Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Virus went nuts!

Started by quimbola , Nov 19 2010 12:38 PM

  • This topic is locked This topic is locked

#1
quimbola
Posted 19 November 2010 - 12:38 PM

quimbola

    Member

  • Member
  • PipPip
  • 46 posts
Assistant got another one. I may ban her from the net. This one disable USB and I had to repair from windows. Where can I donate?

Thank you for your help!

I attached the file as I was getting an error.

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
E:\Virus help\cmd.bat deleted successfully.
E:\Virus help\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32969 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 298189279 bytes
->Flash cache emptied: 69183 bytes

User: Michele
->Temp folder emptied: 173272376 bytes
->Temporary Internet Files folder emptied: 13477586 bytes
->Java cache emptied: 49317785 bytes
->FireFox cache emptied: 86979428 bytes
->Flash cache emptied: 405 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 243524960 bytes
->Java cache emptied: 11216 bytes
->Flash cache emptied: 45728 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 99457 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 13726264 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 272143 bytes
RecycleBin emptied: 36931050 bytes

Total Files Cleaned = 876.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.17.2 log created on 11192010_103207

Files moved on Reboot...

Registry entries deleted on Reboot...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5096

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

11/19/2010 10:44:54 AM
mbam-log-2010-11-19 (10-44-54).txt

Scan type: Quick scan
Objects scanned: 148308
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010) -> Quarantined and deleted successfully.

Windows Validation Check
Version: 1.9.11.4
Log Created On: 1048_19-11-2010
-----------------------

Windows Information
-----------------------
Windows Version: Windows XP Service Pack 2
Windows Mode: Normal
Systemroot Path: C:\WINDOWS

WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Download updates and install them automatically.
-----------------------
Last Success Time for Update Detection: 2010-10-13 21:17:52
Last Success Time for Update Download: 2010-10-06 16:30:58
Last Success Time for Update Installation: 2010-10-07 09:02:32


WVCheck's Registry Check Check
-----------------------
Antiwpa: Not Found
-----------------------
Chew7Hale: Not Found
-----------------------


WVCheck's File Dump
-----------------------
WVCheck found no known bad files.


WVCheck's Dir Dump
-----------------------
WVCheck found no known bad directories.


WVCheck's Missing File Check
-----------------------
WVCheck found no missing Windows files.


WVCheck's MBAM Quarantine Check
-----------------------
There were no bad files quarantined by MBAM.


WVCheck's HOSTS File Check
-----------------------
WVCheck found no bad lines in the hosts file.


WVCheck's MD5 Check
EXPERIMENTAL!!
-----------------------
user32.dll - c72661f8552ace7c5c85e16a3cf505c4


-------- End of File, program close at 1049_19-11-2010 --------

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 2
[32_bits] - x86 Family 6 Model 23 Stepping 10, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 6.0.2900.2180
Mozilla Firefox 3.5.7 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:148 Go - Free:127 Go )
D:\ [CD_Rom]
E:\ [Removable]
.
Scan : 10:49.58
Path : E:\Virus help\Rooter.exe
User : Michele ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (588)
______ \??\C:\WINDOWS\system32\csrss.exe (644)
______ \??\C:\WINDOWS\system32\winlogon.exe (668)
______ C:\WINDOWS\system32\services.exe (712)
______ C:\WINDOWS\system32\lsass.exe (724)
______ C:\WINDOWS\system32\svchost.exe (928)
______ C:\WINDOWS\system32\svchost.exe (996)
______ C:\WINDOWS\System32\svchost.exe (1092)
______ C:\WINDOWS\system32\svchost.exe (1192)
______ C:\WINDOWS\system32\svchost.exe (1304)
______ C:\WINDOWS\system32\spoolsv.exe (1512)
______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (1580)
______ C:\WINDOWS\Explorer.EXE (1832)
______ C:\Program Files\Analog Devices\Core\smax4pnp.exe (1932)
______ C:\WINDOWS\system32\igfxpers.exe (1948)
______ C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (1956)
______ C:\WINDOWS\system32\hkcmd.exe (1972)
______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (1980)
______ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (1988)
______ C:\Program Files\Windows Live\Messenger\msnmsgr.exe (2012)
______ C:\WINDOWS\system32\ctfmon.exe (2020)
______ C:\WINDOWS\system32\igfxsrvc.exe (124)
______ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe (236)
______ C:\Program Files\Kyocera\FileUtility\NsCatCom.exe (252)
______ C:\Program Files\Windows Desktop Search\WindowsSearch.exe (260)
______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (628)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (688)
______ C:\Program Files\Bonjour\mDNSResponder.exe (132)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1072)
______ C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (1184)
______ C:\WINDOWS\system32\SearchIndexer.exe (1664)
______ C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (2288)
______ C:\WINDOWS\System32\alg.exe (2644)
______ C:\WINDOWS\System32\svchost.exe (3240)
______ C:\Program Files\Internet Explorer\iexplore.exe (3476)
______ C:\WINDOWS\system32\wuauclt.exe (3484)
______ C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe (3580)
______ C:\Program Files\Windows Live\Toolbar\wltuser.exe (3640)
______ C:\WINDOWS\system32\SearchProtocolHost.exe (2092)
______ C:\WINDOWS\system32\SearchFilterHost.exe (536)
______ E:\Virus help\Rooter.exe (2680)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:41094144)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:41943040 | Length:159957008384)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 10:49.58
.
C:\Rooter$\Rooter_2.txt - (19/11/2010 | 10:49.58)

LockSearch by jpshortstuff (05.11.09.1)
Log created at 10:50 on 19/11/2010 (Michele)
Scanning C:\


C:\hiberfil.sys
-------------------------


C:\pagefile.sys
-------------------------


C:\32788R22FWJFW\License\iexplore.exe
-------------------------
C:\WINDOWS\ERDNT\cache\iexplore.exe [B60DDDD2D63CE41CB8C487FCFBB6419E : 638816 bytes]
C:\WINDOWS\ie8\iexplore.exe [55794B97A7FAABD2910873C85274F409 : 93184 bytes]
C:\WINDOWS\system32\dllcache\iexplore.exe [E7484514C0464642BE7B4DC2689354C8 : 93184 bytes]


C:\Documents and Settings\Michele\My Documents\Downloads\HijackThis.exe
-------------------------


C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP1\A0000139.dll
-------------------------


C:\WINDOWS\system32\usеrinit.exe
-------------------------

-=E.O.F=-

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-19 11:05:51
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_HD161GJ rev.1AC01117
Running: gmer.exe; Driver: C:\DOCUME~1\Michele\LOCALS~1\Temp\uwlyiuow.sys


---- System - GMER 1.0.15 ----

SSDT 98D5B136 ZwCreateKey
SSDT 98D5B12C ZwCreateThread
SSDT 98D5B13B ZwDeleteKey
SSDT 98D5B145 ZwDeleteValueKey
SSDT 98D5B14A ZwLoadKey
SSDT 98D5B118 ZwOpenProcess
SSDT 98D5B11D ZwOpenThread
SSDT 98D5B154 ZwReplaceKey
SSDT 98D5B14F ZwRestoreKey
SSDT 98D5B140 ZwSetValueKey
SSDT 98D5B127 ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 008B000A
.text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 008C000A
.text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 008A000C
.text C:\WINDOWS\System32\svchost.exe[1080] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 00A9000A
.text C:\WINDOWS\system32\SearchIndexer.exe[1680] kernel32.dll!WriteFile 7C810F9F 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1796] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00FD000A
.text C:\WINDOWS\Explorer.EXE[1796] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00FE000A
.text C:\WINDOWS\Explorer.EXE[1796] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00A9000C
.text C:\WINDOWS\system32\wuauclt.exe[3384] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 011A000A
.text C:\WINDOWS\system32\wuauclt.exe[3384] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 011B000A
.text C:\WINDOWS\system32\wuauclt.exe[3384] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0119000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3456] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00B2000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3456] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00B3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3456] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00B1000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89D99292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89D99292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 89D99292

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HD161GJ_________________________1AC01117#5&125ac780&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312499744 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

OTL logfile created on: 11/19/2010 11:12:14 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = E:\Virus help
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.97 Gb Total Space | 125.32 Gb Free Space | 84.12% Space Free | Partition Type: NTFS
Drive E: | 7.45 Gb Total Space | 7.41 Gb Free Space | 99.39% Space Free | Partition Type: FAT32

Computer Name: MICHELEDELL | User Name: Michele | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - E:\Virus help\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Windows Live\Toolbar\wltuser.exe (Microsoft Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\Program Files\Kyocera\FileUtility\NsCatCom.exe (KYOCERA MITA Corporation)
PRC - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe (Adobe Systems Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - E:\Virus help\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\DOCUME~1\Michele\LOCALS~1\Temp\catchme.sys File not found
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ADIHdAudAddService) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (k57w2k) Broadcom NetLink ™ -- C:\WINDOWS\system32\drivers\k57xp32.sys (Broadcom Corporation)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (SFAUDIO) -- C:\WINDOWS\system32\drivers\sfaudio.sys (Sonic Focus, Inc)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USREL/1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 50370
FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/27 08:17:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/27 08:17:08 | 000,000,000 | ---D | M]

[2010/03/02 10:06:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michele\Application Data\Mozilla\Extensions
[2010/11/19 09:53:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michele\Application Data\Mozilla\Firefox\Profiles\i9ioo3ky.default\extensions
[2010/03/02 10:12:50 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Michele\Application Data\Mozilla\Firefox\Profiles\i9ioo3ky.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/01/20 08:23:39 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/11 12:52:32 | 000,001,919 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml

O1 HOSTS File: ([2010/11/19 10:32:11 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll File not found
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Scanner File Utility.lnk = C:\Program Files\Kyocera\FileUtility\NsCatCom.exe (KYOCERA MITA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.160.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Michele\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Michele\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 14:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/19 11:00:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/11/19 08:57:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/11/19 06:21:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/11/19 06:18:45 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia330.dll
[2010/11/19 06:18:45 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia001.dll
[2010/11/19 06:18:45 | 000,026,624 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rw330ext.dll
[2010/11/19 06:17:57 | 000,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2010/11/18 22:38:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\dell
[2010/11/11 15:39:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2010/11/11 15:36:31 | 000,000,000 | ---D | C] -- C:\SDFix
[2010/11/11 15:27:54 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/11/11 14:42:11 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/11/11 14:31:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\BDOSCAN8
[2010/11/11 14:12:10 | 000,000,000 | ---D | C] -- C:\Rooter$
[2010/11/11 13:14:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michele\My Documents\Downloads
[2010/11/11 13:00:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michele\Application Data\whitesmoketoolbar
[2010/11/11 12:56:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\2017
[2010/11/11 12:54:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\WhiteSmokeTranslator
[2010/11/11 12:54:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Michele\Local Settings\Application Data\{3DA76322-9789-4E21-AA32-52962E7492AC}
[2010/11/11 12:54:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Google
[2010/11/11 12:54:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Windows Search
[2010/11/11 12:54:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\%APPDATA%
[2010/11/11 12:53:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\whitesmoketoolbar
[2010/11/11 12:53:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2010/11/11 12:53:45 | 000,000,000 | ---D | C] -- C:\Program Files\whitesmoketoolbar
[2010/11/11 12:02:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/11/11 11:05:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/11/11 10:50:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/11/11 10:50:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/11/10 10:09:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2010/11/01 09:09:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2 C:\Documents and Settings\Michele\My Documents\*.tmp files -> C:\Documents and Settings\Michele\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/19 11:06:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/19 11:00:12 | 000,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/11/19 11:00:10 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/19 11:00:07 | 2135,896,064 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/19 11:00:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/19 11:00:06 | 2135,924,736 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2010/11/19 10:36:05 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/11/19 10:32:11 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/11/19 10:25:29 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Michele\Local Settings\Application Data\housecall.guid.cache
[2010/11/19 09:35:31 | 000,000,282 | -HS- | M] () -- C:\boot.ini
[2010/11/19 09:34:57 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/11/19 08:43:58 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/11/19 06:30:09 | 000,037,340 | ---- | M] () -- C:\WINDOWS\grep.rar
[2010/11/19 06:23:41 | 000,468,464 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/19 06:23:41 | 000,080,702 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/19 06:23:35 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/11/19 06:21:16 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2010/11/19 06:21:15 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/11/19 06:20:46 | 000,191,384 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/11/19 06:19:49 | 000,000,287 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2010/11/19 06:17:13 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/11/19 06:17:13 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/11/19 06:17:13 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/11/19 06:17:02 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2010/11/19 06:14:53 | 000,023,444 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/11/19 06:14:28 | 000,000,535 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2010/11/16 10:27:26 | 000,003,156 | ---- | M] () -- C:\WINDOWS\elasevegu.dll
[2010/11/16 10:26:53 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Xnucolifetahef.bin
[2010/11/16 09:48:02 | 000,003,156 | ---- | M] () -- C:\WINDOWS\apiduraya.dll
[2010/11/12 10:42:43 | 000,003,156 | ---- | M] () -- C:\WINDOWS\awulofos.dll
[2010/11/12 10:42:42 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Nhetoyiziyemam.dat
[2010/11/12 07:53:48 | 000,003,156 | ---- | M] () -- C:\WINDOWS\elikapawogepukog.dll
[2010/11/12 07:32:03 | 000,003,156 | ---- | M] () -- C:\WINDOWS\uguzixuq.dll
[2010/11/11 14:51:49 | 000,000,214 | ---- | M] () -- C:\Documents and Settings\Michele\delme.bat
[2010/11/11 12:58:06 | 000,000,674 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\.wtav
[2010/11/11 12:52:13 | 000,001,072 | ---- | M] () -- C:\WINDOWS\System32\Improve Your PC.lnk
[2010/11/11 12:51:31 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Michele\Desktop\Microsoft Office Word 2007.lnk
[2010/11/11 11:47:10 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Michele\Desktop\Microsoft Office Outlook 2007.lnk
[2010/11/09 15:07:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/08 10:32:38 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\Michele\Desktop\gmer.exe
[2010/10/27 12:53:15 | 000,013,998 | ---- | M] () -- C:\Documents and Settings\Michele\Desktop\Rebel Article 9_20101026_Final.docx
[2010/10/26 10:42:03 | 000,041,941 | ---- | M] () -- C:\Documents and Settings\Michele\My Documents\classroom lists #2.docx
[2 C:\Documents and Settings\Michele\My Documents\*.tmp files -> C:\Documents and Settings\Michele\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/19 10:56:17 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\Michele\Desktop\gmer.exe
[2010/11/19 10:25:29 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Michele\Local Settings\Application Data\housecall.guid.cache
[2010/11/19 09:27:34 | 2135,896,064 | -HS- | C] () -- C:\hiberfil.sys
[2010/11/19 09:14:01 | 000,002,337 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/11/19 09:14:01 | 000,001,802 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
[2010/11/19 09:14:01 | 000,001,789 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2010/11/19 09:14:01 | 000,001,443 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Scanner File Utility.lnk
[2010/11/19 06:30:09 | 000,037,340 | ---- | C] () -- C:\WINDOWS\grep.rar
[2010/11/19 06:18:41 | 000,175,104 | ---- | C] () -- C:\WINDOWS\System32\dllcache\pintlcsa.dll
[2010/11/19 06:18:26 | 001,158,818 | ---- | C] () -- C:\WINDOWS\System32\dllcache\korwbrkr.lex
[2010/11/19 06:18:21 | 000,059,392 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imscinst.exe
[2010/11/19 06:18:20 | 000,196,665 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imjpinst.exe
[2010/11/19 06:18:19 | 000,134,339 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imekr.lex
[2010/11/19 06:18:14 | 013,463,552 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hwxjpn.dll
[2010/11/19 06:18:11 | 000,108,827 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hanja.lex
[2010/11/19 06:18:09 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\dllcache\fpencode.dll
[2010/11/19 06:17:59 | 000,173,568 | ---- | C] () -- C:\WINDOWS\System32\dllcache\chtskf.dll
[2010/11/19 05:56:38 | 000,797,189 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2010/11/19 05:56:38 | 000,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2010/11/19 05:56:38 | 000,141,702 | ---- | C] () -- C:\WINDOWS\System32\dllcache\netfx.cat
[2010/11/19 05:56:38 | 000,110,116 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tabletpc.cat
[2010/11/19 05:56:38 | 000,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2010/11/19 05:56:38 | 000,031,965 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mediactr.cat
[2010/11/19 05:56:38 | 000,031,281 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FP4.CAT
[2010/11/19 05:56:38 | 000,024,209 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn7.cat
[2010/11/19 05:56:38 | 000,013,753 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IMS.CAT
[2010/11/19 05:56:38 | 000,013,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2010/11/19 05:56:38 | 000,011,651 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn9.cat
[2010/11/19 05:56:38 | 000,009,581 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSMSGS.CAT
[2010/11/19 05:56:38 | 000,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2010/11/19 05:56:38 | 000,007,710 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2010/11/19 05:56:38 | 000,007,334 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmerrenu.cat
[2010/11/19 05:56:38 | 000,007,245 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSTSWEB.CAT
[2010/11/19 05:56:37 | 002,012,670 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5.CAT
[2010/11/19 05:56:37 | 001,042,903 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SP2.CAT
[2010/11/19 05:56:37 | 000,502,724 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5INF.CAT
[2010/11/18 22:49:32 | 2135,924,736 | ---- | C] () -- C:\WINDOWS\MEMORY.DMP
[2010/11/16 10:27:26 | 000,003,156 | ---- | C] () -- C:\WINDOWS\elasevegu.dll
[2010/11/16 09:48:02 | 000,003,156 | ---- | C] () -- C:\WINDOWS\apiduraya.dll
[2010/11/12 10:42:43 | 000,003,156 | ---- | C] () -- C:\WINDOWS\awulofos.dll
[2010/11/12 07:53:48 | 000,003,156 | ---- | C] () -- C:\WINDOWS\elikapawogepukog.dll
[2010/11/12 07:32:02 | 000,003,156 | ---- | C] () -- C:\WINDOWS\uguzixuq.dll
[2010/11/11 12:58:06 | 000,000,674 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\.wtav
[2010/11/11 12:56:50 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
[2010/11/11 12:55:29 | 000,000,214 | ---- | C] () -- C:\Documents and Settings\Michele\delme.bat
[2010/11/11 12:54:25 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Nhetoyiziyemam.dat
[2010/11/11 12:54:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Xnucolifetahef.bin
[2010/11/11 12:52:34 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/11/11 12:52:34 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/11/11 12:52:34 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/11/11 12:52:34 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/11/11 12:52:34 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/11/11 12:52:34 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/11/11 12:52:34 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/11/11 12:52:34 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/11/11 12:52:34 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/11/11 12:52:34 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/11/11 12:52:33 | 000,000,420 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/11/11 12:52:13 | 000,001,072 | ---- | C] () -- C:\WINDOWS\System32\Improve Your PC.lnk
[2010/10/27 12:53:15 | 000,013,998 | ---- | C] () -- C:\Documents and Settings\Michele\Desktop\Rebel Article 9_20101026_Final.docx
[2010/10/26 10:42:03 | 000,041,941 | ---- | C] () -- C:\Documents and Settings\Michele\My Documents\classroom lists #2.docx
[2010/10/19 09:31:32 | 000,000,276 | ---- | C] () -- C:\WINDOWS\agssi.ini
[2010/07/30 08:42:14 | 000,000,203 | ---- | C] () -- C:\WINDOWS\QibMet.ini
[2010/02/01 08:33:21 | 000,000,292 | ---- | C] () -- C:\WINDOWS\qibus.ini
[2010/01/20 08:52:48 | 000,000,174 | ---- | C] () -- C:\WINDOWS\nscatch.ini
[2010/01/19 16:24:26 | 000,000,080 | ---- | C] () -- C:\Documents and Settings\Michele\Local Settings\Application Data\FASTWiz.log
[2009/12/14 08:27:35 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4957.dll
[2009/12/14 08:25:30 | 000,001,154 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/12/14 06:49:33 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/04/25 14:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 09:16:20 | 000,281,728 | ---- | C] () -- C:\WINDOWS\System32\msaqmoxo.dll
[2008/04/25 09:16:17 | 000,221,184 | ---- | C] () -- C:\WINDOWS\System32\kbdllv1.dll
[2008/04/25 02:22:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2004/08/04 05:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/04 05:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== LOP Check ==========

[2009/12/14 06:43:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/05/27 08:18:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/11/11 13:26:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michele\Application Data\whitesmoketoolbar
[2009/12/14 06:41:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michele\Application Data\Windows Desktop Search
[2010/01/19 16:09:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michele\Application Data\Windows Search
[2010/11/19 06:21:15 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2010/11/19 10:36:05 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2010/11/19 06:21:16 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\At25.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2010/11/19 09:34:57 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2010/11/19 08:43:58 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2010/11/19 06:21:16 | 000,000,420 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job

========== Purity Check ==========



< End of report >

OTL Extras logfile created on: 11/19/2010 11:12:14 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = E:\Virus help
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.97 Gb Total Space | 125.32 Gb Free Space | 84.12% Space Free | Partition Type: NTFS
Drive E: | 7.45 Gb Total Space | 7.41 Gb Free Space | 99.39% Space Free | Partition Type: FAT32

Computer Name: MICHELEDELL | User Name: Michele | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"C:\Program Files\Kyocera\FileUtility\NsCatCom.exe" = C:\Program Files\Kyocera\FileUtility\NsCatCom.exe:*:Enabled:NsCatCom -- (KYOCERA MITA Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\qibmet\MetQib.exe" = C:\qibmet\MetQib.exe:*:Enabled:Structured Settlement System -- (MetLife)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{06E6E30D-B498-442F-A943-07DE41D7F785}" = Microsoft Search Enhancement Pack
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE 10.3
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 17
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2B318E8A-10A4-49B8-A93F-A125FCE31CAB}" = MetLife QIB for Structured Settlements
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes
"{61C79AE1-5403-4687-AC68-28BFA5EF3895}" = Kyocera Scanner File Utility
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD DX
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7BB045C3-D5E4-4620-B536-DC11AACD5942}" = Broadcom Management Programs
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D59AC32-B0FA-4CD7-A2EC-4B57C06CD9D9}" = Dell Backup and Recovery Manager
"{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE 10.3
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Acrobat 8 Professional - English, Français, Deutsch" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HDMI" = Intel® Graphics Media Accelerator Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"PROR" = Microsoft Office Professional 2007
"USAA Quote In A Box" = USAA Quote In A Box
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/19/2010 12:38:33 PM | Computer Name = MICHELEDELL | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 11/19/2010 12:38:33 PM | Computer Name = MICHELEDELL | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 11/19/2010 1:05:46 PM | Computer Name = MICHELEDELL | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x00021260.

[ System Events ]
Error - 11/19/2010 12:27:52 PM | Computer Name = MICHELEDELL | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%1053

Error - 11/19/2010 12:35:09 PM | Computer Name = MICHELEDELL | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Google Update Service
(gupdate) service to connect.

Error - 11/19/2010 12:35:09 PM | Computer Name = MICHELEDELL | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%1053

Error - 11/19/2010 1:06:23 PM | Computer Name = MICHELEDELL | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 11/19/2010 1:36:20 PM | Computer Name = MICHELEDELL | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Google Update Service
(gupdate) service to connect.

Error - 11/19/2010 1:36:20 PM | Computer Name = MICHELEDELL | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%1053

Error - 11/19/2010 1:46:21 PM | Computer Name = MICHELEDELL | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Google Update Service
(gupdate) service to connect.

Error - 11/19/2010 1:46:21 PM | Computer Name = MICHELEDELL | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%1053

Error - 11/19/2010 2:00:26 PM | Computer Name = MICHELEDELL | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Google Update Service
(gupdate) service to connect.

Error - 11/19/2010 2:00:26 PM | Computer Name = MICHELEDELL | Source = Service Control Manager | ID = 7000
Description = The Google Update Service (gupdate) service failed to start due to
the following error: %%1053


< End of report >
  • 0

Advertisements

#2
SweetTech
Posted 19 November 2010 - 12:49 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

My name is SweetTech. I would be glad to take a look at your log and help you with solving any malware problems.

If you have already received help elsewhere please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :D
    Because of this, you must reply within three days     failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic. The only time you can and should PM me is when I have not been replying to you for several days (usually around 3 days) and you need an explanation. If that's the case, just send me a message to me on here. ;)
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________

Looking over your logs right now. Will post back with instructions shortly.
  • 0

#3
quimbola
Posted 19 November 2010 - 12:55 PM

quimbola

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Thank you!!

Also when I try to right click it automatically starts an adobe update.

Also if I double click on internet explorer, it creates a shortcut instead of opening it.
  • 0

#4
SweetTech
Posted 19 November 2010 - 12:58 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello again,

Lets see how things are running after doing the following scan:

OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"

    :Services
:OTL
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 50370
FF - prefs.js..network.proxy.type: 1
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll File not found
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
[2 C:\Documents and Settings\Michele\My Documents\*.tmp files -> C:\Documents and Settings\Michele\My Documents\*.tmp -> ]
[2010/11/16 10:27:26 | 000,003,156 | ---- | M] () -- C:\WINDOWS\elasevegu.dll
[2010/11/16 10:26:53 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Xnucolifetahef.bin
[2010/11/16 09:48:02 | 000,003,156 | ---- | M] () -- C:\WINDOWS\apiduraya.dll
[2010/11/12 10:42:43 | 000,003,156 | ---- | M] () -- C:\WINDOWS\awulofos.dll
[2010/11/12 10:42:42 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Nhetoyiziyemam.dat
[2010/11/12 07:53:48 | 000,003,156 | ---- | M] () -- C:\WINDOWS\elikapawogepukog.dll
[2010/11/12 07:32:03 | 000,003,156 | ---- | M] () -- C:\WINDOWS\uguzixuq.dll
[2010/11/11 14:51:49 | 000,000,214 | ---- | M] () -- C:\Documents and Settings\Michele\delme.bat
[2 C:\Documents and Settings\Michele\My Documents\*.tmp files -> C:\Documents and Settings\Michele\My Documents\*.tmp -> ]
[2010/11/16 10:27:26 | 000,003,156 | ---- | C] () -- C:\WINDOWS\elasevegu.dll
[2010/11/16 09:48:02 | 000,003,156 | ---- | C] () -- C:\WINDOWS\apiduraya.dll
[2010/11/12 10:42:43 | 000,003,156 | ---- | C] () -- C:\WINDOWS\awulofos.dll
[2010/11/12 07:53:48 | 000,003,156 | ---- | C] () -- C:\WINDOWS\elikapawogepukog.dll
[2010/11/12 07:32:02 | 000,003,156 | ---- | C] () -- C:\WINDOWS\uguzixuq.dll
[2010/11/11 12:55:29 | 000,000,214 | ---- | C] () -- C:\Documents and Settings\Michele\delme.bat
[2010/11/11 12:54:25 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Nhetoyiziyemam.dat
[2010/11/11 12:54:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Xnucolifetahef.bin
[2010/10/19 09:31:32 | 000,000,276 | ---- | C] () -- C:\WINDOWS\agssi.ini
[2010/07/30 08:42:14 | 000,000,203 | ---- | C] () -- C:\WINDOWS\QibMet.ini

:Reg

:Files
C:\WINDOWS\tasks\At*.job
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now
  • 0

#5
quimbola
Posted 19 November 2010 - 01:44 PM

quimbola

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
You are fast. Double click on IE still creates shortcut.

Logs:

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 50370 removed from network.proxy.http_port
Prefs.js: 1 removed from network.proxy.type
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
C:\Documents and Settings\Michele\My Documents\PFT21.tmp deleted successfully.
C:\Documents and Settings\Michele\My Documents\PFT32.tmp deleted successfully.
C:\WINDOWS\elasevegu.dll moved successfully.
C:\WINDOWS\Xnucolifetahef.bin moved successfully.
C:\WINDOWS\apiduraya.dll moved successfully.
C:\WINDOWS\awulofos.dll moved successfully.
C:\WINDOWS\Nhetoyiziyemam.dat moved successfully.
C:\WINDOWS\elikapawogepukog.dll moved successfully.
C:\WINDOWS\uguzixuq.dll moved successfully.
C:\Documents and Settings\Michele\delme.bat moved successfully.
File C:\WINDOWS\elasevegu.dll not found.
File C:\WINDOWS\apiduraya.dll not found.
File C:\WINDOWS\awulofos.dll not found.
File C:\WINDOWS\elikapawogepukog.dll not found.
File C:\WINDOWS\uguzixuq.dll not found.
File C:\Documents and Settings\Michele\delme.bat not found.
File C:\WINDOWS\Nhetoyiziyemam.dat not found.
File C:\WINDOWS\Xnucolifetahef.bin not found.
C:\WINDOWS\agssi.ini moved successfully.
C:\WINDOWS\QibMet.ini moved successfully.
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At25.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Michele\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Michele\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 23991437 bytes
->Flash cache emptied: 1296 bytes

User: Michele
->Temp folder emptied: 15129 bytes
->Temporary Internet Files folder emptied: 6367493 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 405 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 25377570 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1794 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17338 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 379 bytes

Total Files Cleaned = 53.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService
->Flash cache emptied: 0 bytes

User: Michele
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 11192010_120739

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Michele\Local Settings\Temporary Internet Files\Content.Word\~WRF{70B8B02C-D496-4D54-86B3-03B94E57443F}.tmp not found!
File\Folder C:\Documents and Settings\Michele\Local Settings\Temporary Internet Files\Content.Word\~WRS{9FD09921-3608-4845-9A2C-E934710A76A8}.tmp not found!
C:\Documents and Settings\Michele\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\CATHZNMW.php moved successfully.
C:\Documents and Settings\Michele\Local Settings\Temporary Internet Files\Content.IE5\01234567\xd_proxy[1].php moved successfully.

Registry entries deleted on Reboot...

I attached the other one.

Attached Files

  • Attached File  log.txt   594.48KB   92 downloads

  • 0

#6
SweetTech
Posted 19 November 2010 - 01:52 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File::
c:\documents and settings\Michele\Application Data\Microsoft\gb_203093.bat

DirLook::
c:\windows\system32\2017
c:\windows\system32\%APPDATA%

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



How are things running now?
  • 0

#7
quimbola
Posted 19 November 2010 - 02:12 PM

quimbola

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
MBAM is scanning now. Same deal with the doubler click on IE.

Here is the combo log.

ComboFix 10-11-18.05 - Michele 11/19/2010 13:00:29.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1623 [GMT -7:00]
Running from: c:\documents and settings\Michele\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michele\Desktop\cfscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\documents and settings\Michele\Application Data\Microsoft\gb_203093.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Michele\Application Data\Microsoft\gb_203093.bat

.
((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-19 19:07 . 2010-11-19 19:07 -------- d-----w- C:\_OTL
2010-11-19 13:17 . 2004-08-04 12:00 97792 -c--a-w- c:\windows\system32\dllcache\chtmbx.dll
2010-11-19 13:16 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-11-19 13:16 . 2004-08-04 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2010-11-19 13:14 . 2004-08-04 12:00 44544 -c--a-w- c:\windows\system32\dllcache\tscupgrd.exe
2010-11-19 13:14 . 2004-08-04 12:00 44544 ----a-w- c:\windows\system32\tscupgrd.exe
2010-11-19 12:56 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-11-19 12:56 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-11-19 12:56 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-11-19 12:56 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-11-19 05:38 . 2010-11-19 05:38 -------- d-----w- c:\windows\dell
2010-11-11 22:39 . 2010-11-11 22:39 -------- d-----w- c:\windows\ERUNT
2010-11-11 22:36 . 2010-11-19 18:50 -------- d-----w- C:\SDFix
2010-11-11 22:28 . 2010-11-11 22:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-11-11 22:28 . 2010-11-11 22:28 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-11-11 21:31 . 2010-11-11 21:40 -------- d-----w- c:\windows\BDOSCAN8
2010-11-11 21:12 . 2010-11-19 17:49 -------- d-----w- C:\Rooter$
2010-11-11 20:00 . 2010-11-11 20:26 -------- d-----w- c:\documents and settings\Michele\Application Data\whitesmoketoolbar
2010-11-11 19:56 . 2010-11-11 19:56 -------- d-----w- c:\windows\system32\2017
2010-11-11 19:54 . 2010-11-11 19:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\WhiteSmokeTranslator
2010-11-11 19:54 . 2010-11-11 19:54 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-11-11 19:54 . 2010-11-11 19:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\Windows Search
2010-11-11 19:54 . 2010-11-11 19:54 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-11 19:53 . 2010-11-11 19:53 -------- d-----w- c:\documents and settings\LocalService\Application Data\whitesmoketoolbar
2010-11-11 19:53 . 2010-11-11 19:53 -------- d-----w- c:\program files\whitesmoketoolbar
2010-11-10 17:09 . 2010-11-10 17:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-11-01 16:09 . 2010-11-01 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-26 12:52 . 2009-12-14 13:38 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\%APPDATA% ----

2010-11-11 19:54 . 2010-11-11 19:54 86 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log
2010-11-11 19:54 . 2010-07-07 09:45 31743 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.hdr
2010-11-11 19:54 . 2010-07-07 09:44 234304 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.inx
2010-11-11 19:54 . 2010-06-14 15:06 165 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.iss
2010-11-11 19:54 . 2009-06-10 11:57 550192 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.ocx
2010-11-11 19:54 . 2010-07-07 09:45 581440 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\ISSetup.dll
2010-11-11 19:54 . 2010-07-07 09:45 807744 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.exe
2010-11-11 19:54 . 2009-05-21 12:53 21494 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\0x0409.ini
2010-11-11 19:54 . 2010-06-14 15:32 152 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\config.txt
2010-11-11 19:54 . 2010-07-07 09:44 1178 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.ini
2010-11-11 19:54 . 2010-07-07 09:45 473 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\layout.bin
2010-11-11 19:54 . 2010-07-07 09:45 3525401 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab
2010-11-11 19:54 . 2010-07-07 09:45 567840 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.cab

---- Directory of c:\windows\system32\2017 ----

2010-11-11 19:56 . 2010-11-11 21:29 3622 ----a-w- c:\windows\system32\2017\inf2017.dat


((((((((((((((((((((((((((((( SnapShot_2010-11-19_19.27.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-19 20:05 . 2010-11-19 20:05 16384 c:\windows\temp\Perflib_Perfdata_e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-22 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 141848]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2010-1-20 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Scanner File Utility.lnk - c:\program files\Kyocera\FileUtility\NsCatCom.exe [2010-1-20 335872]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 21:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 11:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Kyocera\\FileUtility\\NsCatCom.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\qibmet\\MetQib.exe"=

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [12/14/2009 8:27 AM 24064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/19/2010 4:27 PM 108289]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [12/14/2009 8:27 AM 176640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/22/2010 11:51 AM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-22 18:51]

2010-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-22 18:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Michele\Application Data\Mozilla\Firefox\Profiles\i9ioo3ky.default\
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-19 13:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3332)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-11-19 13:07:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-19 20:07
ComboFix2.txt 2010-11-19 19:28
ComboFix3.txt 2010-10-06 13:44

Pre-Run: 134,558,752,768 bytes free
Post-Run: 134,552,391,680 bytes free

- - End Of File - - B0D3396333EB3E464D6D6056EED4FC4B
  • 0

#8
SweetTech
Posted 19 November 2010 - 02:17 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Okay, I'll await your response with the MBAM log.
  • 0

#9
quimbola
Posted 19 November 2010 - 02:18 PM

quimbola

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
MBAM found nothing.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5096

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

11/19/2010 1:13:04 PM
mbam-log-2010-11-19 (13-13-04).txt

Scan type: Quick scan
Objects scanned: 147975
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#10
SweetTech
Posted 19 November 2010 - 02:22 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Lets see if this fixes the issue you are experiencing with Internet Explorer.

SFC ScanNow

Go to the Run box on the Start Menu and type in:

sfc /scannow

Make sure to include the space between the first "c" and the "/".

This will run the System File checker and it will scan for corrupt or missing files. It may prompt you to insert the CD if it needs to obtain files.

Please post back when it has finished letting me know what it has reported.

More info on this process can be found here.
  • 0

Advertisements

#11
quimbola
Posted 19 November 2010 - 03:52 PM

quimbola

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.ADA trojan

What ESET found. running Scannow.
  • 0

#12
quimbola
Posted 19 November 2010 - 04:17 PM

quimbola

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Scannnow did not fix the click issue.

I ended up creating a shortcut of IE from its root directory and I removed the IE icon from the desktop.

The shortcut works.
  • 0

#13
SweetTech
Posted 19 November 2010 - 04:48 PM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

Lets get you updated to the latest service pack now.

Update Windows XP
Service Pack 3 (SP3)
It would be in your best interest to install this service pack. This update includes all previously released updates for your system.
Microsoft advises that SP1 or SP1a needs to be installed before installing this update.
Attention: The SP3 download is very large! Based on your Internet connection... be prepared, it could take hours to download!!
Alternately, you could see if a friend or family member has the SP3 update on CD or order it from MS for a fee ... based on your location.

This will be a 2 step process...
The 1st step in this process is to apply Service Pack 3 (SP3) for Windows XP. This update, includes security fixes, to protect your computer.
The 2nd step is to apply all the critical updates and patches since SP3 was released.
Note: If at any time during these steps, you experience problems with your computer...:stop: ...Do not continue with the steps and post a description of the problem.
  • First
  • Obtain Windows XP Service Pack 3 from the Microsoft Download Center
  • Click the Download ...button. Choose "Save" at the prompt...and save the file to your desktop.
  • Double click the "WindowsXP-KB936929-SP3-x86-ENU.exe" file on your desktop to install the update.
    When the installation has completed successfully...
  • ! IMPORTANT ! reboot your computer (normally) before proceeding to the next step.
Second
  • Now...Go to: Windows Update and install the Critical Updates.
  • Press the "Express"...button to have all "critical" updates shown.
  • Make sure all critical updates and patches are checked for download and installation.
  • Press the Install Updates ... button to begin downloading and installing the updates
    After successfully installing the critical updates and patches...
  • ! IMPORTANT ! reboot your computer normally (again) before proceeding.


How are things running? Are you experiencing any outstanding issues with your computer?
  • 0

#14
quimbola
Posted 23 November 2010 - 10:43 AM

quimbola

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Things are looking good!

Thank you so much for your help.
  • 0

#15
SweetTech
Posted 23 November 2010 - 10:45 AM

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

Let me have you one another scan to see if anything else requires our attention:

Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP