Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Google Redirect Virus


  • Please log in to reply

#1
firegypsysasha

firegypsysasha

    Member

  • Member
  • PipPip
  • 15 posts
Okay so I have had this problem with google redirecting anything I search to random pages. My computer is running extremely slow and I am worried that it is just going to get worse. I have tried all my spyware and antivirus programs with no luck and I have no idea how to remove it. I just downloaded Hijack this and this is my log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:18:28 PM, on 10/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17091)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\xampp\mysql\bin\mysqld.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\8.0"
O4 - HKLM\..\Run: [HKLM] C:\WINDOWS\system32\Java\javaupdate.exe
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EPSON WorkForce 30 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEEA.EXE /FU "C:\WINDOWS\TEMP\E_S4F6.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ZE18MW23GY] C:\DOCUME~1\FIREGY~1\LOCALS~1\Temp\Wpk.exe
O4 - HKCU\..\Run: [HKCU] C:\WINDOWS\system32\Java\javaupdate.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\Java\javaupdate.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\Java\javaupdate.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1229907710605
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37A99711-1C25-4A54-AED4-5093C5AFF9D4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B963B85-F924-40F3-B661-4D3288FADB1E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8497 bytes
  • 0

Advertisements


#2
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,047 posts
Hello firegypsysasha,

Welcome to Geekstogo.

You may have used Malwarebytes before. If you have, and still have it on your machine, please update and run. Post the scan report back here.

If you do not have Malwarebytes please download from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Next

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so.

    o When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    o Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post back here.
So when you return please post
  • MBAM log
  • the two OTL logs - OTL.txt and Extras.txt


Note: Unless otherwise instructed always post the logs in the forum. If reports don't fit on one post. It might be necessary to break the logs up to get them on the forum. Just use as many posts as you need, that's fine. :D
  • 0

#3
firegypsysasha

firegypsysasha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay so here is my malwarebytes report.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4865

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

10/17/2010 9:51:46 PM
mbam-log-2010-10-17 (21-51-46).txt

Scan type: Quick scan
Objects scanned: 145887
Time elapsed: 27 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\10DPP6O2VE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ZE18MW23GY (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Backdoor.SpyNet.M) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hkcu (Backdoor.SpyNet.M) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ze18mw23gy (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\policies (Backdoor.SpyNet.M) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hklm (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-343818398-1275210071-682003330-1005\Dc15.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Documents and Settings\Fire Gypsy\Local Settings\Temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.



OTL log

OTL logfile created on: 10/17/2010 10:03:40 PM - Run 1
OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

639.00 Mb Total Physical Memory | 123.00 Mb Available Physical Memory | 19.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 0.42 Gb Free Space | 1.13% Space Free | Partition Type: NTFS
Drive D: | 107.95 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: SASHA | User Name: Fire Gypsy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/10/17 22:02:39 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\OTL.exe
PRC - [2010/05/12 18:57:50 | 000,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/12/22 10:04:56 | 000,382,384 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2008/12/22 00:31:30 | 000,185,872 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/12/09 19:10:14 | 000,024,636 | ---- | M] (Apache Software Foundation) -- C:\xampp\apache\bin\apache.exe
PRC - [2008/11/15 00:53:14 | 006,447,744 | ---- | M] () -- C:\xampp\mysql\bin\mysqld.exe
PRC - [2008/10/15 14:31:53 | 000,068,865 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
PRC - [2008/10/15 14:30:02 | 000,151,297 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
PRC - [2008/09/10 14:01:28 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/06/12 14:28:45 | 000,266,497 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/28 12:23:44 | 005,527,040 | ---- | M] (Linksys) -- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
PRC - [2005/07/04 17:46:04 | 000,053,307 | ---- | M] (GEMTEKS) -- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe


========== Modules (SafeList) ==========

MOD - [2010/10/17 22:02:39 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Running] -- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe WUSB54GC.exe -- (WUSB54GCSVC)
SRV - [2010/03/18 16:47:22 | 000,035,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe -- (aspnet_state)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/12/09 19:10:14 | 000,024,636 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\xampp\apache\bin\apache.exe -- (Apache2.2)
SRV - [2008/11/15 00:53:14 | 006,447,744 | ---- | M] () [Auto | Running] -- C:\xampp\mysql\bin\mysqld.exe -- (mysql)
SRV - [2008/11/10 12:35:36 | 000,587,776 | ---- | M] (FileZilla Project) [On_Demand | Stopped] -- c:\xampp\FileZillaFTP\FileZillaServer.exe -- (FileZilla Server)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/15 14:31:53 | 000,068,865 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe -- (AntiVirScheduler)
SRV - [2008/10/15 14:30:02 | 000,151,297 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe -- (AntiVirService)
SRV - [2008/09/10 14:01:28 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)


========== Driver Services (SafeList) ==========

DRV - [2009/05/27 21:27:18 | 000,075,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/05/27 21:26:56 | 000,052,056 | ---- | M] (Avira GmbH) [File_System | On_Demand | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys -- (avgntflt)
DRV - [2009/05/27 21:26:53 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys -- (avgio)
DRV - [2009/02/21 02:43:59 | 000,027,136 | ---- | M] (NCH Swift Sound) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nchssvad.sys -- (NCHSSVAD)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/03/01 10:34:22 | 000,028,352 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2005/11/24 20:51:38 | 000,245,248 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2004/08/03 18:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/09/25 23:15:32 | 000,015,872 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\GTNDIS5.sys -- (GTNDIS5)
DRV - [2003/08/11 10:07:46 | 000,014,604 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/03/05 12:19:28 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PFMODNT.SYS -- (PfModNT)
DRV - [2001/08/17 12:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2001/08/17 08:11:42 | 000,029,696 | ---- | M] (CNet Technology, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.4
FF - prefs.js..extensions.enabledItems: [email protected]:2.0.6
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.071101000055
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.type: 4


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/12/22 00:31:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/12 18:58:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/20 22:38:31 | 000,000,000 | ---D | M]

[2009/03/30 23:55:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Extensions
[2009/03/30 23:55:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Extensions\[email protected]
[2010/10/17 22:00:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions
[2009/09/04 03:59:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/06/25 21:45:55 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/06/18 16:53:59 | 000,000,000 | ---D | M] (Fast Video Download) -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\{c50ca3c4-5656-43c2-a061-13e717f73fc8}
[2009/08/11 12:11:36 | 000,000,000 | ---D | M] (Bazzacuda Image Saver Plus) -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\{FF2FA6A4-B3B1-11DD-B910-6C9A55D89593}
[2010/06/21 18:02:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]
[2009/08/12 14:30:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]
[2009/02/16 20:39:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]
[2010/06/21 18:02:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]
[2010/10/16 21:30:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/08/17 22:19:21 | 000,416,685 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14383 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime Alternative\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdatePDRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKCU..\Run: [EPSON WorkForce 30 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEEA.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\Fire Gypsy\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1229907710605 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Fire Gypsy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Fire Gypsy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/21 20:57:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{798efbd3-bf9f-11de-87fb-0008a10c6885}\Shell - "" = AutoRun
O33 - MountPoints2\{798efbd3-bf9f-11de-87fb-0008a10c6885}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{798efbd3-bf9f-11de-87fb-0008a10c6885}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
Drivers32: msacm.at3 - C:\WINDOWS\System32\atrac3.acm ()
Drivers32: msacm.divxa32 - C:\WINDOWS\System32\DivXa32.acm (Packed With Joy !)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.ffds - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.hfyu - C:\WINDOWS\System32\huffyuv.dll (Disappearing Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.vp60 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: vidc.vp61 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: vidc.vp62 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: vidc.xvid - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: wave - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17465059307421696)

========== Files/Folders - Created Within 30 Days ==========

[2010/10/14 03:24:03 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/10/13 19:09:28 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2010/10/13 19:09:28 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2010/10/13 19:08:50 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2010/09/21 14:35:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Fire Gypsy\Application Data\Malwarebytes
[2010/09/21 14:32:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/21 14:32:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/09/21 14:32:06 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/21 14:32:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/18 12:23:26 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42u.dll
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/17 21:59:06 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/17 21:56:14 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/10/17 21:56:00 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/10/17 21:55:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/17 21:54:55 | 669,896,704 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/17 04:19:00 | 000,000,454 | ---- | M] () -- C:\WINDOWS\tasks\Driver Robot.job
[2010/10/15 13:40:46 | 000,011,896 | ---- | M] () -- C:\Documents and Settings\Fire Gypsy\My Documents\Performance Agreement.docx
[2010/10/15 13:40:46 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Fire Gypsy\My Documents\~$rformance Agreement.docx
[2010/10/14 03:57:00 | 000,197,752 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/14 03:38:35 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/10/14 03:21:22 | 000,000,175 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/10/08 03:19:34 | 000,523,196 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/08 03:19:34 | 000,094,604 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/05 23:19:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/01 18:12:19 | 000,138,752 | ---- | M] () -- C:\Documents and Settings\Fire Gypsy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/29 20:21:01 | 000,331,776 | ---- | M] () -- C:\Documents and Settings\Fire Gypsy\My Documents\ETM Application_Sasha Gaulin.doc
[2010/09/21 14:32:48 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/20 22:39:23 | 000,001,484 | ---- | M] () -- C:\Documents and Settings\Fire Gypsy\Desktop\DivX Movies.lnk
[2010/09/20 22:37:30 | 000,000,777 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[2010/09/18 12:23:26 | 000,974,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mfc42u.dll
[2010/09/18 12:23:26 | 000,974,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42u.dll
[2010/09/18 02:53:25 | 000,974,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mfc42.dll
[2010/09/18 02:53:25 | 000,974,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2010/09/18 02:53:25 | 000,954,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mfc40.dll
[2010/09/18 02:53:25 | 000,954,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40.dll
[2010/09/18 02:53:25 | 000,953,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mfc40u.dll
[2010/09/18 02:53:25 | 000,953,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/15 13:40:46 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Fire Gypsy\My Documents\~$rformance Agreement.docx
[2010/10/15 13:40:45 | 000,011,896 | ---- | C] () -- C:\Documents and Settings\Fire Gypsy\My Documents\Performance Agreement.docx
[2010/09/29 20:20:48 | 000,331,776 | ---- | C] () -- C:\Documents and Settings\Fire Gypsy\My Documents\ETM Application_Sasha Gaulin.doc
[2010/09/21 14:32:48 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/20 22:37:30 | 000,000,777 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[2010/08/12 03:41:13 | 000,000,175 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/09/24 15:30:45 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/09/24 15:29:53 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPWF30.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/19 01:04:13 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ANS2000.INI
[2009/06/19 01:04:13 | 000,000,020 | -H-- | C] () -- C:\WINDOWS\akebook.ini
[2009/06/19 01:04:13 | 000,000,004 | -H-- | C] () -- C:\WINDOWS\a3kebook.ini
[2009/02/09 21:36:44 | 000,000,068 | ---- | C] () -- C:\WINDOWS\MyProg.ini
[2009/02/03 16:41:02 | 000,000,022 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/01/29 13:52:00 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/01/19 21:32:48 | 000,138,752 | ---- | C] () -- C:\Documents and Settings\Fire Gypsy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/28 12:59:44 | 004,377,500 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/28 11:51:00 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/28 11:50:50 | 000,145,609 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2008/12/28 11:49:08 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/12/27 21:24:51 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2008/12/27 21:24:26 | 000,001,361 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2008/12/21 15:43:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/12/12 12:57:38 | 000,142,848 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2008/12/09 14:57:26 | 000,183,296 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2008/12/09 14:57:18 | 000,178,688 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2008/12/09 14:57:02 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2008/12/09 14:56:42 | 000,146,944 | ---- | C] () -- C:\WINDOWS\System32\ff_tremor.dll
[2008/12/09 14:56:34 | 000,257,024 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2008/12/09 14:56:22 | 000,485,888 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2008/12/08 09:37:04 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/08 09:34:42 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/12/08 08:53:40 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/08 08:53:32 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/04 17:46:08 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/11/26 15:55:22 | 000,683,520 | ---- | C] () -- C:\WINDOWS\System32\ff_kernelDeint.dll
[2008/11/26 14:49:10 | 000,238,080 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2008/11/06 12:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/03/29 11:42:22 | 000,245,248 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2008/03/29 11:42:20 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\mmfinfo.dll
[2008/03/29 11:42:14 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2008/03/29 11:42:08 | 000,148,992 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2008/03/29 11:42:04 | 000,141,312 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2008/03/29 11:42:04 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2008/03/29 11:42:02 | 000,120,832 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2008/03/29 11:42:00 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2008/03/29 11:41:54 | 000,097,280 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2008/03/29 11:41:52 | 000,079,360 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2008/03/29 11:41:52 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2007/10/13 05:30:20 | 000,000,137 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2008/12/21 20:57:36 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/12/21 20:50:23 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008/12/21 20:57:36 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/10/17 21:54:55 | 669,896,704 | -HS- | M] () -- C:\hiberfil.sys
[2008/12/21 20:57:36 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/12/21 20:57:36 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/12/21 22:03:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/10/17 21:54:53 | 1006,632,960 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2008/12/21 15:38:55 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/12/21 15:38:55 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/12/21 15:38:55 | 000,884,736 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-10-14 07:39:40

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >


Extras

OTL Extras logfile created on: 10/17/2010 10:03:40 PM - Run 1
OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

639.00 Mb Total Physical Memory | 123.00 Mb Available Physical Memory | 19.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 0.42 Gb Free Space | 1.13% Space Free | Partition Type: NTFS
Drive D: | 107.95 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: SASHA | User Name: Fire Gypsy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.js [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found
.txt [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\e frontier\Poser 7\Poser.exe" = C:\Program Files\e frontier\Poser 7\Poser.exe:*:Enabled:Poser executable file -- File not found
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- File not found
"C:\xampp\apache\bin\apache.exe" = C:\xampp\apache\bin\apache.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\xampp\MercuryMail\mercury.exe" = C:\xampp\MercuryMail\mercury.exe:*:Enabled:Mercury/32 Core Processing Module v4.52 -- (David Harris)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{07EF3970-F8E5-4A27-A5A3-230484D35026}" = Microsoft Expression Encoder 4
"{084709F7-38C5-4609-B55F-2417939315EB}" = Adobe Premiere Pro
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{856C155E-4A74-4041-B026-04F96FFD1BCD}" = ZIP Reader 8.00.0018
"{8A8F8391-4C2C-4BE1-A984-CD4A5A546467}" = EPSON Easy Photo Print
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-001B-0000-0000-0000000FF1CE}" = Microsoft Office Word 2007
"{90120000-001B-0000-0000-0000000FF1CE}_WORD_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0000-0000-0000000FF1CE}_WORD_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_WORD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_WORD_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_WORD_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_WORD_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_WORD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_WORD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{BB81360F-041C-4CF7-B15E-71380D154244}" = Adobe Setup
"{BF127B80-CFD5-4379-9752-E8AF1A5D0141}" = Microsoft Expression Encoder 4 Screen Capture Codec
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BB}" = WinZip 14.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F855C3AE-992D-4B84-A09D-07103CDCDAC2}" = Compact Wireless-G USB Adapter
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe_32fdd767b4383606e8168e834af5d90" = Adobe Premiere Pro CS3
"AntiVir PersonalEdition Classic" = Avira AntiVir Personal - Free Antivirus
"AVIcodec" = AVIcodec (remove only)
"BitZipper_is1" = BitZipper 2009
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DebugMode Wax 2.0" = DebugMode Wax 2.0
"D-i-v-X - AVI Codec Pack Pro" = D-i-v-X AVI Codec Pack Pro 2.2.0
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DivX Setup.divx.com" = DivX Setup
"Encoder_4.0.1639.0" = Microsoft Expression Encoder 4
"EPSON WorkForce 30 Series" = EPSON WorkForce 30 Series Printer Uninstall
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = CyberLink PowerDirector
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.5.3 (Full)
"Magic ISO Maker v5.5 (build 0273)" = Magic ISO Maker v5.5 (build 0273)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OJOsoft Total Video Converter_is1" = OJOsoft Total Video Converter
"QuicktimeAlt_is1" = QuickTime Alternative 3.0.1
"RealPlayer 6.0" = RealPlayer
"Silent Package Run-Time Sample" = WorkForce 30 Series Info Center
"SoundTap" = SoundTap Streaming Audio Recorder
"TempoPerfect" = TempoPerfect
"Win AVI HelixSDK_is1" = Win AVI HelixSDK
"WinAVI Video Converter_is1" = WinAVI Video Converter
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WORD" = Microsoft Office Word 2007
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"xampp" = XAMPP 1.7.0
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update
"Zulu" = Zulu DJ Software
"Zwei-Stein_is1" = Zwei-Stein Video Compositor 3.01 (Beta 2).

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/21/2009 3:10:00 AM | Computer Name = SASHA | Source = MsiInstaller | ID = 11307
Description = Product: Microsoft Office Word 2007 -- Error 1307.There is not enough
disk space to install this file: C:\Program Files\Microsoft Office\Office12\WWLIB.DLL.
Free some disk space and click 'Retry', or click 'Cancel' to exit.

Error - 10/21/2009 3:10:45 AM | Computer Name = SASHA | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Word 2007 - Update 'Microsoft Office 2007
Service Pack 2 (SP2)' could not be installed. Error code 1603. Windows Installer
can create logs to help troubleshoot issues with installing software packages.
Use the following link for instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127

Error - 11/4/2009 7:35:43 PM | Computer Name = SASHA | Source = Application Error | ID = 1000
Description = Faulting application yahoomessenger.exe, version 9.0.0.2162, faulting
module flash10b.ocx, version 10.0.22.87, fault address 0x0004d797.

Error - 11/9/2009 7:58:01 PM | Computer Name = SASHA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\FIRE GYPSY\MY DOCUMENTS\MY VIDEOS\SNE
TIKI BAR.MSWMM> in the hash map cannot be updated. Context: Application, SystemIndex
Catalog Details: A device attached to the system is not functioning. (0x8007001f)


Error - 11/11/2009 5:59:48 PM | Computer Name = SASHA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\FIRE GYPSY\RECENT\BLUEHAIRSARA.LNK>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 11/11/2009 5:59:48 PM | Computer Name = SASHA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\FIRE GYPSY\RECENT\BLUEHAIRSARA.LNK>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

[ System Events ]
Error - 10/16/2010 7:26:24 PM | Computer Name = SASHA | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Dnscache service.

Error - 10/17/2010 8:15:25 PM | Computer Name = SASHA | Source = Dhcp | ID = 1002
Description = The IP address lease 0.0.0.0 for the Network Card with network address
001C106B2D6B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a
DHCPNACK message).

Error - 10/17/2010 9:55:23 PM | Computer Name = SASHA | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 10/17/2010 9:55:23 PM | Computer Name = SASHA | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 10/17/2010 9:59:04 PM | Computer Name = SASHA | Source = Service Control Manager | ID = 7022
Description = The Windows Search service hung on starting.

Error - 10/17/2010 9:59:04 PM | Computer Name = SASHA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde

Error - 10/17/2010 9:59:04 PM | Computer Name = SASHA | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.

Error - 10/17/2010 9:59:04 PM | Computer Name = SASHA | Source = Service Control Manager | ID = 7034
Description = The Yahoo! Updater service terminated unexpectedly. It has done this
1 time(s).

Error - 10/17/2010 9:59:05 PM | Computer Name = SASHA | Source = DCOM | ID = 10005
Description = DCOM got error "%1055" attempting to start the service winmgmt with
arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 10/17/2010 9:59:34 PM | Computer Name = SASHA | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Search service, but
this action failed with the following error: %%1056


< End of report >



Also, I got this message when scanning with OTL.

"Exception Processing Message c0000013 Paramaters 75b6bf7c 4 75b6bf7c 75b6bf7c"
  • 0

#4
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,047 posts
Hello firegypsysasha,

Tell me did you put these on your computer?

FF - prefs.js..extensions.enabledItems: [email protected]:1.4
FF - prefs.js..extensions.enabledItems: [email protected]:2.0.6
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.071101000055

Please run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080
    FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O33 - MountPoints2\{798efbd3-bf9f-11de-87fb-0008a10c6885}\Shell - "" = AutoRun
    O33 - MountPoints2\{798efbd3-bf9f-11de-87fb-0008a10c6885}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{798efbd3-bf9f-11de-87fb-0008a10c6885}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.
After that

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

When you return please post
  • OTL fix log
  • ComboFix.txt

  • 0

#5
firegypsysasha

firegypsysasha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
OTL log

OTL logfile created on: 10/18/2010 12:56:28 PM - Run 2
OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

639.00 Mb Total Physical Memory | 146.00 Mb Available Physical Memory | 23.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 52.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 0.37 Gb Free Space | 1.00% Space Free | Partition Type: NTFS
Drive D: | 107.95 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: SASHA | User Name: Fire Gypsy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/10/17 22:02:39 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\OTL.exe
PRC - [2010/05/12 18:57:50 | 000,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/12/22 10:04:56 | 000,382,384 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2008/12/22 00:31:30 | 000,185,872 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/12/09 19:10:14 | 000,024,636 | ---- | M] (Apache Software Foundation) -- C:\xampp\apache\bin\apache.exe
PRC - [2008/11/15 00:53:14 | 006,447,744 | ---- | M] () -- C:\xampp\mysql\bin\mysqld.exe
PRC - [2008/10/15 14:31:53 | 000,068,865 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
PRC - [2008/10/15 14:30:02 | 000,151,297 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
PRC - [2008/09/10 14:01:28 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/06/12 14:28:45 | 000,266,497 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/28 12:23:44 | 005,527,040 | ---- | M] (Linksys) -- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
PRC - [2005/07/04 17:46:04 | 000,053,307 | ---- | M] (GEMTEKS) -- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe


========== Modules (SafeList) ==========

MOD - [2010/10/17 22:02:39 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Running] -- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe WUSB54GC.exe -- (WUSB54GCSVC)
SRV - [2010/03/18 16:47:22 | 000,035,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe -- (aspnet_state)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/12/09 19:10:14 | 000,024,636 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\xampp\apache\bin\apache.exe -- (Apache2.2)
SRV - [2008/11/15 00:53:14 | 006,447,744 | ---- | M] () [Auto | Running] -- C:\xampp\mysql\bin\mysqld.exe -- (mysql)
SRV - [2008/11/10 12:35:36 | 000,587,776 | ---- | M] (FileZilla Project) [On_Demand | Stopped] -- c:\xampp\FileZillaFTP\FileZillaServer.exe -- (FileZilla Server)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/15 14:31:53 | 000,068,865 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe -- (AntiVirScheduler)
SRV - [2008/10/15 14:30:02 | 000,151,297 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe -- (AntiVirService)
SRV - [2008/09/10 14:01:28 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)


========== Driver Services (SafeList) ==========

DRV - [2009/05/27 21:27:18 | 000,075,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/05/27 21:26:56 | 000,052,056 | ---- | M] (Avira GmbH) [File_System | On_Demand | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys -- (avgntflt)
DRV - [2009/05/27 21:26:53 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys -- (avgio)
DRV - [2009/02/21 02:43:59 | 000,027,136 | ---- | M] (NCH Swift Sound) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nchssvad.sys -- (NCHSSVAD)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/03/01 10:34:22 | 000,028,352 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2005/11/24 20:51:38 | 000,245,248 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2004/08/03 18:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/09/25 23:15:32 | 000,015,872 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\GTNDIS5.sys -- (GTNDIS5)
DRV - [2003/08/11 10:07:46 | 000,014,604 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/03/05 12:19:28 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PFMODNT.SYS -- (PfModNT)
DRV - [2001/08/17 12:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2001/08/17 08:11:42 | 000,029,696 | ---- | M] (CNet Technology, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.4
FF - prefs.js..extensions.enabledItems: [email protected]:2.0.6
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.071101000055
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.type: 4


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/12/22 00:31:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/12 18:58:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/20 22:38:31 | 000,000,000 | ---D | M]

[2009/03/30 23:55:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Extensions
[2009/03/30 23:55:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Extensions\[email protected]
[2010/10/17 22:00:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions
[2009/09/04 03:59:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/06/25 21:45:55 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/06/18 16:53:59 | 000,000,000 | ---D | M] (Fast Video Download) -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\{c50ca3c4-5656-43c2-a061-13e717f73fc8}
[2009/08/11 12:11:36 | 000,000,000 | ---D | M] (Bazzacuda Image Saver Plus) -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\{FF2FA6A4-B3B1-11DD-B910-6C9A55D89593}
[2010/06/21 18:02:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]
[2009/08/12 14:30:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]
[2009/02/16 20:39:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]
[2010/06/21 18:02:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]
[2010/10/16 21:30:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/08/17 22:19:21 | 000,416,685 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14383 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime Alternative\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdatePDRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKCU..\Run: [EPSON WorkForce 30 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEEA.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\Fire Gypsy\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1229907710605 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Fire Gypsy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Fire Gypsy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/21 20:57:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{798efbd3-bf9f-11de-87fb-0008a10c6885}\Shell - "" = AutoRun
O33 - MountPoints2\{798efbd3-bf9f-11de-87fb-0008a10c6885}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{798efbd3-bf9f-11de-87fb-0008a10c6885}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/10/14 03:24:03 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/10/13 19:09:28 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2010/10/13 19:09:28 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2010/10/13 19:08:50 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2010/09/21 14:35:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Fire Gypsy\Application Data\Malwarebytes
[2010/09/21 14:32:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/21 14:32:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/09/21 14:32:06 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/21 14:32:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/17 21:59:06 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/17 21:56:14 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/10/17 21:56:00 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/10/17 21:55:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/17 21:54:55 | 669,896,704 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/17 04:19:00 | 000,000,454 | ---- | M] () -- C:\WINDOWS\tasks\Driver Robot.job
[2010/10/15 13:40:46 | 000,011,896 | ---- | M] () -- C:\Documents and Settings\Fire Gypsy\My Documents\Performance Agreement.docx
[2010/10/15 13:40:46 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Fire Gypsy\My Documents\~$rformance Agreement.docx
[2010/10/14 03:57:00 | 000,197,752 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/14 03:38:35 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/10/14 03:21:22 | 000,000,175 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/10/08 03:19:34 | 000,523,196 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/08 03:19:34 | 000,094,604 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/05 23:19:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/01 18:12:19 | 000,138,752 | ---- | M] () -- C:\Documents and Settings\Fire Gypsy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/29 20:21:01 | 000,331,776 | ---- | M] () -- C:\Documents and Settings\Fire Gypsy\My Documents\ETM Application_Sasha Gaulin.doc
[2010/09/21 14:32:48 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/20 22:39:23 | 000,001,484 | ---- | M] () -- C:\Documents and Settings\Fire Gypsy\Desktop\DivX Movies.lnk
[2010/09/20 22:37:30 | 000,000,777 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/15 13:40:46 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Fire Gypsy\My Documents\~$rformance Agreement.docx
[2010/10/15 13:40:45 | 000,011,896 | ---- | C] () -- C:\Documents and Settings\Fire Gypsy\My Documents\Performance Agreement.docx
[2010/09/29 20:20:48 | 000,331,776 | ---- | C] () -- C:\Documents and Settings\Fire Gypsy\My Documents\ETM Application_Sasha Gaulin.doc
[2010/09/21 14:32:48 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/20 22:37:30 | 000,000,777 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[2010/08/12 03:41:13 | 000,000,175 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/09/24 15:30:45 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/09/24 15:29:53 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPWF30.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/19 01:04:13 | 000,000,112 | ---- | C] () -- C:\WINDOWS\ANS2000.INI
[2009/06/19 01:04:13 | 000,000,020 | -H-- | C] () -- C:\WINDOWS\akebook.ini
[2009/06/19 01:04:13 | 000,000,004 | -H-- | C] () -- C:\WINDOWS\a3kebook.ini
[2009/02/09 21:36:44 | 000,000,068 | ---- | C] () -- C:\WINDOWS\MyProg.ini
[2009/02/03 16:41:02 | 000,000,022 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/01/29 13:52:00 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/01/19 21:32:48 | 000,138,752 | ---- | C] () -- C:\Documents and Settings\Fire Gypsy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/28 12:59:44 | 004,377,500 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/28 11:51:00 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/28 11:50:50 | 000,145,609 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2008/12/28 11:49:08 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/12/27 21:24:51 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2008/12/27 21:24:26 | 000,001,361 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2008/12/21 15:43:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/12/12 12:57:38 | 000,142,848 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2008/12/09 14:57:26 | 000,183,296 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2008/12/09 14:57:18 | 000,178,688 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2008/12/09 14:57:02 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2008/12/09 14:56:42 | 000,146,944 | ---- | C] () -- C:\WINDOWS\System32\ff_tremor.dll
[2008/12/09 14:56:34 | 000,257,024 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2008/12/09 14:56:22 | 000,485,888 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2008/12/08 09:37:04 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/08 09:34:42 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/12/08 08:53:40 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/08 08:53:32 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/04 17:46:08 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/11/26 15:55:22 | 000,683,520 | ---- | C] () -- C:\WINDOWS\System32\ff_kernelDeint.dll
[2008/11/26 14:49:10 | 000,238,080 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2008/11/06 12:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/03/29 11:42:22 | 000,245,248 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2008/03/29 11:42:20 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\mmfinfo.dll
[2008/03/29 11:42:14 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2008/03/29 11:42:08 | 000,148,992 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2008/03/29 11:42:04 | 000,141,312 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2008/03/29 11:42:04 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2008/03/29 11:42:02 | 000,120,832 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2008/03/29 11:42:00 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2008/03/29 11:41:54 | 000,097,280 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2008/03/29 11:41:52 | 000,079,360 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2008/03/29 11:41:52 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2007/10/13 05:30:20 | 000,000,137 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

========== Custom Scans ==========


< :OTL >

< IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080 >

< FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0 >

< O4 - HKLM..\Run: [KernelFaultCheck] File not found >

< O33 - MountPoints2\{798efbd3-bf9f-11de-87fb-0008a10c6885}\Shell - "" = AutoRun >

< O33 - MountPoints2\{798efbd3-bf9f-11de-87fb-0008a10c6885}\Shell\AutoRun - "" = Auto&Play >

< O33 - MountPoints2\{798efbd3-bf9f-11de-87fb-0008a10c6885}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found >

< O34 - HKLM BootExecute: (autocheck autochk *) - File not found >

< >

< :Commands >

< [purity] >

< [emptytemp] >

< [emptyflash] >

< [Reboot] >

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >







Combofix log

ComboFix 10-10-17.04 - Fire Gypsy 10/18/2010 13:55:03.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.243 [GMT -4:00]
Running from: c:\documents and settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\nvDrv.sy

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :D
.
((((((((((((((((((((((((( Files Created from 2010-09-18 to 2010-10-18 )))))))))))))))))))))))))))))))
.

2010-10-18 17:08 . 2010-10-18 17:10 -------- d-----w- c:\windows\system32\NtmsData
2010-10-13 23:09 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 23:09 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 23:08 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-09-21 18:35 . 2010-09-21 18:35 -------- d-----w- c:\documents and settings\Fire Gypsy\Application Data\Malwarebytes
2010-09-21 18:32 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-21 18:32 . 2010-09-21 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-21 18:32 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-21 18:32 . 2010-09-21 18:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-22 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2009-09-05 417792]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

c:\documents and settings\Fire Gypsy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\xampp\\MercuryMail\\mercury.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [12/9/2008 7:10 PM 24636]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder

2010-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-18 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-10-18 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
TCP: {37A99711-1C25-4A54-AED4-5093C5AFF9D4} = 208.67.220.220,208.67.222.222
TCP: {8B963B85-F924-40F3-B661-4D3288FADB1E} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\Fire Gypsy\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
.
------- File Associations -------
.
.txt=
.
.
Completion time: 2010-10-18 14:09:12
ComboFix-quarantined-files.txt 2010-10-18 18:09

Pre-Run: 1,010,401,280 bytes free
Post-Run: 1,657,131,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 689BDE1456728BC3BFD7E6C88F6B4728
  • 0

#6
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,047 posts
Hi firegypsysasha,

I am wondering about the answer to my question, in particular these two:

[email protected]:1.4
[email protected]:2.0.6

Do those mean anything to you? :D

Tell me when you return.

For now

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :file
    gvtl.dll
    :regfind
    Gamevance
    
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt
  • 0

#7
firegypsysasha

firegypsysasha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Oh yeah forgot about that question. One of those I know is a firefox addon for doanloading youtube or similar videos in flash or MP4 format. The other one I am not sure, I have a few addons. I also just found one when looking through them which was Gamevance textlinks while I did not download. I just clicked uninstall

SystemLook 04.09.10 by jpshortstuff
Log created at 17:57 on 18/10/2010 by Fire Gypsy
Administrator - Elevation successful

========== file ==========

gvtl.dll - Unable to find/read file.

========== regfind ==========

Searching for "Gamevance"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\SetupGamevance.exe"="SetupGamevance"
[HKEY_USERS\S-1-5-21-343818398-1275210071-682003330-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\SetupGamevance.exe"="SetupGamevance"

-= EOF =-
  • 0

#8
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,047 posts

which was Gamevance textlinks while I did not download. I just clicked uninstall


Sometimes that one is hard to remove. Let' just check to see if it has gone.

Please run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\SetupGamevance.exe"=-
    [HKEY_USERS\S-1-5-21-343818398-1275210071-682003330-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\SetupGamevance.exe"=-
    
    :Files
    C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\SetupGamevance.exe
    
    :Commands
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
Next

  • Close all windows and open OTL again.
  • Click Run Scan and let the program run uninterrupted
  • It will produce a log for you. Post the log here.

  • 0

#9
firegypsysasha

firegypsysasha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay I dont think the problem is solved. I checked my addons for firefox, and the gamevance textlinks is still there. So I clicked uninstall again and restarted firefox and it is STILL there. Also, my internet keeps cutting out and not working for no reason and this popped up with my avira
"C:\system volume information\...\A0054820.exe
Is the TR/Dropper.Gen Trojan"

This is my OTL log after doing the fix restart and scan.

Edited by firegypsysasha, 18 October 2010 - 08:51 PM.

  • 0

#10
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,047 posts
Hi firegypsysasha,

I take it that the OTL log is still coming. :D
  • 0

Advertisements


#11
firegypsysasha

firegypsysasha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Oops I could have sworn I pasted it lol! Here it is.


OTL logfile created on: 10/18/2010 10:31:37 PM - Run 3
OTL by OldTimer - Version 3.2.15.2 Folder = C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

639.00 Mb Total Physical Memory | 179.00 Mb Available Physical Memory | 28.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 1.58 Gb Free Space | 4.25% Space Free | Partition Type: NTFS
Drive D: | 107.95 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: SASHA | User Name: Fire Gypsy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/10/17 22:02:39 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\OTL.exe
PRC - [2010/05/12 18:57:50 | 000,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/12/22 00:31:30 | 000,185,872 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/12/09 19:10:14 | 000,024,636 | ---- | M] (Apache Software Foundation) -- C:\xampp\apache\bin\apache.exe
PRC - [2008/11/15 00:53:14 | 006,447,744 | ---- | M] () -- C:\xampp\mysql\bin\mysqld.exe
PRC - [2008/10/15 14:31:53 | 000,068,865 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
PRC - [2008/10/15 14:30:02 | 000,151,297 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
PRC - [2008/09/10 14:01:28 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/06/12 14:43:30 | 000,053,505 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\guardgui.exe
PRC - [2008/06/12 14:28:45 | 000,266,497 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/28 12:23:44 | 005,527,040 | ---- | M] (Linksys) -- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
PRC - [2005/07/04 17:46:04 | 000,053,307 | ---- | M] (GEMTEKS) -- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe


========== Modules (SafeList) ==========

MOD - [2010/10/17 22:02:39 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Running] -- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe WUSB54GC.exe -- (WUSB54GCSVC)
SRV - [2010/03/18 16:47:22 | 000,035,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe -- (aspnet_state)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/12/09 19:10:14 | 000,024,636 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\xampp\apache\bin\apache.exe -- (Apache2.2)
SRV - [2008/11/15 00:53:14 | 006,447,744 | ---- | M] () [Auto | Running] -- C:\xampp\mysql\bin\mysqld.exe -- (mysql)
SRV - [2008/11/10 12:35:36 | 000,587,776 | ---- | M] (FileZilla Project) [On_Demand | Stopped] -- c:\xampp\FileZillaFTP\FileZillaServer.exe -- (FileZilla Server)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/10/15 14:31:53 | 000,068,865 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe -- (AntiVirScheduler)
SRV - [2008/10/15 14:30:02 | 000,151,297 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe -- (AntiVirService)
SRV - [2008/09/10 14:01:28 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\FIREGY~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2009/05/27 21:27:18 | 000,075,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/05/27 21:26:56 | 000,052,056 | ---- | M] (Avira GmbH) [File_System | On_Demand | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys -- (avgntflt)
DRV - [2009/05/27 21:26:53 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys -- (avgio)
DRV - [2009/02/21 02:43:59 | 000,027,136 | ---- | M] (NCH Swift Sound) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nchssvad.sys -- (NCHSSVAD)
DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/03/01 10:34:22 | 000,028,352 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2005/11/24 20:51:38 | 000,245,248 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2004/08/03 18:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/09/25 23:15:32 | 000,015,872 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\GTNDIS5.sys -- (GTNDIS5)
DRV - [2003/08/11 10:07:46 | 000,014,604 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/03/05 12:19:28 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PFMODNT.SYS -- (PfModNT)
DRV - [2001/08/17 12:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2001/08/17 08:11:42 | 000,029,696 | ---- | M] (CNet Technology, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.4
FF - prefs.js..extensions.enabledItems: [email protected]:2.0.6
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.071101000055
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.type: 4


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/12/22 00:31:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/12 18:58:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/20 22:38:31 | 000,000,000 | ---D | M]

[2009/03/30 23:55:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Extensions
[2009/03/30 23:55:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Extensions\[email protected]
[2010/10/18 22:30:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions
[2009/09/04 03:59:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/06/25 21:45:55 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/06/18 16:53:59 | 000,000,000 | ---D | M] (Fast Video Download) -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\{c50ca3c4-5656-43c2-a061-13e717f73fc8}
[2009/08/11 12:11:36 | 000,000,000 | ---D | M] (Bazzacuda Image Saver Plus) -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\{FF2FA6A4-B3B1-11DD-B910-6C9A55D89593}
[2010/06/21 18:02:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]
[2009/08/12 14:30:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]
[2009/02/16 20:39:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]
[2010/06/21 18:02:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]
[2010/10/18 22:30:49 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/10/18 14:04:14 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime Alternative\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UpdatePDRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\Fire Gypsy\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1229907710605 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Fire Gypsy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Fire Gypsy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/21 20:57:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/10/18 21:48:41 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/10/18 13:37:48 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/10/18 13:31:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/10/18 13:31:00 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/10/18 13:31:00 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/10/18 13:31:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/10/18 13:29:43 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/10/18 13:14:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/10/18 13:12:47 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/18 13:08:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/10/14 03:24:03 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/10/13 19:09:28 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
[2010/10/13 19:09:28 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
[2010/10/13 19:08:50 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
[2010/09/21 14:35:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Fire Gypsy\Application Data\Malwarebytes
[2010/09/21 14:32:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/21 14:32:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/09/21 14:32:06 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/21 14:32:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/18 22:07:59 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/10/18 22:07:17 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/18 22:05:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/18 22:05:46 | 669,896,704 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/18 14:04:14 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/10/18 13:38:09 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/10/15 13:40:46 | 000,011,896 | ---- | M] () -- C:\Documents and Settings\Fire Gypsy\My Documents\Performance Agreement.docx
[2010/10/15 13:40:46 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Fire Gypsy\My Documents\~$rformance Agreement.docx
[2010/10/14 03:57:00 | 000,197,752 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/14 03:38:35 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/10/14 03:21:22 | 000,000,175 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/10/08 03:19:34 | 000,523,196 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/08 03:19:34 | 000,094,604 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/05 23:19:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/01 18:12:19 | 000,138,752 | ---- | M] () -- C:\Documents and Settings\Fire Gypsy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/29 20:21:01 | 000,331,776 | ---- | M] () -- C:\Documents and Settings\Fire Gypsy\My Documents\ETM Application_Sasha Gaulin.doc
[2010/09/21 14:32:48 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/20 22:39:23 | 000,001,484 | ---- | M] () -- C:\Documents and Settings\Fire Gypsy\Desktop\DivX Movies.lnk
[2010/09/20 22:37:30 | 000,000,777 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/18 13:38:07 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/10/18 13:37:53 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/10/18 13:31:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/10/18 13:31:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/10/18 13:31:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/10/18 13:31:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/10/18 13:31:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/10/15 13:40:46 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Fire Gypsy\My Documents\~$rformance Agreement.docx
[2010/10/15 13:40:45 | 000,011,896 | ---- | C] () -- C:\Documents and Settings\Fire Gypsy\My Documents\Performance Agreement.docx
[2010/09/29 20:20:48 | 000,331,776 | ---- | C] () -- C:\Documents and Settings\Fire Gypsy\My Documents\ETM Application_Sasha Gaulin.doc
[2010/09/21 14:32:48 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/20 22:37:30 | 000,000,777 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[2010/08/12 03:41:13 | 000,000,175 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/09/24 15:30:45 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/09/24 15:29:53 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPWF30.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/02/09 21:36:44 | 000,000,068 | ---- | C] () -- C:\WINDOWS\MyProg.ini
[2009/02/03 16:41:02 | 000,000,022 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/01/29 13:52:00 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/01/19 21:32:48 | 000,138,752 | ---- | C] () -- C:\Documents and Settings\Fire Gypsy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/28 12:59:44 | 004,377,500 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/28 11:51:00 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/28 11:50:50 | 000,145,609 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2008/12/28 11:49:08 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/12/27 21:24:51 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2008/12/27 21:24:26 | 000,001,361 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI
[2008/12/21 15:43:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/12/12 12:57:38 | 000,142,848 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2008/12/09 14:57:26 | 000,183,296 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2008/12/09 14:57:18 | 000,178,688 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2008/12/09 14:57:02 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2008/12/09 14:56:42 | 000,146,944 | ---- | C] () -- C:\WINDOWS\System32\ff_tremor.dll
[2008/12/09 14:56:34 | 000,257,024 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2008/12/09 14:56:22 | 000,485,888 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2008/12/08 09:37:04 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/08 09:34:42 | 000,795,648 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/12/08 08:53:40 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/08 08:53:32 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/04 17:46:08 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/11/26 15:55:22 | 000,683,520 | ---- | C] () -- C:\WINDOWS\System32\ff_kernelDeint.dll
[2008/11/26 14:49:10 | 000,238,080 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2008/11/06 12:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/03/29 11:42:22 | 000,245,248 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2008/03/29 11:42:20 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\mmfinfo.dll
[2008/03/29 11:42:14 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2008/03/29 11:42:08 | 000,148,992 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2008/03/29 11:42:04 | 000,141,312 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2008/03/29 11:42:04 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2008/03/29 11:42:02 | 000,120,832 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2008/03/29 11:42:00 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2008/03/29 11:41:54 | 000,097,280 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2008/03/29 11:41:52 | 000,079,360 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2008/03/29 11:41:52 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2007/10/13 05:30:20 | 000,000,137 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >
  • 0

#12
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,047 posts
Hello firegypsysasha,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

Firefox::
FF - ProfilePath - c:\documents and settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that here for further review.

After that

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :folderfind
    *gamevance*
    *Conduit*
    :filefind
    *gamevance*
    
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt

So when you return please post
  • ComboFix.txt
  • SystemLook.txt

  • 0

#13
firegypsysasha

firegypsysasha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
The Gamevance Textlinks firefox addon is still there.


Combofix:

ComboFix 10-10-18.03 - Fire Gypsy 10/19/2010 0:17.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.421 [GMT -4:00]
Running from: c:\documents and settings\Fire Gypsy\My Documents\My Pictures\Waterfyre\ComboFix.exe
Command switches used :: c:\documents and settings\Fire Gypsy\My Documents\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
.

2010-10-19 01:48 . 2010-10-19 01:48 -------- d-----w- C:\_OTL
2010-10-18 17:08 . 2010-10-18 17:10 -------- d-----w- c:\windows\system32\NtmsData
2010-10-13 23:09 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 23:09 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 23:08 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-09-21 18:35 . 2010-09-21 18:35 -------- d-----w- c:\documents and settings\Fire Gypsy\Application Data\Malwarebytes
2010-09-21 18:32 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-21 18:32 . 2010-09-21 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-21 18:32 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-21 18:32 . 2010-09-21 18:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-22 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-22 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2009-09-05 417792]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

c:\documents and settings\Fire Gypsy\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\xampp\\MercuryMail\\mercury.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [12/9/2008 7:10 PM 24636]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2010-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-19 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
TCP: {37A99711-1C25-4A54-AED4-5093C5AFF9D4} = 208.67.220.220,208.67.222.222
TCP: {8B963B85-F924-40F3-B661-4D3288FADB1E} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\Fire Gypsy\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Fire Gypsy\Application Data\Mozilla\Firefox\Profiles\9j0hsg7m.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2956)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\xampp\mysql\bin\mysqld.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\SearchIndexer.exe
.
**************************************************************************
.
Completion time: 2010-10-19 00:36:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-19 04:36
ComboFix2.txt 2010-10-18 18:09

Pre-Run: 1,627,549,696 bytes free
Post-Run: 1,619,382,272 bytes free

- - End Of File - - 89365CC0CE4E89157B44C52A2E060F74


Systemlook:

SystemLook 04.09.10 by jpshortstuff
Log created at 03:39 on 19/10/2010 by Fire Gypsy
Administrator - Elevation successful

========== folderfind ==========

Searching for "*gamevance*"
C:\Documents and Settings\Fire Gypsy\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected] d------ [18:20 21/09/2010]

Searching for "*Conduit*"
No folders found.

========== filefind ==========

Searching for "*gamevance*"
No files found.

-= EOF =-
  • 0

#14
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,047 posts
Okay there is one way to do this that has worked in the past.

It involves uninstalling Firefox completely and then re-installing Firefox. It means you will have to download the Add-ons that you want afterward but that's not a big deal.

Now

We want to need to remove your Firefox profile data and settings. Before we do this we want to backup your bookmarks.

To back up your bookmarks:

In Firefox go to History > Show all History > Import and Backup (toolbar along the top) > Export HTML... and save it to your desktop.

Later when you re-install FF you can reverse the process and Import HTML... when the Wizard comes up just import the HTML file you had saved earlier.

Now

Go to the link below for instructions on how to remove Firefox:

http://kb.mozillazin...install_firefox

Look under the heading On Windows

Follow the instructions there On Windows XP and in particular follow this instruction - see the bolded part:

Starting in Firefox 3, the uninstaller includes the option, "Remove my Firefox personal data and customizations". This will also remove your Firefox user profile data (bookmarks, passwords, cookies, extensions, preferences, etc.).

If the uninstall fails, as it may in some cases, continue on with the rest of the uninstall instructions.

Once you have remove Firefox entirely then download a new copy and re-install. After that, follow the instruction above to import your bookmarks back.

Firefox may be downloaded from Here.

After that come back and tell me how you got on.
  • 0

#15
firegypsysasha

firegypsysasha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Okay so I did everything it said to do, the addon is no longer there. But i am still getting a "avira antivirus" notice for "rootkit" attempting to access my computer.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP