
Blinkx and other Redirects


This topic is locked

#1
cezar1234
    Member
  • 45 posts
When I browse in MSN or Yahoo I get redirected to different search engines that are fake and Blinkx. It has increased in frequency. Can anyone help? I have used the standard antivirus I have; none seem to help.
  • 0



#2
mitch8
    Trusted Helper
  • Malware Removal
  • 1,356 posts
Hello cezar1234, and welcome to GeeksToGo! My name is Mitch8 and I will be helping you with your problem. Here are a few things I would like to point out:
  • I am in training and there might be a delay between posts because they have to be checked by an expert.
  • Please post your logs, don't attach them unless stated.
  • Please read my posts carefully and if you have any questions ask.

Step 1

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 2

OTL
OTL is currently our primary tool for searching key areas of the registry and other system locations for the telltale signs of malware. It generates a comprehensive log, and offers an initial diagnosis.

Important note: HijackThis has been replaced by OTL in this guide. Since being acquired by TrendMicro, HijackThis has not been regularly updated. Many infections are now able to hide partly, or completely from a HijackThis scan. OTL is authored by one of our staff members (OldTimer). It includes all the scan locations of HijackThis and more. It's not only a more comprehensive scan tool, but also offers more powerful removal features.
  • Download OTL to your Desktop
  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply.
  • 0
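The custom scan above collects, among other things, the Winlogon Shell and UserInit values, the Run keys, the hosts file and the Internet Explorer proxy settings. As an added example (not from the original post and not part of OTL), here is a Python script that reads OTL-format log text and flags the entries worth checking first when a browser is being redirected: a Shell or UserInit value that is not the Windows default or whose file is missing, a proxy that is enabled, Run entries whose target OTL marks as "File not found", and hosts-file mappings other than localhost. The sample log lines are constructed in the format OTL emits; the defaults it compares against (Shell = Explorer.exe, UserInit = userinit.exe under the logged %SystemRoot%\system32) are the Windows XP defaults.

```python
"""Triage an OTL log for the entries that most often explain browser redirects.

Added example for this thread; it is not part of OTL or of the original post.
Input is OTL log text. Output is a list of (kind, detail) findings:
  * winlogon-nondefault / winlogon-missing : Shell or UserInit is not the
    Windows default (Explorer.exe, userinit.exe under system32) or its file
    is reported missing
  * proxy-enabled   : ProxyEnable = 1 (redirects are often a proxy, not a BHO)
  * run-missing     : an O4 Run entry whose file OTL could not find
  * hosts           : a hosts mapping for anything other than localhost
Every finding is a lead for a human reviewer, not a verdict.
"""
import re

SYSROOT = re.compile(r"%SystemRoot% = (?P<root>[A-Za-z]:\\[^|\s]+)")
PROXY = re.compile(r'^IE - HK\w+\\.*Internet Settings: "(?P<name>Proxy\w+)" = (?P<value>.*)$')
HOSTS = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
WINLOGON = re.compile(r"^O20 - HKLM Winlogon: (?P<name>Shell|UserInit) - \((?P<value>[^)]*)\) - (?P<rest>.*)$")


def _norm(path):
    # UserInit legitimately carries a trailing comma; anything after a comma
    # is an extra program and must NOT be stripped, so only the trailing one goes.
    return path.strip().rstrip(",").strip().lower()


def triage_otl(text):
    root = "C:\\WINDOWS"                      # fallback if the header line is absent
    m = SYSROOT.search(text)
    if m:
        root = m["root"]
    expected = {
        "Shell": {"explorer.exe", _norm(root + "\\explorer.exe")},
        "UserInit": {_norm(root + "\\system32\\userinit.exe")},
    }
    findings = []
    proxy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PROXY.match(line)):
            proxy[m["name"]] = m["value"].strip()
            continue
        if (m := HOSTS.match(line)):
            if m["host"].lower() != "localhost":
                findings.append(("hosts", f"{m['ip']} {m['host']}"))
            continue
        if (m := RUN.match(line)):
            if m["rest"].endswith("File not found"):
                findings.append(("run-missing", f"{m['hive']}\\{m['key']} [{m['name']}] {m['rest']}"))
            continue
        if (m := WINLOGON.match(line)):
            if _norm(m["value"]) not in expected[m["name"]]:
                findings.append(("winlogon-nondefault", f"{m['name']} = {m['value']}"))
            elif m["rest"].endswith("File not found"):
                findings.append(("winlogon-missing", f"{m['name']} = {m['value']}"))
    if proxy.get("ProxyEnable") == "1":
        findings.append(("proxy-enabled", proxy.get("ProxyServer", "<no ProxyServer value in log>")))
    return findings


# Constructed sample in the format OTL emits (a real log has hundreds of lines).
SAMPLE_OTL = r"""
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKCU..\Run: [Corel Photo Downloader] C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
"""

if __name__ == "__main__":
    for kind, detail in triage_otl(SAMPLE_OTL):
        print(f"{kind:20} {detail}")
```

A UserInit value that points anywhere but the system32 userinit.exe is reported even when the file is missing, because the missing file is the more urgent fact: at the next logon Winlogon will try to run it and, if nothing repairs the value, the session may never reach the desktop. The proxy finding is reported even without a ProxyServer value, since OTL does not always print that key; the reviewer should confirm it in the registry.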

#3
cezar1234
    Member
  • Topic Starter
  • 45 posts
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-08 17:44:15
Windows 5.1.2600 Service Pack 3
Running: 646yqpkv.exe; Driver: C:\DOCUME~1\Cezar\LOCALS~1\Temp\pfloraob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB69D3360, 0x3E57A5, 0xE8000020]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB646EF80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9821 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E42FF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4231 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E429C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4102 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4164 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4362 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E41C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED708 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[588] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[588] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[588] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1096] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 03C5000A
.text C:\WINDOWS\System32\svchost.exe[1096] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D8000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9821 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E42FF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4231 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E429C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4102 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4164 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4362 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E41C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED708 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[2320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\wuauclt.exe[2320] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\wuauclt.exe[2320] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B9000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9821 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E42FF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4231 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E429C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4102 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4164 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4362 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E41C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED708 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9821 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E42FF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4231 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E429C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4102 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4164 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4362 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E41C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED708 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5868] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5868] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5868] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5868] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5868] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5868] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E42FF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5868] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4231 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5868] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E429C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5868] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4102 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5868] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4164 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5868] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4362 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[5868] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E41C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[1376] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3028] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[5208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
  • 0
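GMER prints every inline hook it finds in running processes. When it can map the JMP target back to a module on disk it appends the path and vendor string (the IEFRAME.dll entries above); when it cannot, the target is an anonymous memory region (the ntdll.dll entries above, which show only an address). As an added example, not from the thread and not part of GMER, the script below parses log text in the format posted above and separates the two kinds, listing the unattributed hooks per process together with any kernel driver whose code section GMER reports as writeable. An unattributed hook is a lead, not a verdict: security products hook ntdll in exactly the same way, so each one still has to be tied to a loaded module by hand. The sample lines are constructed in the same format, abbreviated to a few entries.

```python
"""Triage the hook entries in a GMER log.

Added example for this thread; not part of GMER or of the original posts.
Splits user-mode inline hooks by whether GMER attributed the JMP target to a
module on disk, and collects kernel code sections reported as writeable.
Unattributed hooks go first in the summary because they need manual review;
they are not automatically malicious.
"""
import re
from collections import defaultdict

# .text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<path> (<vendor>)]
USER_HOOK = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)\s+"
    r"(?P<addr>[0-9A-F]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<path>\S.*?)\s+\((?P<vendor>.*)\))?\s*$",
    re.IGNORECASE,
)
# <section> <driver path> section is writeable [<start>, <size>, <flags>]
KERNEL_WRITEABLE = re.compile(
    r"^(?P<section>\S+)\s+(?P<driver>.+?)\s+section is writeable\s+\[(?P<range>[^\]]+)\]"
)


def triage_gmer(text):
    """Return hooks split by whether GMER attributed the target to a module."""
    unattributed = defaultdict(list)   # (image, pid) -> [(module!export, target)]
    attributed = defaultdict(int)      # (path, vendor) -> number of hooks
    kernel_writeable = []              # (section, driver)
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_HOOK.match(line)
        if m:
            if m["path"]:
                attributed[(m["path"], m["vendor"])] += 1
            else:
                key = (m["image"], int(m["pid"]))
                unattributed[key].append((f"{m['module']}!{m['export']}", m["target"].upper()))
            continue
        k = KERNEL_WRITEABLE.match(line)
        if k:
            kernel_writeable.append((k["section"], k["driver"]))
    return {
        "unattributed": dict(unattributed),
        "attributed": dict(attributed),
        "kernel_writeable": kernel_writeable,
    }


def summarize(result):
    """Human-readable lines, unattributed hooks first, ordered by pid."""
    out = []
    for (image, pid), hooks in sorted(result["unattributed"].items(), key=lambda kv: kv[0][1]):
        out.append(f"REVIEW  {image} [{pid}]: {len(hooks)} hook(s) into unattributed memory")
        for export, target in hooks:
            out.append(f"        {export} -> {target}")
    for (path, vendor), n in result["attributed"].items():
        out.append(f"attrib  {n} hook(s) -> {path} ({vendor})")
    for section, driver in result["kernel_writeable"]:
        out.append(f"KERNEL  {driver}: {section} section is writeable")
    return out


# Constructed sample in the format of the GMER log above, cut down to a few lines.
SAMPLE_GMER = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB69D3360, 0x3E57A5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[204] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[588] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
"""

if __name__ == "__main__":
    print("\n".join(summarize(triage_gmer(SAMPLE_GMER))))
```

The useful question to ask of the output is whether the same unattributed targets recur across unrelated processes (here the identical ntdll hooks appear in iexplore, explorer, svchost and wuauclt), which points at something injected system-wide rather than at a quirk of one application. That pattern is consistent with an antivirus hooking layer as much as with malware, which is why the helper asks for the OTL driver and service listing alongside the GMER scan.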

#4
cezar1234
    Member
  • Topic Starter
  • 45 posts
Trying to upload my OTL scan, having trouble.
  • 0

#5
mitch8
    Trusted Helper
  • Malware Removal
  • 1,356 posts
Can you attach the log?
  • 0

#6
cezar1234
    Member
  • Topic Starter
  • 45 posts
Here is my OTL log attached; see if it works.

OTL logfile created on: 7/8/2010 5:46:12 PM - Run 1
OTL by OldTimer - Version 3.2.8.1 Folder = C:\Documents and Settings\Cezar\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.03 Gb Total Space | 44.46 Gb Free Space | 62.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CEZAR-6122A34D3
Current User Name: Cezar
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/08 16:55:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cezar\Desktop\OTL.exe
PRC - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/06/02 09:36:15 | 002,065,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/06/02 09:36:14 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/06/02 09:36:14 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/06/02 09:35:41 | 000,722,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/06/02 09:35:40 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/03/12 10:50:28 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/03/12 10:49:57 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/04/14 03:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/10/14 15:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe


========== Modules (SafeList) ==========

MOD - [2010/07/08 16:55:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cezar\Desktop\OTL.exe
MOD - [2008/04/14 03:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/12 10:50:28 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/03/12 10:49:57 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2006/03/03 22:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/06/02 09:36:14 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/06/02 09:36:14 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/12 10:49:57 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/11/24 17:51:43 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2009/09/27 17:12:22 | 007,655,872 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/02/27 13:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: ([2008/04/14 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKCU..\Run: [Corel Photo Downloader] C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe File not found
O4 - HKCU..\Run: [Steam] c:\program files\valve\steam\steam.exe (Valve Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.co...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {2FF8D282-F78A-4A33-ABC2-49E72A341482} http://riteaid.store...eUpload1_10.CAB (SFImageUpload1_10.ImageUpload)
O16 - DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} http://support.dell....lSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Cezar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Cezar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/24 19:33:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (69537929998893056)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/08 16:55:42 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Cezar\Desktop\OTL.exe
[2010/07/08 07:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/08 07:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/23 22:54:32 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/06/23 22:50:02 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/05/17 08:30:35 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
[2010/04/17 08:56:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cezar\Local Settings\Application Data\Identities
[2010/04/11 17:12:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cezar\My Documents\TurboTax
[2010/04/11 17:08:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\IsolatedStorage
[2010/04/11 17:08:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cezar\Local Settings\Application Data\Intuit
[2010/04/11 16:55:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cezar\Application Data\Intuit
[2010/04/11 16:55:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AnswerWorks 5.0
[2010/04/11 16:51:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Intuit
[2010/04/11 16:51:16 | 000,000,000 | ---D | C] -- C:\Program Files\TurboTax
[2010/04/11 16:50:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Intuit
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/07/08 17:46:02 | 000,012,373 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\When the scan completes.docx
[2010/07/08 17:45:37 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\Cezar\NTUSER.DAT
[2010/07/08 16:55:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cezar\Desktop\OTL.exe
[2010/07/08 16:53:52 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Cezar\Desktop\646yqpkv.exe
[2010/07/08 10:26:17 | 000,253,748 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/07/08 10:26:05 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/08 10:26:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/08 10:25:08 | 003,762,034 | -H-- | M] () -- C:\Documents and Settings\Cezar\Local Settings\Application Data\IconCache.db
[2010/07/08 10:24:29 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/07/08 09:59:28 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/08 09:14:12 | 061,755,599 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/07/07 20:50:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/24 14:31:52 | 000,011,581 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\gil.docx
[2010/06/24 14:31:43 | 000,013,123 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\Camping List.docx
[2010/06/23 22:55:13 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/06/20 18:11:54 | 000,024,073 | ---- | M] () -- C:\Documents and Settings\Cezar\Desktop\Summer Calendar.docx
[2010/06/02 09:36:14 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/06/02 09:36:14 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/05/21 14:55:47 | 000,189,692 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\The%2520Corn%2520Tortilla[1][1].docx
[2010/05/17 16:23:24 | 000,046,104 | ---- | M] () -- C:\Documents and Settings\Cezar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/17 14:05:16 | 000,000,024 | ---- | M] () -- C:\WINDOWS\herjek.config
[2010/05/08 16:52:39 | 000,010,491 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\biography.docx
[2010/05/04 19:34:21 | 000,010,324 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\Cezar Rossel.docx
[2010/05/02 17:35:38 | 000,226,728 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\cpnprt2.cid
[2010/05/02 17:35:37 | 000,226,728 | ---- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
[2010/04/23 15:45:51 | 000,076,297 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\The%20Corn%20Tortilla[1].docx
[2010/04/23 11:16:30 | 000,024,402 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\Maize work.docx
[2010/04/22 18:29:33 | 000,154,902 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\Tortilla 1234.pdf
[2010/04/20 09:18:55 | 000,193,776 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/17 11:23:16 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\Adress labels.doc
[2010/04/17 11:22:38 | 000,035,840 | ---- | M] () -- C:\Documents and Settings\Cezar\Desktop\Adress labels.doc
[2010/04/15 21:10:12 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2009.lnk
[2010/04/14 17:35:04 | 000,146,442 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\2009 Rossel A Form 1040 Individual Tax Return.tax2009.pdf
[2010/04/13 13:59:42 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\Cezar\Desktop\U-0087-02_P.doc
[2010/04/12 22:55:17 | 000,014,350 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\Origins.docx
[2010/04/12 14:47:47 | 000,057,963 | ---- | M] () -- C:\Documents and Settings\Cezar\Desktop\Train Save The Date.pdf
[2010/04/12 14:45:52 | 001,107,844 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\The Corn Tortilla Second.pptx
[2010/04/12 14:17:44 | 000,040,082 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\The Corn Tortilla.docx
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/08 17:46:02 | 000,012,373 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\When the scan completes.docx
[2010/07/08 16:53:47 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Cezar\Desktop\646yqpkv.exe
[2010/06/24 14:31:51 | 000,011,581 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\gil.docx
[2010/06/23 22:55:13 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/06/23 22:49:26 | 000,013,123 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\Camping List.docx
[2010/06/20 18:11:53 | 000,024,073 | ---- | C] () -- C:\Documents and Settings\Cezar\Desktop\Summer Calendar.docx
[2010/05/20 17:00:48 | 000,189,692 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\The%2520Corn%2520Tortilla[1][1].docx
[2010/05/17 14:05:16 | 000,000,024 | ---- | C] () -- C:\WINDOWS\herjek.config
[2010/05/08 16:52:39 | 000,010,491 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\biography.docx
[2010/05/04 19:34:20 | 000,010,324 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\Cezar Rossel.docx
[2010/04/23 10:02:38 | 000,024,402 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\Maize work.docx
[2010/04/22 18:29:33 | 000,154,902 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\Tortilla 1234.pdf
[2010/04/17 11:23:15 | 000,039,424 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\Adress labels.doc
[2010/04/17 11:22:07 | 000,035,840 | ---- | C] () -- C:\Documents and Settings\Cezar\Desktop\Adress labels.doc
[2010/04/14 17:35:04 | 000,146,442 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\2009 Rossel A Form 1040 Individual Tax Return.tax2009.pdf
[2010/04/12 22:55:17 | 000,014,350 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\Origins.docx
[2010/04/12 14:47:47 | 000,057,963 | ---- | C] () -- C:\Documents and Settings\Cezar\Desktop\Train Save The Date.pdf
[2010/04/12 14:12:07 | 001,107,844 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\The Corn Tortilla Second.pptx
[2010/04/11 16:53:11 | 000,002,447 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2009.lnk
[2010/02/24 16:03:55 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2009/11/24 19:57:55 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2001/07/07 04:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2009/11/24 20:51:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/03/31 21:41:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/11/28 22:22:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/12/06 20:37:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Cezar\Application Data\E-centives

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/11/24 19:33:53 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/11/24 19:27:06 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2009/11/24 19:33:53 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/11/24 21:43:12 | 000,000,016 | ---- | M] () -- C:\h.txt
[2009/11/24 19:33:53 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/11/24 19:33:53 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 03:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 03:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/07/08 10:26:00 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/11/24 19:33:20 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\system32\spool\prtprocs\w32x86\*.tmp >

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/04/10 15:02:32 | 000,074,240 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp054.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/11/24 11:12:58 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/11/24 11:12:58 | 002,322,432 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/11/24 11:12:57 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2008/04/14 03:00:00 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/04/14 03:00:00 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\ws2help.dll /md5 >
[2008/04/14 03:00:00 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=9789E95E1D88EEB4B922BF3EA7779C28 -- C:\WINDOWS\system32\ws2help.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
< End of report >

Attached File: OTL.Txt (50.89KB)

Edited by Essexboy, 09 July 2010 - 12:22 PM.

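Editor's note on the log above, with an added example that is not part of the original post and not part of OTL: two entries in this log are the ones a malware-removal helper would zero in on. The O20 line shows the HKLM Winlogon UserInit value pointing at C:\WINDOWS\system32\sdra64.exe, a non-Microsoft binary that OTL reports as "File not found" (the registry value still references it even though the file is gone). On a clean Windows XP install UserInit holds only C:\WINDOWS\system32\userinit.exe and Shell holds only Explorer.exe. The "Files/Folders - Created Within 90 Days" section also shows a hidden+system folder C:\WINDOWS\System32\lowsec created on 2010/05/17, the same day as C:\WINDOWS\herjek.config. A UserInit hijack plus a hidden System32\lowsec folder is the well-documented footprint of the Zeus/Zbot banking trojan, which fits the search-redirect symptom reported at the top of the thread. The script below, written for this note, parses OTL-style O20 and file-listing lines and flags exactly those conditions. The sample input is constructed from lines copied out of the log above; the known-good Winlogon values are an assumption about a stock XP system; the function and rule names are the editor's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: these lines are copied from the OTL log posted in this
# thread (three O20 Winlogon entries and two "Created Within 90 Days" entries).
SAMPLE_OTL = r"""
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
[2010/05/17 08:30:35 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
[2010/07/08 16:55:42 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Cezar\Desktop\OTL.exe
"""

# Assumed known-good Winlogon values for a stock Windows XP install; anything
# else chained into Shell or UserInit runs at every interactive logon.
EXPECTED_WINLOGON = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# "O20 - HKLM Winlogon: <Name> - (<registry value>) - <resolved file> <company or status>"
O20_RE = re.compile(
    r"^O20 - HKLM Winlogon: (?P<name>Shell|UserInit) - \((?P<value>[^)]*)\) - (?P<rest>.*)$"
)
# "[<timestamp> | <size> | <attrs RHSD> | C/M] (<company>) -- <path>"
FILE_RE = re.compile(
    r"^\[(?P<ts>[^|]+)\| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\([^)]*\) )?-- (?P<path>.+)$"
)


@dataclass
class Finding:
    rule: str
    line: str
    detail: str


def check_winlogon(line: str) -> List[Finding]:
    """Flag Shell/UserInit entries that are not the expected binaries or whose file is missing."""
    m = O20_RE.match(line)
    if not m:
        return []
    name = m.group("name").lower()
    findings = []
    # The value can hold several comma-separated entries (UserInit normally ends
    # with a trailing comma); compare each one case-insensitively to the baseline.
    for entry in filter(None, (e.strip() for e in m.group("value").split(","))):
        if entry.lower() not in EXPECTED_WINLOGON[name]:
            findings.append(Finding("winlogon-unexpected-" + name, line,
                                    f"{name} value points to {entry}"))
    if m.group("rest").endswith("File not found"):
        findings.append(Finding("winlogon-dangling-" + name, line,
                                "registry value references a file that no longer exists"))
    return findings


def check_hidden_system_dir(line: str) -> List[Finding]:
    """Flag a hidden+system directory created under System32, an unusual thing for legitimate software to do."""
    m = FILE_RE.match(line)
    if not m:
        return []
    attrs, path = m.group("attrs"), m.group("path")
    if "H" in attrs and "S" in attrs and "D" in attrs and "\\system32\\" in path.lower():
        return [Finding("hidden-system-dir-in-system32", line,
                        f"hidden+system folder created in System32: {path}")]
    return []


def scan_otl(text: str) -> List[Finding]:
    """Run every rule over each line of an OTL log and collect the findings."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        findings += check_winlogon(line)
        findings += check_hidden_system_dir(line)
    return findings


if __name__ == "__main__":
    for f in scan_otl(SAMPLE_OTL):
        print(f"[{f.rule}] {f.detail}")
```

Run against the sample it reports the UserInit value pointing at sdra64.exe, the dangling reference to that missing file, and the hidden System32\lowsec folder, while the Shell line, the AVG Winlogon notify DLL and the OTL.exe download pass clean. The practical lesson for reading these logs: an O20 UserInit entry that is anything other than userinit.exe is the finding, whether or not the file still exists, and it should be removed from the registry value rather than just having the binary deleted.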

#7
cezar1234

    Member

  • Topic Starter
  • 45 posts
And the other OTL

OTL Extras logfile created on: 7/8/2010 5:46:12 PM - Run 1
OTL by OldTimer - Version 3.2.8.1 Folder = C:\Documents and Settings\Cezar\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.03 Gb Total Space | 44.46 Gb Free Space | 62.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CEZAR-6122A34D3
Current User Name: Cezar
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Valve\Steam\SteamApps\[email protected]\counter-strike source\hl2.exe" = C:\Program Files\Valve\Steam\SteamApps\[email protected]\counter-strike source\hl2.exe:*:Enabled:Counter-Strike: Source -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam™
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{360EDFB0-EAA2-012B-AD16-000000000000}" = TurboTax 2009 wcaiper
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = iSEEK AnswerWorks English Runtime
"{9FC8D8F8-AF3A-4488-98AF-51C6DEC732F2}" = c3100_Help
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D45EC259-4A19-4656-B588-C2C360DD18EA}" = Half-Life® 2
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{DC2FA8DF-25B8-49AC-AEA7-6F4489CC04F7}" = bodybugg Software
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{EB8C9964-09AC-48bf-8B98-027609C78251}" = C3100
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FB26A501-6BA6-459B-89AA-9736730752FB}" = VoiceOver Kit
"{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AVG9Uninstall" = AVG Free 9.0
"Belarc Advisor" = Belarc Advisor 8.1
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPExtendedCapabilities" = HP Customer Participation Program 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"IE8" = Sereby's Updatepack - IE8 Addon Version 1.0.7
"InstallShield_{DC2FA8DF-25B8-49AC-AEA7-6F4489CC04F7}" = bodybugg Software
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Steam App 10" = Counter-Strike
"Steam App 220" = Half-Life 2
"Steam App 240" = Counter-Strike: Source
"Steam App 400" = Portal
"SystemRequirementsLab" = System Requirements Lab
"TurboTax 2009" = TurboTax 2009
"Windows Media Encoder 9" = Windows Media Encoder 9 Series

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/8/2010 1:23:47 PM | Computer Name = CEZAR-6122A34D3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 7/8/2010 4:14:16 PM | Computer Name = CEZAR-6122A34D3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 7/8/2010 4:14:16 PM | Computer Name = CEZAR-6122A34D3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 7/8/2010 4:24:17 PM | Computer Name = CEZAR-6122A34D3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 7/8/2010 4:24:18 PM | Computer Name = CEZAR-6122A34D3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 7/8/2010 6:26:08 PM | Computer Name = CEZAR-6122A34D3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 7/8/2010 6:26:08 PM | Computer Name = CEZAR-6122A34D3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 7/8/2010 6:36:09 PM | Computer Name = CEZAR-6122A34D3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 7/8/2010 6:36:09 PM | Computer Name = CEZAR-6122A34D3 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 7/8/2010 8:02:20 PM | Computer Name = CEZAR-6122A34D3 | Source = Application Error | ID = 1000
Description = Faulting application 646yqpkv.exe, version 1.0.15.15281, faulting
module 646yqpkv.exe, version 1.0.15.15281, fault address 0x0005c887.

[ System Events ]
Error - 6/30/2010 9:32:57 PM | Computer Name = CEZAR-6122A34D3 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 6/30/2010 9:32:57 PM | Computer Name = CEZAR-6122A34D3 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 7/8/2010 12:59:37 PM | Computer Name = CEZAR-6122A34D3 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 7/8/2010 12:59:37 PM | Computer Name = CEZAR-6122A34D3 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 7/8/2010 1:26:11 PM | Computer Name = CEZAR-6122A34D3 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 7/8/2010 1:26:11 PM | Computer Name = CEZAR-6122A34D3 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >

Edited by Essexboy, 09 July 2010 - 12:23 PM.

#8 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
Hi,

Your computer has been infected by a backdoor Trojan. The Trojan on your computer steals information such as passwords and other data. Before we start, I recommend that you:
  • Use another, uninfected computer to change all your internet passwords, especially your financial passwords such as your bank, PayPal and eBay logins. Also change the passwords for any other sites that you use.
  • Closely monitor all bank and credit card statements. If you see anything wrong, call your financial companies, tell them that your account may have been compromised and ask what you can do.
  • If you do think that you are a victim of identity theft you can go to Defend: Recover From Identity Theft to learn more.
  • If you want to learn more about backdoor Trojans you can go to: What is a backdoor Trojan?

Step 1

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
    [2010/05/17 08:30:35 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
    [2010/05/17 14:05:16 | 000,000,024 | ---- | M] () -- C:\WINDOWS\herjek.config
    [2010/05/02 17:35:38 | 000,226,728 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\cpnprt2.cid
    [2010/05/02 17:35:37 | 000,226,728 | ---- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Step 2

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See the extra note below.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#9 cezar1234 (Member, Topic Starter, 45 posts)
Thanks, will do today. It will take a while to change all my passwords.

#10 cezar1234 (Member, Topic Starter, 45 posts)
Is it really important to change my passwords first, or can I go ahead and change them later?

#11 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)

"Why change all the passwords first? Just wondering."


If the Trojan stole your passwords, it is important that you change them so the malware writer doesn't have access to your online accounts. It is important to do this on another computer that isn't infected, so the Trojan doesn't steal your new passwords.

#12 cezar1234 (Member, Topic Starter, 45 posts)
I understand that. I have another computer that is not infected. Do I need to do it before I fix this computer?

#13 mitch8 (Trusted Helper, Malware Removal, 1,356 posts)
You don't have to change your passwords first. It's just recommended in case you bank online or have another online account that you want to make sure is safe.

#14 cezar1234 (Member, Topic Starter, 45 posts)
OTL logfile created on: 7/9/2010 7:27:25 PM - Run 2
OTL by OldTimer - Version 3.2.8.1 Folder = C:\Documents and Settings\Cezar\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.03 Gb Total Space | 47.71 Gb Free Space | 67.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CEZAR-6122A34D3
Current User Name: Cezar
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/09 08:46:48 | 000,074,752 | -HS- | M] (Jznof) -- C:\Documents and Settings\Cezar\Application Data\SystemProc\lsass.exe
PRC - [2010/07/08 16:55:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cezar\Desktop\OTL.exe
PRC - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/06/02 09:36:15 | 002,065,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/06/02 09:36:14 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/06/02 09:36:14 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/06/02 09:35:41 | 000,722,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/06/02 09:35:40 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/05/07 08:02:12 | 001,238,352 | ---- | M] (Valve Corporation) -- C:\Program Files\Valve\Steam\steam.exe
PRC - [2010/03/12 10:50:28 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/03/12 10:49:57 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/04/14 03:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/03 22:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2004/10/14 15:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe


========== Modules (SafeList) ==========

MOD - [2010/07/08 16:55:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cezar\Desktop\OTL.exe
MOD - [2008/04/14 03:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/12 10:50:28 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/03/12 10:49:57 | 000,916,760 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2006/03/03 22:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/06/02 09:36:14 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/06/02 09:36:14 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/12 10:49:57 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/11/24 17:51:43 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2009/09/27 17:12:22 | 007,655,872 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/02/27 13:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


[2010/07/09 08:46:55 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/09 08:46:55 | 000,000,000 | ---D | M] (Firefox security) -- C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}

O1 HOSTS File: ([2008/04/14 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKCU..\Run: [Corel Photo Downloader] C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe File not found
O4 - HKCU..\Run: [Steam] c:\program files\valve\steam\steam.exe (Valve Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: RTHDBPL = C:\Documents and Settings\Cezar\Application Data\SystemProc\lsass.exe (Jznof)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.co...sreqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {2FF8D282-F78A-4A33-ABC2-49E72A341482} http://riteaid.store...eUpload1_10.CAB (SFImageUpload1_10.ImageUpload)
O16 - DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} http://support.dell....lSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\Cezar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Cezar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/24 19:33:53 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/07/09 19:24:31 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/07/09 08:46:56 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Cezar\Application Data\SystemProc
[2010/07/09 08:46:55 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/07/09 03:31:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/08 16:55:42 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Cezar\Desktop\OTL.exe
[2010/07/08 07:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/08 07:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/23 22:54:32 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/06/23 22:50:02 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/17 08:56:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cezar\Local Settings\Application Data\Identities
[2010/04/11 17:12:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cezar\My Documents\TurboTax
[2010/04/11 17:08:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\IsolatedStorage
[2010/04/11 17:08:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cezar\Local Settings\Application Data\Intuit
[2010/04/11 16:55:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cezar\Application Data\Intuit
[2010/04/11 16:55:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AnswerWorks 5.0
[2010/04/11 16:51:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Intuit
[2010/04/11 16:51:16 | 000,000,000 | ---D | C] -- C:\Program Files\TurboTax
[2010/04/11 16:50:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Intuit

========== Files - Modified Within 90 Days ==========

[2010/07/09 19:27:09 | 000,253,748 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/07/09 19:26:14 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/09 19:26:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/09 19:25:33 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\Cezar\NTUSER.DAT
[2010/07/09 18:42:55 | 061,808,162 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/07/09 14:27:26 | 003,762,842 | -H-- | M] () -- C:\Documents and Settings\Cezar\Local Settings\Application Data\IconCache.db
[2010/07/09 03:31:05 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/08 18:05:07 | 000,029,727 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\When the scan completes.docx
[2010/07/08 16:55:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cezar\Desktop\OTL.exe
[2010/07/08 16:53:52 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Cezar\Desktop\646yqpkv.exe
[2010/07/08 10:24:29 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/07/08 09:59:28 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/07 20:50:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/24 14:31:52 | 000,011,581 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\gil.docx
[2010/06/24 14:31:43 | 000,013,123 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\Camping List.docx
[2010/06/23 22:55:13 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/06/20 18:11:54 | 000,024,073 | ---- | M] () -- C:\Documents and Settings\Cezar\Desktop\Summer Calendar.docx
[2010/06/02 09:36:14 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/06/02 09:36:14 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/05/21 14:55:47 | 000,189,692 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\The%2520Corn%2520Tortilla[1][1].docx
[2010/05/17 16:23:24 | 000,046,104 | ---- | M] () -- C:\Documents and Settings\Cezar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/08 16:52:39 | 000,010,491 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\biography.docx
[2010/05/04 19:34:21 | 000,010,324 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\Cezar Rossel.docx
[2010/04/23 15:45:51 | 000,076,297 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\The%20Corn%20Tortilla[1].docx
[2010/04/23 11:16:30 | 000,024,402 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\Maize work.docx
[2010/04/22 18:29:33 | 000,154,902 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\Tortilla 1234.pdf
[2010/04/20 09:18:55 | 000,193,776 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/17 11:23:16 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\Adress labels.doc
[2010/04/17 11:22:38 | 000,035,840 | ---- | M] () -- C:\Documents and Settings\Cezar\Desktop\Adress labels.doc
[2010/04/15 21:10:12 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2009.lnk
[2010/04/14 17:35:04 | 000,146,442 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\2009 Rossel A Form 1040 Individual Tax Return.tax2009.pdf
[2010/04/13 13:59:42 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\Cezar\Desktop\U-0087-02_P.doc
[2010/04/12 22:55:17 | 000,014,350 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\Origins.docx
[2010/04/12 14:47:47 | 000,057,963 | ---- | M] () -- C:\Documents and Settings\Cezar\Desktop\Train Save The Date.pdf
[2010/04/12 14:45:52 | 001,107,844 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\The Corn Tortilla Second.pptx
[2010/04/12 14:17:44 | 000,040,082 | ---- | M] () -- C:\Documents and Settings\Cezar\My Documents\The Corn Tortilla.docx

========== Files Created - No Company Name ==========

[2010/07/08 17:46:02 | 000,029,727 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\When the scan completes.docx
[2010/07/08 16:53:47 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Cezar\Desktop\646yqpkv.exe
[2010/06/24 14:31:51 | 000,011,581 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\gil.docx
[2010/06/23 22:55:13 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/06/23 22:49:26 | 000,013,123 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\Camping List.docx
[2010/06/20 18:11:53 | 000,024,073 | ---- | C] () -- C:\Documents and Settings\Cezar\Desktop\Summer Calendar.docx
[2010/05/20 17:00:48 | 000,189,692 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\The%2520Corn%2520Tortilla[1][1].docx
[2010/05/08 16:52:39 | 000,010,491 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\biography.docx
[2010/05/04 19:34:20 | 000,010,324 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\Cezar Rossel.docx
[2010/04/23 10:02:38 | 000,024,402 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\Maize work.docx
[2010/04/22 18:29:33 | 000,154,902 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\Tortilla 1234.pdf
[2010/04/17 11:23:15 | 000,039,424 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\Adress labels.doc
[2010/04/17 11:22:07 | 000,035,840 | ---- | C] () -- C:\Documents and Settings\Cezar\Desktop\Adress labels.doc
[2010/04/14 17:35:04 | 000,146,442 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\2009 Rossel A Form 1040 Individual Tax Return.tax2009.pdf
[2010/04/12 22:55:17 | 000,014,350 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\Origins.docx
[2010/04/12 14:47:47 | 000,057,963 | ---- | C] () -- C:\Documents and Settings\Cezar\Desktop\Train Save The Date.pdf
[2010/04/12 14:12:07 | 001,107,844 | ---- | C] () -- C:\Documents and Settings\Cezar\My Documents\The Corn Tortilla Second.pptx
[2010/04/11 16:53:11 | 000,002,447 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2009.lnk
[2010/02/24 16:03:55 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2009/11/24 19:57:55 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2001/07/07 04:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2009/11/24 20:51:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/03/31 21:41:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/11/28 22:22:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/12/06 20:37:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Cezar\Application Data\E-centives
[2010/07/09 08:46:56 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Cezar\Application Data\SystemProc

========== Purity Check ==========


< End of report >
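The OTL fix in post #8 removes a Winlogon UserInit value pointing at sdra64.exe, a hidden-and-system lowsec folder under System32 and a ProxyEnable = 1 setting, and the Quick Scan log just above shows a second set of indicators: an lsass.exe running from Application Data\SystemProc with hidden and system attributes, started from a policies\Explorer\Run value. As an added example (not part of this thread and not OTL's own code), the Python below turns those checks into rules run over OTL-style log lines. The sample lines are constructed from the shape of the logs on this page; the expected Winlogon defaults and the list of System32-only process names are assumptions for a 32-bit Windows XP install.

```python
"""Rule-based triage of OTL log lines (added example, not OTL's own code)."""
import re
from typing import Dict, List

# Assumed defaults for a 32-bit Windows XP install; adjust for other layouts.
EXPECTED_USERINIT = {"c:\\windows\\system32\\userinit.exe"}
EXPECTED_SHELL = {"explorer.exe"}
SYSTEM32 = "c:\\windows\\system32"
# Core processes that legitimately run only from System32; a same-named
# binary anywhere else is a lookalike (assumed list).
SYSTEM_ONLY = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
               "services.exe", "svchost.exe"}

# "[date | size | attrs | C/M] (company) -- path", optionally prefixed by PRC/MOD/SRV/DRV.
FILE_ENTRY = re.compile(
    r"^(?:(?:PRC|MOD|SRV|DRV)\s+-\s+)?\[[^|]+\|\s*[\d,]+\s*\|\s*(?P<attrs>[-A-Z]{4})"
    r"\s*\|\s*[CM]\]\s*(?:\([^)]*\)\s*)?--\s*(?P<path>.+)$"
)
WINLOGON = re.compile(r"^O20 - HKLM Winlogon: (?P<value>UserInit|Shell) - \((?P<raw>[^)]*)\)")
PROXY = re.compile(r'"ProxyEnable" = (?P<val>\d+)')
POLICY_RUN = re.compile(r"^O6 - HKLM\\.*\\policies\\Explorer\\Run: [^=]+ = (?P<path>.+)$")

# Constructed sample: the shape of the OTL lines quoted in this thread.
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra64.exe) - C:\WINDOWS\System32\sdra64.exe File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - [2010/07/09 08:46:48 | 000,074,752 | -HS- | M] (Jznof) -- C:\Documents and Settings\Cezar\Application Data\SystemProc\lsass.exe
PRC - [2008/04/14 03:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: RTHDBPL = C:\Documents and Settings\Cezar\Application Data\SystemProc\lsass.exe (Jznof)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
[2010/05/17 08:30:35 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\lowsec
"""


def _check_file_entry(attrs: str, path: str) -> List[str]:
    """Attribute and location rules for one file, folder or process path."""
    reasons: List[str] = []
    path_l = path.strip().lower()
    folder, _, name = path_l.rpartition("\\")
    # Executables are never legitimately hidden or system-flagged.
    if name.endswith((".exe", ".dll", ".sys")) and ("H" in attrs or "S" in attrs):
        reasons.append("hidden_or_system_attrs")
    # lsass.exe outside System32 is a lookalike, whatever it claims to be.
    if name in SYSTEM_ONLY and folder != SYSTEM32:
        reasons.append("system_name_outside_system32")
    # A hidden+system directory created inside System32 (the lowsec folder).
    if all(c in attrs for c in "HSD") and folder == SYSTEM32:
        reasons.append("hidden_system_dir_in_system32")
    return reasons


def _check_winlogon(value: str, raw: str) -> List[str]:
    """UserInit/Shell are comma-separated lists; infections replace or append an entry."""
    expected = EXPECTED_USERINIT if value == "UserInit" else EXPECTED_SHELL
    items = [p.strip().lower() for p in raw.split(",") if p.strip()]
    return ["winlogon_tamper"] if any(p not in expected for p in items) else []


def scan_otl(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, with the rules it tripped."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons: List[str] = []
        m = PROXY.search(line)
        if m and m.group("val") != "0":
            reasons.append("proxy_enabled")      # traffic silently routed via a proxy
        m = WINLOGON.match(line)
        if m:
            reasons += _check_winlogon(m.group("value"), m.group("raw"))
        m = POLICY_RUN.match(line)
        if m:
            reasons.append("policy_run_key")     # rarely used by legitimate software
            # O6 paths carry a trailing "(Company)"; drop it before checking the path.
            reasons += _check_file_entry("----", m.group("path").rsplit(" (", 1)[0])
        m = FILE_ENTRY.match(line)
        if m:
            # SRV/DRV lines end with "-- (ServiceName)"; keep only the path.
            reasons += _check_file_entry(m.group("attrs"), m.group("path").split(" -- ")[0])
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_otl(SAMPLE_LOG):
        print(", ".join(f["reasons"]), "<-", f["line"])
```

Run against a whole OTL log by reading the file into scan_otl(). The UserInit rule fires on the registry value itself rather than on OTL's "File not found" marker, because the value is the persistence point and will be repopulated if the dropper is still running; the O6 rule deliberately flags any policies\Explorer\Run entry and leaves it to the reader to whitelist known software.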

#15 cezar1234 (Member, Topic Starter, 45 posts)
All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\sdra64.exe deleted successfully.
C:\WINDOWS\System32\lowsec folder moved successfully.
C:\WINDOWS\herjek.config moved successfully.
C:\WINDOWS\cpnprt2.cid moved successfully.
C:\WINDOWS\system32\cpnprt2.cid moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Cezar
->Temp folder emptied: 485928855 bytes
->Temporary Internet Files folder emptied: 287621631 bytes
->Java cache emptied: 7286456 bytes
->Flash cache emptied: 40661 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 134447 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 5369626 bytes
->Java cache emptied: 15 bytes
->Flash cache emptied: 11214 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 69715977 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 819.00 mb


[EMPTYFLASH]