\MYWEBS~1\bar\1.bin\MWSOEMON.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\WINDOWS\PRAGMAvstypyrivf\PRAGMAc.dll.vir Win32/Olmarik.KT trojan
C:\Qoobox\Quarantine\C\WINDOWS\PRAGMAvstypyrivf\PRAGMAd.sys.vir Win32/Olmarik.AAC trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\comuid32.dll.vir a variant of Win32/Kryptik.ERA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\corpol32.dll.vir Win32/Agent.RDV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\cryptext3232.dll.vir Win32/Agent.RDV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\ctl3dv232.dll.vir a variant of Win32/Kryptik.EHK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dciman3232.dll.vir a variant of Win32/Kryptik.ERA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\ddrawex32.dll.vir a variant of Win32/Kryptik.ERA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dfrgui32.dll.vir a variant of Win32/Kryptik.ERA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dfrgui3232.dll.vir Win32/BHO.NZK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dgrpsetu32.dll.vir a variant of Win32/Kryptik.EHK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dmband3232.dll.vir a variant of Win32/Kryptik.ERA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dnsapi3232.dll.vir Win32/BHO.NZK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dot3msm32.dll.vir a variant of Win32/Kryptik.ERA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dpcdll32.dll.vir Win32/BHO.NZK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dpwsock32.dll.vir a variant of Win32/Kryptik.ERA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\eappgnui3232.dll.vir Win32/BHO.NZK trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\WINDOWS\system32\gpkcsp32.dll.vir Win32/Agent.RDV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\hhsetup32.dll.vir Win32/Agent.RDV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\hlink32.dll.vir Win32/Agent.RDV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iasads32.dll.vir Win32/Agent.RDV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iasnap32.dll.vir Win32/Agent.RDV trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\iernonce32.dll.vir a variant of Win32/Kryptik.DSH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\wu1313111257v1.vir Win32/TrojanDownloader.Agent.PDY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\wu1313111257v2.vir Win32/TrojanDownloader.Agent.PDY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\wu1313111257v3.vir Win32/TrojanDownloader.Agent.PDY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\_u1313111257v1.vir Win32/TrojanDownloader.Agent.PDY trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\_u1313111257v2.vir a variant of Win32/Kryptik.DSH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\SysWoW32\_u1313111257v3.vir a variant of Win32/Kryptik.DSH trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP88\A0056517.sys Win32/Olmarik.AAC trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP88\A0056518.dll Win32/Olmarik.KT trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056624.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056627.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056628.DLL Win32/Adware.FunWeb application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056629.DLL Win32/Adware.FunWeb application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056630.DLL Win32/Toolbar.MyWebSearch.G application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056631.DLL Win32/Toolbar.MyWebSearch.B application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056632.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056633.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056634.DLL Win32/Adware.FunWeb application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056635.SCR Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056636.DLL Win32/Toolbar.MyWebSearch.G application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056637.DLL Win32/Toolbar.MyWebSearch.D application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056638.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056639.EXE Win32/Adware.FunWeb application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056640.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056642.DLL Win32/Toolbar.MyWebSearch.H application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056643.DLL Win32/Toolbar.MyWebSearch.I application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056644.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056645.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056646.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056647.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056648.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056649.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056650.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056651.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056652.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056653.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056654.EXE Win32/Toolbar.MyWebSearch.J application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056655.EXE Win32/Toolbar.MyWebSearch.I application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056656.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056657.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056658.DLL Win32/Toolbar.MyWebSearch.J application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056659.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056660.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056661.EXE Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056662.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056663.DLL Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056695.dll a variant of Win32/Kryptik.ERA trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056696.dll Win32/Agent.RDV trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056697.dll Win32/Agent.RDV trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056698.dll a variant of Win32/Kryptik.EHK trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056699.dll a variant of Win32/Kryptik.ERA trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056700.dll a variant of Win32/Kryptik.ERA trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056701.dll a variant of Win32/Kryptik.ERA trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056702.dll Win32/BHO.NZK trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056703.dll a variant of Win32/Kryptik.EHK trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056704.dll a variant of Win32/Kryptik.ERA trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056705.dll Win32/BHO.NZK trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056706.dll a variant of Win32/Kryptik.ERA trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056707.dll Win32/BHO.NZK trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056708.dll a variant of Win32/Kryptik.ERA trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056709.dll Win32/BHO.NZK trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056710.scr Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056711.dll Win32/Agent.RDV trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056712.dll Win32/Agent.RDV trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056713.dll Win32/Agent.RDV trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056714.dll Win32/Agent.RDV trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056715.dll Win32/Agent.RDV trojan
C:\System Volume Information\_restore{574E1AF3-CD42-40C8-BD59-06A51A33BBB5}\RP89\A0056716.dll a variant of Win32/Kryptik.DSH trojan
C:\WINDOWS\system32\drivers\etc\hosts.msn Win32/Qhost trojan
C:\_OTL\MovedFiles\06132010_182025\C_Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe Win32/Dursg.B trojan
C:\_OTL\MovedFiles\06132010_182025\C_WINDOWS\system32\csseqchk323232.dll a variant of Win32/Kryptik.ERA trojan
C:\_OTL\MovedFiles\06132010_182025\C_WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan
Operating memory Win32/Toolbar.MyWebSearch application



5. The log for OTL Scan

OTL logfile created on: 6/13/2010 8:20:32 PM - Run 2
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.00 Mb Total Physical Memory | 371.00 Mb Available Physical Memory | 39.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 40.46 Gb Free Space | 54.30% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: POLLITA
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccsvchst.exe (Symantec Corporation)
PRC - C:\Program Files\LimeWire\LimeWire.exe (Lime Wire, LLC)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\VTTrayp.exe (S3 Graphics Co., Ltd.)
PRC - C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\system32\VTTimer.exe (S3 Graphics, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (NAV) -- C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe (Symantec Corporation)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)


========== Driver Services (SafeList) ==========

DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\VirusDefs\20100613.018\NAVEX15.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\VirusDefs\20100613.018\NAVENG.SYS (Symantec Corporation)
DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\IPSDefs\20100604.004\IDSXpx86.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\symtdi.sys (Symantec Corporation)
DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\symefa.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\System32\Drivers\NAV\1107000.00C\SRTSP.SYS (Symantec Corporation)
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\WINDOWS\system32\drivers\srtspx.sys (Symantec Corporation)
DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\BASHDefs\20100211.001\BHDrvx86.sys (Symantec Corporation)
DRV - (SymDS) -- C:\WINDOWS\system32\drivers\symds.sys (Symantec Corporation)
DRV - (ViPrt) -- C:\WINDOWS\system32\DRIVERS\ViPrt.sys (VIA Technologies, Inc.)
DRV - (ViBus) -- C:\WINDOWS\system32\DRIVERS\ViBus.sys (VIA Technologies, Inc.)
DRV - (videX32) -- C:\WINDOWS\system32\DRIVERS\videX32.sys (VIA Technologies, Inc.)
DRV - (BS_Flash) -- C:\Program Files\BIOS\BIOS Flash\BS_Flash.sys ()
DRV - (RT73) -- C:\WINDOWS\system32\drivers\rt73.sys (Ralink Technology, Corp.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (BS_I2cIo) -- C:\WINDOWS\system32\drivers\BS_I2cIo.sys (BIOSTAR Group)
DRV - (W8335XP) 802.11g/b Driver for Windows XP (8335) -- C:\WINDOWS\system32\drivers\Mrvw125.sys (Marvell Semiconductor, Inc)
DRV - (zntport) -- C:\WINDOWS\System32\drivers\zntport.sys (Zeal SoftStudio)
DRV - (BIOS) -- C:\WINDOWS\system32\drivers\BIOS.sys (BIOSTAR Group)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fptb-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A4 94 9F 18 C9 C4 CA 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 5E C3 7B 00 FD 06 87 4B BF E1 22 A2 79 06 B6 74 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin File not found
FF - HKLM\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\IPSFFPlgn\ [2010/06/13 16:25:24 | 000,000,000 | ---D | M]

[2010/02/22 18:31:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/02/22 18:31:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/06/13 18:44:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/06/13 19:19:17 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] C:\WINDOWS\System32\VTTrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (Lime Wire, LLC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll (Google Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace....ceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\My Documents\My Pictures\angel.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/02 15:44:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/07/02 15:43:45 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/06/13 19:47:37 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/06/13 19:30:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/06/13 19:30:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/13 19:30:29 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/13 19:30:29 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/13 19:30:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/13 19:29:40 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/06/13 18:34:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/13 18:32:12 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/06/13 18:32:12 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/06/13 18:32:12 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/06/13 18:32:12 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/06/13 18:32:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/13 18:29:59 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/13 18:20:25 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/06/11 22:37:58 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/06/11 21:21:58 | 000,361,904 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\symtdi.sys
[2010/06/11 21:21:58 | 000,339,504 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symtdiv.sys
[2010/06/11 21:21:57 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\cchpx86.sys
[2010/06/11 21:21:57 | 000,328,752 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\symds.sys
[2010/06/11 21:21:57 | 000,325,680 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\srtsp.sys
[2010/06/11 21:21:57 | 000,173,104 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\symefa.sys
[2010/06/11 21:21:57 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\ironx86.sys
[2010/06/11 21:21:57 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\srtspx.sys
[2010/06/11 21:21:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV\1107000.00C
[2010/06/10 23:16:28 | 000,000,000 | ---D | C] -- C:\Program Files\GEAR Software
[2010/06/10 23:16:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{C3243856-7746-4A05-8837-51A28C1CDD82}
[2010/06/10 22:57:27 | 306,708,552 | ---- | C] (Nero AG) -- C:\Documents and Settings\Administrator\Desktop\Nero-10.0.13100_trial.exe
[2010/06/10 22:32:59 | 001,925,536 | ---- | C] (GEAR Software, Inc. ) -- C:\Documents and Settings\Administrator\Desktop\GEARISOBurn.exe
[2010/06/10 21:04:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/06/10 20:56:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Tific
[2010/06/10 20:56:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Symantec
[2010/06/10 20:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Symantec
[2010/06/10 20:35:41 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/06/10 20:35:41 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/06/10 20:35:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/06/10 20:35:40 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/06/10 20:34:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NAV
[2010/06/10 20:34:34 | 000,000,000 | ---D | C] -- C:\Program Files\Norton AntiVirus
[2010/06/10 20:28:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2010/06/10 19:43:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/10 19:38:11 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/10 19:38:11 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/10 19:38:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/10 19:38:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/10 19:38:11 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/10 14:01:23 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll

========== Files - Modified Within 30 Days ==========

[2010/06/13 19:38:48 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/13 19:38:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/13 19:37:52 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/06/13 19:37:52 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/06/13 19:30:32 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/13 19:29:40 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/06/13 19:19:25 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/13 19:19:17 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/13 19:04:53 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/06/13 18:34:22 | 000,000,293 | RHS- | M] () -- C:\boot.ini
[2010/06/13 18:29:21 | 003,707,422 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/06/13 16:18:20 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{E4EE61A1-EC13-4D5D-8D3C-B233899A0356}.job
[2010/06/13 16:14:13 | 000,001,885 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
[2010/06/13 16:14:07 | 000,618,322 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\Cat.DB
[2010/06/13 16:14:04 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/11 22:47:52 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\mo0j38m8.exe
[2010/06/11 22:38:00 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/06/10 23:42:39 | 000,854,064 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Administrator\Desktop\Norton_Removal_Tool.exe
[2010/06/10 23:17:54 | 001,925,536 | ---- | M] (GEAR Software, Inc. ) -- C:\Documents and Settings\Administrator\Desktop\GEARISOBurn.exe
[2010/06/10 23:17:17 | 000,002,723 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GEAR ISO Burn.lnk
[2010/06/10 22:58:00 | 306,708,552 | ---- | M] (Nero AG) -- C:\Documents and Settings\Administrator\Desktop\Nero-10.0.13100_trial.exe
[2010/06/10 22:21:24 | 307,724,288 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\recovery_nav_x86.iso
[2010/06/10 21:23:14 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/10 20:35:40 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/06/10 20:35:40 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/06/10 20:35:40 | 000,007,443 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/06/10 20:35:40 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/06/10 20:34:17 | 000,000,755 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Norton Installation Files.lnk
[2010/06/10 19:37:59 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/10 19:37:59 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/10 19:37:59 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/10 19:37:59 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/10 19:37:59 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/10 18:04:04 | 010,584,058 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\river.wav
[2010/06/10 17:51:13 | 009,515,074 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\no mames.wav
[2010/06/10 15:59:58 | 000,098,256 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 15:12:46 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/10 15:10:30 | 000,488,794 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 15:10:30 | 000,432,686 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/10 15:10:30 | 000,067,516 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/27 17:59:30 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2010/06/13 19:30:32 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/13 18:34:22 | 000,000,223 | ---- | C] () -- C:\Boot.bak
[2010/06/13 18:34:20 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/06/13 18:32:12 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/13 18:32:12 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/13 18:32:12 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/13 18:32:12 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/13 18:32:12 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/06/13 18:29:21 | 003,707,422 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2010/06/13 16:14:00 | 000,618,322 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\Cat.DB
[2010/06/11 22:47:42 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\mo0j38m8.exe
[2010/06/11 21:21:57 | 000,007,873 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symefa.cat
[2010/06/11 21:21:57 | 000,007,787 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symnetv.cat
[2010/06/11 21:21:57 | 000,007,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\srtspx.cat
[2010/06/11 21:21:57 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\srtsp.cat
[2010/06/11 21:21:57 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\iron.cat
[2010/06/11 21:21:57 | 000,007,425 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symds.cat
[2010/06/11 21:21:57 | 000,007,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\cchpx86.cat
[2010/06/11 21:21:57 | 000,007,368 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symnet.cat
[2010/06/11 21:21:57 | 000,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symefa.inf
[2010/06/11 21:21:57 | 000,002,793 | R--- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symds.inf
[2010/06/11 21:21:57 | 000,001,754 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\cchpx86.inf
[2010/06/11 21:21:57 | 000,001,473 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symnetv.inf
[2010/06/11 21:21:57 | 000,001,445 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\symnet.inf
[2010/06/11 21:21:57 | 000,001,388 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\srtspx.inf
[2010/06/11 21:21:57 | 000,001,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\srtsp.inf
[2010/06/11 21:21:57 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\iron.inf
[2010/06/11 21:21:46 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NAV\1107000.00C\isolate.ini
[2010/06/10 23:16:29 | 000,002,723 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GEAR ISO Burn.lnk
[2010/06/10 22:20:14 | 307,724,288 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\recovery_nav_x86.iso
[2010/06/10 21:15:58 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/10 20:35:41 | 000,007,443 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/06/10 20:35:41 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/06/10 20:34:47 | 000,001,885 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton AntiVirus.LNK
[2010/06/10 18:04:04 | 010,584,058 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\river.wav
[2010/06/10 17:51:12 | 009,515,074 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\no mames.wav
[2009/07/14 23:45:12 | 000,003,604 | ---- | C] () -- C:\WINDOWS\System32\drivers\BS_Flash.sys
[2008/07/02 15:54:49 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008/07/02 15:53:17 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2008/07/02 15:51:23 | 000,046,080 | R--- | C] () -- C:\WINDOWS\System32\itevio.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2008/07/02 15:55:17 | 000,001,300 | ---- | M] () -- C:\ALCSetup.log
[2008/07/02 15:44:17 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/07/02 15:50:39 | 000,000,223 | ---- | M] () -- C:\Boot.bak
[2010/06/13 18:34:22 | 000,000,293 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/06/13 19:24:45 | 000,014,712 | ---- | M] () -- C:\ComboFix.txt
[2008/07/02 15:44:17 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/07/02 15:44:17 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/07/02 15:44:17 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/07/02 15:55:17 | 000,000,189 | ---- | M] () -- C:\mylog.log
[2004/08/03 23:38:34 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/03/26 17:41:13 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/06/13 19:38:45 | 1509,949,440 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/07/01 21:30:28 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/07/01 21:30:28 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/07/01 21:30:28 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /180 >
[2010/02/25 19:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\cchpx86.sys
[2010/04/29 00:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\ironx86.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 08:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/04/21 21:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\srtspx.sys
[2009/12/31 11:50:03 | 000,353,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\srv.sys
[2010/02/03 20:40:47 | 000,328,752 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symds.sys
[2010/04/21 22:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symefa.sys
[2010/06/10 20:35:40 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS
[2010/05/05 23:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symtdi.sys
[2010/02/11 07:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
< End of report >


6. I'm not having any problems with the computer :)
  • 0
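The OTL log above is the raw material the helper reads to decide what to fix. As an added example (not part of this thread or of OTL itself), here is a small parser for OTL's `[date | size | attrs | C/M] (Company) -- path` entry format plus a triage pass that flags code files under the Windows directory that carry no company name or that OTL could not hash; the sample lines are a constructed subset copied from the log above, and the "recent" window and the 2010/06/13 reference time are assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta
# OTL entry: [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company) -- path
# attrs are four slots (R, H, S, D or '-'); C/M = Created/Modified; the company
# part may be "()" or absent; "Unable to obtain MD5" may precede the path.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\]\s*(?:\((?P<company>[^)]*)\))?"
    r"\s*(?P<nomd5>Unable to obtain MD5)?\s*-- (?P<path>.+)$"
)

def parse_otl_line(line):
    """Parse one OTL entry into a dict; None for headers and blank lines."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "when": datetime.strptime(g["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(g["size"].replace(",", "")),  # "1509,949,440" -> 1509949440
        "attrs": g["attrs"],
        "created": g["kind"] == "C",
        "company": (g["company"] or "").strip(),
        "md5_unavailable": g["nomd5"] is not None,
        "path": g["path"],
    }

CODE_EXT = (".sys", ".dll", ".exe", ".cpl")

def triage(lines, now, days=30):
    """Code files under the Windows directory with no company name or no MD5;
    'recent' marks entries touched within the last `days` before `now` (assumed window)."""
    flagged = []
    for e in filter(None, map(parse_otl_line, lines)):
        p = e["path"].lower()
        if not (p.startswith("c:\\windows\\") and p.endswith(CODE_EXT)):
            continue
        if not e["company"] or e["md5_unavailable"]:
            e["recent"] = now - e["when"] <= timedelta(days=days)
            flagged.append(e)
    return flagged

# Constructed sample: a handful of lines copied from the OTL log in this thread.
SAMPLE = [
    r"[2010/06/10 20:35:41 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS",
    r"[2010/06/10 20:35:40 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec",
    r"[2010/06/13 18:32:12 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe",
    r"[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll",
    r"[2009/07/14 23:45:12 | 000,003,604 | ---- | C] () -- C:\WINDOWS\System32\drivers\BS_Flash.sys",
    r"[2010/06/13 19:38:45 | 1509,949,440 | -HS- | M] () -- C:\pagefile.sys",
]
```

Flagged entries are leads for a second look (hash lookup, signature check), not verdicts: on this log they include ComboFix's own MBR.exe, which is expected to be there.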

#15
SweetTech

    Sir SpamAlot

  • Moderator
  • 7,671 posts
Hello,

We are almost done. We just have a few last things to address.

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :Services
    :OTL
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    [2010/06/13 19:29:40 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
    :Files
    C:\WINDOWS\system32\drivers\etc\hosts.msn
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

NEXT:

Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

  • 0
