Geeks to Go
"WindowsSafemode" Malware Virus - removal



#1 Ihatemalwaretoo (Member, 22 posts)
A cry for help from across the pond...

My computer will start up to a black screen with a pop-up box stating "Windows Boot Failure. Press 'OK' to fix boot failure". When I exit out of the pop-up, a new pop-up appears: "Windows Disk Diagnostic Tool will scan the system to identify performance issues", with two check boxes, "check hard drive sectors" and "system integrity". Then another pop-up: "A problem with the hard drive has been detected. It is strongly recommended that you download and install the following certified software to fix detected hard drive errors. Do you want to download recommended software?". Then a program comes up called "WindowsSafemode" and starts to perform scans etc.

I am currently unable to work, so this is very important, and I would be extremely grateful for assistance in removing this malware permanently. Thank you.

Here is my OTL log:
OTL logfile created on: 10/03/2011 02:08:49 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator.HOME.000\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

959.00 Mb Total Physical Memory | 646.00 Mb Available Physical Memory | 67.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 22.36 Gb Free Space | 30.00% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/10 02:08:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.HOME.000\Desktop\OTL.exe
PRC - [2008/04/14 12:42:20 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/03/10 02:08:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.HOME.000\Desktop\OTL.exe
MOD - [2010/08/23 16:12:02 | 001,054,208 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Pml Driver HPZ12)
SRV - File not found [Auto | Stopped] -- -- (Net Driver HPZ12)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/12/21 12:43:52 | 000,886,176 | -H-- | M] (Citrix Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Citrix\Streaming Client\RadeSvc.exe -- (RadeSvc)
SRV - [2010/12/21 12:43:06 | 000,120,232 | -H-- | M] (Citrix Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Citrix\Streaming Client\RadeHlprSvc.exe -- (RadeHlprSvc)
SRV - [2010/02/01 12:06:06 | 000,320,832 | -H-- | M] (Citrix Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe -- (CdfSvc)
SRV - [2009/09/18 18:48:28 | 000,009,216 | -H-- | M] (Vodafone) [Auto | Stopped] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)
SRV - [2009/07/26 00:38:20 | 000,655,624 | -H-- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/12/01 18:59:52 | 000,033,752 | -H-- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2008/08/15 12:46:20 | 000,284,016 | -H-- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)


========== Driver Services (SafeList) ==========

DRV - [2010/12/09 06:19:18 | 000,200,312 | -H-- | M] (Citrix Systems, Inc.) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\CtxSbx.sys -- (CtxSbx)
DRV - [2010/12/09 06:19:18 | 000,058,488 | -H-- | M] (Citrix Systems, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ctxpidmn.sys -- (ctxpidmn)
DRV - [2010/01/19 01:32:56 | 000,031,280 | -H-- | M] (Citrix Systems, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\cdfdrv.sys -- (cdfdrv)
DRV - [2009/07/23 12:57:22 | 000,112,640 | RH-- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2009/07/23 12:57:22 | 000,102,528 | RH-- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009/07/23 12:57:22 | 000,100,480 | RH-- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbfake.sys -- (hwusbfake)
DRV - [2007/06/19 00:12:04 | 000,016,768 | -H-- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2006/11/01 16:55:48 | 000,604,928 | -H-- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/08/29 22:12:28 | 000,990,592 | -H-- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/08/29 22:11:08 | 000,208,384 | -H-- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/08/29 22:10:56 | 000,728,576 | -H-- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/07/27 22:44:42 | 000,581,632 | -H-- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2006/06/28 17:54:00 | 000,009,472 | -H-- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2006/03/05 23:49:36 | 000,011,136 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2006/03/03 00:31:04 | 000,013,056 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/03 00:31:02 | 000,034,176 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/01/27 08:04:16 | 000,099,584 | -H-- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2006/01/27 08:04:16 | 000,099,584 | -H-- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/01/02 04:21:44 | 000,717,296 | -H-- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2005/08/02 15:00:36 | 000,232,192 | RH-- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2004/09/29 18:28:36 | 000,016,292 | -H-- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCANDIS5.SYS -- (PCANDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/30 16:58:41 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/02/17 23:05:21 | 000,000,000 | -H-D | M]

[2011/02/17 23:05:22 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/02/17 23:05:22 | 000,000,000 | -H-D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/02/02 21:40:24 | 000,472,808 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/12/03 17:47:02 | 000,001,538 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/12/03 17:47:02 | 000,000,947 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/12/03 17:47:02 | 000,000,769 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/12/03 17:47:02 | 000,001,135 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/07/26 01:17:42 | 000,001,665 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 3 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (PriceGongCtrl Class) - {D2A2595C-4FE4-4315-AA9B-19DBD6271B71} - C:\Program Files\PriceGong\1.5.0\PriceGongIE.dll (PriceGong)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [F5D8071] C:\Program Files\Belkin\F5D8071v1\Belkinwcui.exe (Belkin)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [MobileConnect] C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (Vodafone)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe ( )
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.ado...obat/nos/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/01/01 21:26:20 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/10 02:08:41 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.HOME.000\Desktop\OTL.exe
[2011/03/10 02:03:26 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.HOME.000\Desktop\TFC.exe
[2011/03/10 00:58:30 | 000,718,848 | -H-- | C] (NetInternals) -- C:\Documents and Settings\All Users\Application Data\CdaTJMyGYahYi.exe
[2011/03/08 04:00:06 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Application Data\Adobe
[2011/03/08 03:56:35 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Start Menu\Programs\Windows Safemode
[2011/03/08 03:56:09 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator.HOME.000\Application Data\Microsoft
[2011/03/08 03:56:09 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator.HOME.000\Cookies
[2011/03/08 03:56:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Start Menu\Programs\Startup
[2011/03/08 03:56:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Start Menu
[2011/03/08 03:56:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.HOME.000\SendTo
[2011/03/08 03:56:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Application Data
[2011/03/08 03:56:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Start Menu\Programs\Accessories
[2011/03/08 03:56:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Templates
[2011/03/08 03:56:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Recent
[2011/03/08 03:56:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.HOME.000\PrintHood
[2011/03/08 03:56:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.HOME.000\NetHood
[2011/03/08 03:56:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.HOME.000\My Documents
[2011/03/08 03:56:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Local Settings\Application Data\Microsoft
[2011/03/08 03:56:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Application Data\Macromedia
[2011/03/08 03:56:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Local Settings
[2011/03/08 03:56:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Favorites
[2011/03/08 03:56:09 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.HOME.000\Desktop
[2011/03/08 03:25:03 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/03/02 03:03:22 | 000,733,184 | -H-- | C] (ACTS) -- C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll
[2011/02/20 09:35:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/02/17 23:20:45 | 000,000,000 | -H-D | C] -- C:\Program Files\Common Files\Citrix
[2011/02/17 23:20:45 | 000,000,000 | -H-D | C] -- C:\Program Files\Citrix
[2011/02/17 23:19:35 | 000,000,000 | -H-D | C] -- C:\WINDOWS\Downloaded Installations
[2011/02/17 23:05:40 | 000,000,000 | -H-D | C] -- C:\Program Files\Common Files\Java
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/10 02:08:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.HOME.000\Desktop\OTL.exe
[2011/03/10 02:03:26 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.HOME.000\Desktop\TFC.exe
[2011/03/10 01:58:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/10 01:28:43 | 000,000,336 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\17358644
[2011/03/10 01:28:42 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\17358644.exe
[2011/03/10 01:28:23 | 000,000,882 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/10 01:12:00 | 000,000,886 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/10 00:58:30 | 000,718,848 | -H-- | M] (NetInternals) -- C:\Documents and Settings\All Users\Application Data\CdaTJMyGYahYi.exe
[2011/03/10 00:56:05 | 000,436,004 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/10 00:56:05 | 000,068,668 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/10 00:52:55 | 000,014,863 | -H-- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/03/10 00:51:59 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/08 03:59:43 | 000,000,272 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~40500
[2011/03/08 03:59:43 | 000,000,176 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~40500r
[2011/03/08 03:56:35 | 000,000,794 | -H-- | M] () -- C:\Documents and Settings\Administrator.HOME.000\Desktop\Windows Safemode.lnk
[2011/03/08 03:56:13 | 000,000,344 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\40500
[2011/03/08 03:56:10 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\40500.exe
[2011/03/08 03:35:51 | 000,000,272 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~45828
[2011/03/08 03:35:51 | 000,000,176 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~45828r
[2011/03/08 03:29:42 | 000,000,344 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\45828
[2011/03/08 03:29:40 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\45828.exe
[2011/03/08 03:25:55 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\86140.exe
[2011/03/08 03:12:02 | 000,000,272 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~75328
[2011/03/08 03:12:01 | 000,000,176 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~75328r
[2011/03/08 03:05:55 | 000,000,392 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\75328
[2011/03/08 03:01:00 | 000,000,236 | -H-- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/03/08 00:53:24 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\75328.exe
[2011/03/08 00:16:22 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\39265.exe
[2011/03/08 00:08:43 | 000,696,320 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\KDfipsQcxuWorYT.dll
[2011/03/02 03:03:22 | 000,733,184 | -H-- | M] (ACTS) -- C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll
[2011/02/18 14:03:15 | 000,001,917 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/16 22:07:16 | 000,001,729 | -H-- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/10 01:28:43 | 000,000,336 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\17358644
[2011/03/10 01:28:42 | 000,672,256 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\17358644.exe
[2011/03/08 03:59:43 | 000,000,272 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~40500
[2011/03/08 03:59:43 | 000,000,176 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~40500r
[2011/03/08 03:56:35 | 000,000,794 | -H-- | C] () -- C:\Documents and Settings\Administrator.HOME.000\Desktop\Windows Safemode.lnk
[2011/03/08 03:56:13 | 000,000,344 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\40500
[2011/03/08 03:56:10 | 000,672,256 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\40500.exe
[2011/03/08 03:56:09 | 000,001,791 | -H-- | C] () -- C:\Documents and Settings\Administrator.HOME.000\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/08 03:56:09 | 000,001,599 | -H-- | C] () -- C:\Documents and Settings\Administrator.HOME.000\Start Menu\Programs\Remote Assistance.lnk
[2011/03/08 03:56:09 | 000,000,792 | -H-- | C] () -- C:\Documents and Settings\Administrator.HOME.000\Start Menu\Programs\Windows Media Player.lnk
[2011/03/08 03:56:09 | 000,000,600 | -H-- | C] () -- C:\Documents and Settings\Administrator.HOME.000\Application Data\Microsoft\Internet Explorer\Quick Launch\jZip.lnk
[2011/03/08 03:35:51 | 000,000,272 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~45828
[2011/03/08 03:35:51 | 000,000,176 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~45828r
[2011/03/08 03:29:42 | 000,000,344 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\45828
[2011/03/08 03:29:40 | 000,672,256 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\45828.exe
[2011/03/08 03:25:55 | 000,672,256 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\86140.exe
[2011/03/08 01:45:39 | 000,000,272 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~75328
[2011/03/08 01:45:39 | 000,000,176 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~75328r
[2011/03/08 00:53:29 | 000,000,392 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\75328
[2011/03/08 00:53:24 | 000,672,256 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\75328.exe
[2011/03/08 00:16:22 | 000,672,256 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\39265.exe
[2011/03/08 00:08:43 | 000,696,320 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\KDfipsQcxuWorYT.dll
[2011/01/30 16:58:43 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\nsreg.dat
[2010/06/28 10:01:17 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/05/09 14:00:55 | 000,000,664 | -H-- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/22 03:00:05 | 000,087,552 | -H-- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/08/28 15:16:16 | 000,130,238 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceManager.xml.rc4
[2009/04/25 22:31:06 | 000,002,048 | RH-- | C] () -- C:\WINDOWS\System32\drivers\rt73.bin
[2006/07/21 04:58:00 | 001,662,976 | -H-- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/07/21 04:58:00 | 001,519,616 | -H-- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/07/21 04:58:00 | 001,470,464 | -H-- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/07/21 04:58:00 | 001,339,392 | -H-- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/07/21 04:58:00 | 001,019,904 | -H-- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/07/21 04:58:00 | 000,466,944 | -H-- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/07/21 04:58:00 | 000,442,368 | -H-- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/07/21 04:58:00 | 000,425,984 | -H-- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/07/21 04:58:00 | 000,098,304 | -H-- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/01/02 04:30:04 | 000,000,256 | -H-- | C] () -- C:\WINDOWS\_delis32.ini
[2006/01/02 04:27:19 | 000,000,510 | -H-- | C] () -- C:\WINDOWS\ODBC.INI
[2006/01/01 21:29:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/01/01 21:22:54 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/01/01 13:13:37 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/01/01 13:12:19 | 002,136,624 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/04 12:00:00 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 12:00:00 | 000,755,200 | -H-- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2004/08/04 12:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 12:00:00 | 000,436,004 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 12:00:00 | 000,338,432 | -H-- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2004/08/04 12:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 12:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 12:00:00 | 000,200,192 | -H-- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2004/08/04 12:00:00 | 000,183,808 | -H-- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2004/08/04 12:00:00 | 000,120,320 | -H-- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2004/08/04 12:00:00 | 000,068,668 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 12:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 12:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 12:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 12:00:00 | 000,004,463 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 12:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 12:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 15:05:08 | 000,002,695 | -H-- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/03/10 01:26:33 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Bitmeter2
[2006/01/02 04:24:14 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2009/08/01 14:28:12 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2010/10/30 00:05:23 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Quark
[2010/12/20 22:51:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Vodafone
[2009/07/23 15:10:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/01/09 21:47:59 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/03/08 03:01:00 | 000,000,236 | -H-- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========



< End of report >

Please kindly advise what script I should run or do next.

Thanks ever so much,
Steve
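The log above is the raw material a helper reads by eye. As an added example (not code from the thread, from OTL, or from its author), the following Python script applies the same reading to constructed sample lines of the same shape: O6/O7 policy values the rogue sets to lock the user out of Task Manager, randomly named executables dropped straight into All Users\Application Data with a missing or fake company name and byte-identical sizes, and hosts-file entries that send a name to loopback. The policy names other than DisableTaskMgr, the name and size thresholds, and the severity labels are assumptions, not facts from the log.

```python
"""Triage heuristics for OTL log lines from a rogue fake-disk-scanner infection.

Added example, not part of the thread or of OTL itself. SAMPLE_LOG is constructed
to match the shape of the log in the post; the policy names other than
DisableTaskMgr and the naming and size thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict

# One OTL file entry: [stamp | size | attrs | M or C] (company) -- path
FILE_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$")
# O6/O7 policy lines: "O6 - HKLM\...\policies\System: DisableTaskMgr = 1"
POLICY_LINE = re.compile(r"^O[67] - (?P<key>HK\w+\\\S+): (?P<name>\w+) = (?P<value>-?\d+)$")
# O1 hosts-file lines: "O1 - Hosts: 127.0.0.1 example.com"
HOSTS_LINE = re.compile(r"^O1 - Hosts: (?P<ip>[\d.]+) (?P<host>\S+)$")

# Names that are only digits, or a long jumble of letters, placed directly in the
# All Users profile's Application Data folder are how this family names its copies.
DROPPER_NAME = re.compile(r"^(?:\d{4,}|[A-Za-z]{10,})\.(?:exe|dll)$", re.IGNORECASE)
ALL_USERS_APPDATA = "\\all users\\application data\\"
PE_EXTENSIONS = (".exe", ".dll", ".sys")
# DisableTaskMgr is in the log; the other two are assumed siblings rogues also set.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoDesktop"}

# Constructed sample lines shaped like the OTL log in the post.
SAMPLE_LOG = r"""
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
[2011/03/10 01:28:42 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\17358644.exe
[2011/03/08 03:56:10 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\40500.exe
[2011/03/10 00:58:30 | 000,718,848 | -H-- | M] (NetInternals) -- C:\Documents and Settings\All Users\Application Data\CdaTJMyGYahYi.exe
[2011/03/08 00:08:43 | 000,696,320 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\KDfipsQcxuWorYT.dll
[2011/03/10 02:08:44 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.HOME.000\Desktop\OTL.exe
[2011/03/08 03:56:35 | 000,000,794 | -H-- | M] () -- C:\Documents and Settings\Administrator.HOME.000\Desktop\Windows Safemode.lnk
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
"""


def parse_file_line(line):
    """Return the fields of an OTL file entry as a dict, or None for any other line."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))
    rec["name"] = rec["path"].rsplit("\\", 1)[-1]
    rec["folder"] = rec["path"][: len(rec["path"]) - len(rec["name"])]
    return rec


def is_suspect_dropper(rec):
    """Randomly named PE file sitting directly in All Users\\Application Data."""
    return (rec["folder"].lower().endswith(ALL_USERS_APPDATA)
            and DROPPER_NAME.match(rec["name"]) is not None)


def triage(log_text):
    """Walk the log once; return findings as (severity, reason, line) tuples."""
    findings = []
    by_size = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_LINE.match(line)
        if m:
            if m["name"] in LOCKOUT_POLICIES and m["value"] != "0":
                findings.append(("high", f"lockout policy {m['name']}={m['value']} in {m['key']}", line))
            continue
        m = HOSTS_LINE.match(line)
        if m:
            if m["host"] != "localhost" and m["ip"].startswith("127."):
                findings.append(("info", f"hosts file sends {m['host']} to loopback", line))
            continue
        rec = parse_file_line(line)
        if rec is None:
            continue
        if rec["name"].lower().endswith(PE_EXTENSIONS):
            by_size[rec["size"]].add(rec["name"])
        if is_suspect_dropper(rec):
            who = rec["company"] or "no company name"
            findings.append(("high", f"random-named dropper ({who})", line))
    # Differently named PE files of byte-identical size are usually one binary
    # re-copied under a fresh name; the log shows this happening on every run.
    for size, names in by_size.items():
        if len(names) > 1:
            findings.append(("medium", f"{len(names)} files share size {size}: {sorted(names)}", ""))
    return findings


def severity_counts(findings):
    """Counts per severity, e.g. {'high': 6, 'medium': 1, 'info': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}" + (f"\n         {line}" if line else ""))
```

Run it as a script to see the findings for the sample, or feed a real OTL log through `triage(open(path).read())`. A company name in parentheses is not a signal of legitimacy: the sample's `CdaTJMyGYahYi.exe` carries one and is still flagged on name and location, which is why the check ignores the company field except for reporting.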


#2 RKinner (Malware Expert, MVP, 24,624 posts)
Copy the text in the code box by highlighting it and pressing Ctrl + C


:Services
Pml Driver HPZ12
Net Driver HPZ12
HidServ

:OTL
SRV - File not found [Auto | Stopped] -- -- (Pml Driver HPZ12)
SRV - File not found [Auto | Stopped] -- -- (Net Driver HPZ12)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKCU..\Run: [AdobeBridge] File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
[2011/03/10 01:28:43 | 000,000,336 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\17358644
[2011/03/10 01:28:42 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\17358644.exe
[2011/03/10 00:58:30 | 000,718,848 | -H-- | M] (NetInternals) -- C:\Documents and Settings\All Users\Application Data\CdaTJMyGYahYi.exe
[2011/03/08 03:59:43 | 000,000,272 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~40500
[2011/03/08 03:59:43 | 000,000,176 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~40500r
[2011/03/08 03:56:35 | 000,000,794 | -H-- | M] () -- C:\Documents and Settings\Administrator.HOME.000\Desktop\Windows Safemode.lnk
[2011/03/08 03:56:13 | 000,000,344 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\40500
[2011/03/08 03:56:10 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\40500.exe
[2011/03/08 03:35:51 | 000,000,272 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~45828
[2011/03/08 03:35:51 | 000,000,176 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~45828r
[2011/03/08 03:29:42 | 000,000,344 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\45828
[2011/03/08 03:29:40 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\45828.exe
[2011/03/08 03:25:55 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\86140.exe
[2011/03/08 03:12:02 | 000,000,272 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~75328
[2011/03/08 03:12:01 | 000,000,176 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~75328r
[2011/03/08 03:05:55 | 000,000,392 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\75328
[2011/03/08 03:01:00 | 000,000,236 | -H-- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/03/08 00:53:24 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\75328.exe
[2011/03/08 00:16:22 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\39265.exe
[2011/03/08 00:08:43 | 000,696,320 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\KDfipsQcxuWorYT.dll
[2011/03/02 03:03:22 | 000,733,184 | -H-- | M] (ACTS) -- C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll
     
:Commands
[purity]
[emptytemp]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select either the Use SafeList or All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

Reboot now, please :!:

Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:

OTL Log
MBAM log
Combofix log

Ron
  • 0
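The fix script in the reply above lists the indicators that mark this rogue's drop files: hidden (`-H--`) files sitting directly in `All Users\Application Data` rather than in a vendor subfolder, named with a bare number (`40500.exe` alongside `~40500` and `~40500r` state files), executables with no company name in the parentheses, and a random-looking `.exe`/`.dll` of the same kind. The script below is an added example that turns those indicators into detection logic over OTL's file-entry lines; it is not OTL's own code and not RKinner's. The sample lines are copied from this thread's log, while the rule names, the `APPDATA_ROOT` constant and the numeric-name pattern are my own assumptions:

```python
"""Flag rogue-AV style drop files in OTL file-entry lines.

Added example for this thread, not OldTimer's OTL code. It parses the
'[date time | size | attrs | M] (company) -- path' lines that OTL emits and
applies the indicators the fix script in the thread targets. The sample
lines are taken from the thread's log; the rules and names are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a few OTL lines from the thread plus two benign ones.
SAMPLE_LOG = r"""
[2011/03/10 01:28:43 | 000,000,336 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\17358644
[2011/03/10 01:28:42 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\17358644.exe
[2011/03/10 00:58:30 | 000,718,848 | -H-- | M] (NetInternals) -- C:\Documents and Settings\All Users\Application Data\CdaTJMyGYahYi.exe
[2011/03/08 03:59:43 | 000,000,272 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~40500
[2011/03/08 03:59:43 | 000,000,176 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~40500r
[2011/03/08 03:56:10 | 000,672,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\40500.exe
[2011/03/08 00:08:43 | 000,696,320 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\KDfipsQcxuWorYT.dll
[2009/07/23 15:10:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/03/08 03:01:00 | 000,000,236 | -H-- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
"""

# One OTL file/folder entry: directories carry no "(company)" group.
LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| M\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# Bare number, optionally ~-prefixed with an 'r' suffix, optionally .exe (assumed pattern).
NUMERIC_NAME_RE = re.compile(r"^~?\d+r?(\.exe)?$", re.IGNORECASE)
APPDATA_ROOT = r"c:\documents and settings\all users\application data"  # assumed XP path
EXEC_EXT = (".exe", ".dll", ".scr", ".com")


@dataclass
class Entry:
    path: str
    size: int
    hidden: bool
    is_dir: bool
    company: str | None  # None for directory lines, "" for empty parentheses

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_otl_files(text: str) -> list[Entry]:
    """Parse OTL file/folder entry lines; any other line is ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            path=m["path"],
            size=int(m["size"].replace(",", "")),
            hidden="H" in m["attrs"],
            is_dir="D" in m["attrs"],
            company=m["company"],
        ))
    return entries


def suspicious(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (path, reason) for hidden files dropped straight into the shared profile root."""
    hits = []
    for e in entries:
        if e.is_dir or not e.hidden or e.parent != APPDATA_ROOT:
            continue
        if NUMERIC_NAME_RE.match(e.name):
            hits.append((e.path, "hidden numeric-named file in All Users\\Application Data"))
        elif e.name.lower().endswith(EXEC_EXT):
            hits.append((e.path, "hidden executable in All Users\\Application Data root"))
    return hits


def drop_families(entries: list[Entry]) -> dict[str, list[str]]:
    """Group numeric drops by stem, e.g. 40500.exe with its ~40500 and ~40500r state files."""
    fam: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        if e.parent == APPDATA_ROOT and NUMERIC_NAME_RE.match(e.name):
            stem = e.name.lower().lstrip("~").removesuffix(".exe").rstrip("r")
            fam[stem].append(e.name)
    return dict(fam)


if __name__ == "__main__":
    found = parse_otl_files(SAMPLE_LOG)
    for path, reason in suspicious(found):
        print(f"{reason}: {path}")
    for stem, names in drop_families(found).items():
        print(f"family {stem}: {', '.join(names)}")
```

Run against the sample, the WinZip folder and the Ask Toolbar task are left alone, while all seven hidden drops are flagged and the numeric ones are grouped into two families, which is the same set the OTL fix moves. The rules key on location and attributes rather than on the specific numbers, so the same check applies to a fresh log where the rogue has picked new names.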

#3
Ihatemalwaretoo

Ihatemalwaretoo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi Ron,

Thanks ever so much for taking the time to reply and work through a solution to solve my problem. I have posted the logs as per my earlier note; however, I failed to save the Malwarebytes one, which showed that 6 items were removed, one of which was a Malware virus.

One very peculiar thing that has happened since I have had the Malware infection is that my battery is no longer being used; the computer is only powered up if I have the mains in constantly. I recently bought a new battery for the computer, so I would hope it is not the battery somehow going. Is it possible for a virus to do something such that the battery will not be drawn on?

Thanks ever so much for your help, hugely appreciated.

Kindest Regards
Steve
  • 0

#4
Ihatemalwaretoo

Ihatemalwaretoo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi Ron - just realised that my earlier post with the logs did not register, posting again:

All processes killed
========== SERVICES/DRIVERS ==========
Service Pml Driver HPZ12 stopped successfully!
Service Pml Driver HPZ12 deleted successfully!
Service Net Driver HPZ12 stopped successfully!
Service Net Driver HPZ12 deleted successfully!
Service HidServ stopped successfully!
Service HidServ deleted successfully!
========== OTL ==========
Error: No service named Pml Driver HPZ12 was found to stop!
Service\Driver key Pml Driver HPZ12 not found.
Error: No service named Net Driver HPZ12 was found to stop!
Service\Driver key Net Driver HPZ12 not found.
Error: No service named HidServ was found to stop!
Service\Driver key HidServ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
C:\Program Files\Ask.com\GenericAskToolbar.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\ deleted successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File C:\Program Files\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
File C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
C:\Documents and Settings\All Users\Application Data\17358644 moved successfully.
C:\Documents and Settings\All Users\Application Data\17358644.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\CdaTJMyGYahYi.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\~40500 moved successfully.
C:\Documents and Settings\All Users\Application Data\~40500r moved successfully.
File C:\Documents and Settings\Administrator.HOME.000\Desktop\Windows Safemode.lnk not found.
C:\Documents and Settings\All Users\Application Data\40500 moved successfully.
C:\Documents and Settings\All Users\Application Data\40500.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\~45828 moved successfully.
C:\Documents and Settings\All Users\Application Data\~45828r moved successfully.
C:\Documents and Settings\All Users\Application Data\45828 moved successfully.
C:\Documents and Settings\All Users\Application Data\45828.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\86140.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\~75328 moved successfully.
C:\Documents and Settings\All Users\Application Data\~75328r moved successfully.
C:\Documents and Settings\All Users\Application Data\75328 moved successfully.
C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job moved successfully.
C:\Documents and Settings\All Users\Application Data\75328.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\39265.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\KDfipsQcxuWorYT.dll moved successfully.
C:\Documents and Settings\All Users\Application Data\KKttWaNfnwBvi.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.HOME
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.HOME.000
->Temp folder emptied: 10285974 bytes
->Temporary Internet Files folder emptied: 1002900 bytes
->Java cache emptied: 107819 bytes
->Flash cache emptied: 611 bytes

User: All Users

User: Ctx_StreamingSvc
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: rcaiani
->Temp folder emptied: 34953 bytes
->Temporary Internet Files folder emptied: 8483264 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: scroft
->Temp folder emptied: 17244 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16474 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 364054168 bytes

Total Files Cleaned = 366.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 03102011_061831

Files\Folders moved on Reboot...
C:\Documents and Settings\rcaiani\Local Settings\Temporary Internet Files\Content.IE5\KDEZWHAF\CAM81JFY.htm moved successfully.
C:\Documents and Settings\rcaiani\Local Settings\Temporary Internet Files\Content.IE5\KDEZWHAF\CAO19I7I.com moved successfully.
C:\Documents and Settings\rcaiani\Local Settings\Temporary Internet Files\Content.IE5\KDEZWHAF\CAOOPX7U.com moved successfully.
C:\Documents and Settings\rcaiani\Local Settings\Temporary Internet Files\Content.IE5\KDEZWHAF\def[1].html moved successfully.
C:\Documents and Settings\rcaiani\Local Settings\Temporary Internet Files\Content.IE5\GPAJCHYB\getSegment[2].htm moved successfully.
C:\Documents and Settings\rcaiani\Local Settings\Temporary Internet Files\Content.IE5\CG5OY5RM\296938-windowssafemode-malware-virus-removal[1] moved successfully.
C:\Documents and Settings\rcaiani\Local Settings\Temporary Internet Files\Content.IE5\CG5OY5RM\CA6B4HMV.com moved successfully.
C:\Documents and Settings\rcaiani\Local Settings\Temporary Internet Files\Content.IE5\CG5OY5RM\otl-by-oldtimer-a-modern-replacement-for-hijackthis[1] moved successfully.
C:\Documents and Settings\rcaiani\Local Settings\Temporary Internet Files\Content.IE5\7YDO0S7Z\CAC4HQVV.htm moved successfully.
C:\Documents and Settings\rcaiani\Local Settings\Temporary Internet Files\Content.IE5\7YDO0S7Z\CAEFGP67.com moved successfully.
C:\Documents and Settings\rcaiani\Local Settings\Temporary Internet Files\Content.IE5\7YDO0S7Z\recommendations[1].php moved successfully.

Registry entries deleted on Reboot...

2nd log:
OTL Extras logfile created on: 3/10/2011 6:26:43 AM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\rcaiani\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.00 Mb Total Physical Memory | 519.00 Mb Available Physical Memory | 54.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 22.33 Gb Free Space | 29.97% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: rcaiani | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS4 Server
"3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS4 Server
"51000:TCP" = 51000:TCP:*:Enabled:Adobe Version Cue CS4 Server
"51001:TCP" = 51001:TCP:*:Enabled:Adobe Version Cue CS4 Server

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Schwab\SSPro\SSPro.exe" = C:\Program Files\Schwab\SSPro\SSPro.exe:*:Enabled:StreetSmart Pro® -- (Charles Schwab & Co., Inc.)
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" = C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe:*:Enabled:Adobe Version Cue CS4 Server -- (Adobe Systems Incorporated)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Disabled:Windows Explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{09D8492A-C8E2-421E-927D-46800FB327A3}" = Wireless Home Network Setup
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{14F70205-1940-4000-88C7-BE799A6B2CAD}" = Adobe Soundbooth CS4
"{15BF7AAF-846C-4A6D-80E1-5D1FC7FB461B}" = Adobe SGM CS4
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1B7C06E1-4888-47A6-992A-0990B9683486}" = Adobe Version Cue CS4 Server
"{1DCA3EAA-6EB5-4563-A970-EA14D75037BA}" = Adobe InDesign CS4
"{1E04CB54-AF4E-4AC3-B4B7-C0A160BE57F1}" = Adobe InDesign CS4 Icon Handler
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{2168245A-B5AD-40D8-A641-48E3E070B5B6}" = Adobe Flash CS4 STI-en
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 24
"{297190A1-4B0D-4CD6-8B9F-3907F15C3FD8}" = Adobe CS4 American English Speech Analysis Models
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2BAF2B96-7560-48B4-87D4-10178DDBE217}" = Adobe InDesign CS4 Application Feature Set Files (Roman)
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{30C8AA56-4088-426F-91D1-0EDFD3A25678}" = Adobe Dreamweaver CS4
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.30 J1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{428FDF9F-E010-4C4C-A8BB-156960AFCA1C}" = Adobe Fireworks CS4
"{43509E18-076E-40FE-AF38-CA5ED400A5A9}" = Pixel Bender Toolkit
"{44E240EC-2224-4078-A88B-2CEE0D3016EF}" = Adobe After Effects CS4 Presets
"{45EC816C-0771-4C14-AE6D-72D1B578F4C8}" = Adobe After Effects CS4
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A52555C-032A-4083-BDD9-6A85ABFB39A8}" = Adobe SING CS4
"{508EA9DB-0323-4E64-AE43-490EFEB2CF47}" = Belkin N1 Wireless ExpressCard
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5EAD5443-7194-46CC-A055-428E6ABB1BAF}" = Adobe Encore CS4
"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support
"{61D6891E-E822-4448-9F9A-0AAAAEB6AF6C}" = Adobe Creative Suite 4 Master Collection
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{664708B3-C730-11D5-ADE7-00B0D07D157A}" = StreetSmart Pro
"{67A9747A-E1F5-4E9A-81CC-12B5D5B81B6E}" = Adobe After Effects CS4 Third Party Content
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B751AEA-D37F-4246-9CF1-D37B429FDFD3}" = AVG 2011
"{6B9B0C6F-E5FA-4633-A640-AB98A272ECCA}" = Safari
"{6FE30813-AC60-40A3-BE53-F6713A1F3893}" = HP Wireless Assistant
"{706EA4A8-97B5-4C29-A0F3-0B38C666F0C4}" = QuarkXPress
"{70A9E155-B1EE-42A0-8605-56E932DFF246}" = Citrix offline plug-in
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7406DF60-016D-476B-A2C7-55D997592047}" = Adobe OnLocation CS4
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{793D1D88-6141-43DE-BE58-59BCE31B4090}" = Adobe Flash CS4 Extension - Flash Lite STI en
"{7CC7BDD5-6F10-4724-96A1-EAC7D9F2831C}" = Adobe InDesign CS4 Common Base Files
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{87532CAB-7932-4F84-8937-823337622807}" = Adobe Illustrator CS4
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{8EB8E60B-315D-44EB-A896-10D88602EE46}" = Adobe Setup
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{96B51C0B-D3BE-4DF3-959C-28B22C10CFBB}" = Vodafone Mobile Connect Lite
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A6EC82A0-1414-475D-8AFD-469089F3080D}" = Adobe Contribute CS4
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.2
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{B05DE7B7-0B40-4411-BD4B-222CAE2D8F15}" = Adobe MotionPicture Color Files CS4
"{B15381DD-FF97-4FCD-A881-ED4DB0975500}" = Adobe Color Video Profiles AE CS4
"{B169BC97-B8AA-4ACA-9CF2-9D0FF5BABDF7}" = Adobe Premiere Pro CS4 Functional Content
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B9F4561A-924D-4510-A85A-BB0960C338CB}" = Adobe Asset Services CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BE9CEAAA-F069-4331-BF2F-8D350F6504F4}" = Adobe Media Encoder CS4 Additional Exporter
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{D499F8DE-3F31-4900-9157-61061613704B}" = Adobe Premiere Pro CS4
"{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}" = Adobe Media Encoder CS4
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
"{E8EE9410-8AC4-4F43-A626-DDECA75C79F3}" = Adobe Setup
"{EE353798-E875-42E0-B58D-7E6696182EA8}" = Adobe Media Encoder CS4 Dolby
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F6E99614-F042-4459-82B7-8B38B2601356}" = Adobe Flash CS4
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 4.57
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe_5aab5a491a3a52ae624fd639f6aaa95" = Adobe After Effects CS4 Third Party Content
"Adobe_d2f336b2c5feeb945c28b7a0a45170f" = Adobe Creative Suite 4 Master Collection
"BitMeter" = BitMeter
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CNXT_HDAUDIO" = Conexant HD Audio
"CNXT_MODEM_PCI_VEN_14F1&DEV_5045_at8ven5m" = Soft Data Fax Modem with SmartCP
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CutePDF Writer Installation" = CutePDF Writer 2.8
"Google Chrome" = Google Chrome
"jZip" = jZip
"LogoMaker_is1" = LogoMaker 2.0
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"PriceGong" = PriceGong 1.5.0
"VISPRO" = Microsoft Office Visio Professional 2007
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/6/2011 8:24:56 PM | Computer Name = HOME | Source = Microsoft Office 11 | ID = 2001
Description = Rejected Safe Mode action : Microsoft Excel.

Error - 3/6/2011 11:23:36 PM | Computer Name = HOME | Source = VMCService | ID = 0
Description = GetProcessOwner

Error - 3/7/2011 4:38:07 PM | Computer Name = HOME | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 3/7/2011 8:08:12 PM | Computer Name = HOME | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 3/7/2011 8:10:55 PM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/7/2011 8:11:04 PM | Computer Name = HOME | Source = Application Error | ID = 1000
Description = Faulting application internetexplorerupdate.exe, version 0.0.0.0,
faulting module internetexplorerupdate.exe, version 0.0.0.0, fault address 0x000010be.

Error - 3/7/2011 8:16:20 PM | Computer Name = HOME | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 3/7/2011 8:16:22 PM | Computer Name = HOME | Source = Bonjour Service | ID = 100
Description = DNS Message from «ZERO ADDRESS»:0 to «ZERO ADDRESS»:0 length 0
too short

Error - 3/7/2011 8:52:48 PM | Computer Name = HOME | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

Error - 3/7/2011 9:49:11 PM | Computer Name = HOME | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

[ System Events ]
Error - 3/10/2011 1:58:36 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7023
Description = The Net Driver HPZ12 service terminated with the following error:
%%126

Error - 3/10/2011 1:58:36 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7023
Description = The Pml Driver HPZ12 service terminated with the following error:
%%126

Error - 3/10/2011 2:18:32 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 3/10/2011 2:18:32 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/10/2011 2:18:32 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/10/2011 2:18:32 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/10/2011 2:18:32 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The Citrix Streaming Helper Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 3/10/2011 2:18:32 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7031
Description = The Vodafone Mobile Connect Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
60000 milliseconds: Restart the service.

Error - 3/10/2011 2:18:32 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The hpqwmiex service terminated unexpectedly. It has done this 1
time(s).

Error - 3/10/2011 2:18:33 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).


< End of report >

3rd log:
OTL logfile created on: 3/10/2011 6:26:43 AM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\rcaiani\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.00 Mb Total Physical Memory | 519.00 Mb Available Physical Memory | 54.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 22.33 Gb Free Space | 29.97% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: rcaiani | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/10 06:09:31 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rcaiani\Desktop\OTL.exe
PRC - [2010/12/21 12:43:52 | 000,886,176 | -H-- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
PRC - [2010/12/21 12:43:06 | 000,120,232 | -H-- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\Streaming Client\RadeHlprSvc.exe
PRC - [2010/02/01 12:06:06 | 000,320,832 | -H-- | M] (Citrix Systems, Inc.) -- C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
PRC - [2009/09/18 18:48:34 | 002,412,032 | -H-- | M] (Vodafone) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
PRC - [2009/09/18 18:48:28 | 000,009,216 | -H-- | M] (Vodafone) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
PRC - [2008/04/14 12:42:20 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/19 13:48:08 | 001,630,208 | -H-- | M] (Belkin) -- C:\Program Files\Belkin\F5D8071v1\Belkinwcui.exe


========== Modules (SafeList) ==========

MOD - [2011/03/10 06:09:31 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rcaiani\Desktop\OTL.exe
MOD - [2010/12/21 12:25:40 | 000,710,056 | -H-- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\system32\CtxSbxHook.DLL
MOD - [2010/12/21 12:23:04 | 000,234,920 | -H-- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\system32\radeaphook.dll
MOD - [2010/08/23 16:12:02 | 001,054,208 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/12/21 12:43:52 | 000,886,176 | -H-- | M] (Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\Streaming Client\RadeSvc.exe -- (RadeSvc)
SRV - [2010/12/21 12:43:06 | 000,120,232 | -H-- | M] (Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\Streaming Client\RadeHlprSvc.exe -- (RadeHlprSvc)
SRV - [2010/02/01 12:06:06 | 000,320,832 | -H-- | M] (Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe -- (CdfSvc)
SRV - [2009/09/18 18:48:28 | 000,009,216 | -H-- | M] (Vodafone) [Auto | Running] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)
SRV - [2009/07/26 00:38:20 | 000,655,624 | -H-- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/12/01 18:59:52 | 000,033,752 | -H-- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2008/08/15 12:46:20 | 000,284,016 | -H-- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)


========== Driver Services (SafeList) ==========

DRV - [2010/12/09 06:19:18 | 000,200,312 | -H-- | M] (Citrix Systems, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\CtxSbx.sys -- (CtxSbx)
DRV - [2010/12/09 06:19:18 | 000,058,488 | -H-- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ctxpidmn.sys -- (ctxpidmn)
DRV - [2010/01/19 01:32:56 | 000,031,280 | -H-- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdfdrv.sys -- (cdfdrv)
DRV - [2009/07/23 12:57:22 | 000,112,640 | RH-- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2009/07/23 12:57:22 | 000,102,528 | RH-- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009/07/23 12:57:22 | 000,100,480 | RH-- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbfake.sys -- (hwusbfake)
DRV - [2007/06/19 00:12:04 | 000,016,768 | -H-- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2006/11/01 16:55:48 | 000,604,928 | -H-- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/08/29 22:12:28 | 000,990,592 | -H-- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/08/29 22:11:08 | 000,208,384 | -H-- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/08/29 22:10:56 | 000,728,576 | -H-- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/07/27 22:44:42 | 000,581,632 | -H-- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2006/06/28 17:54:00 | 000,009,472 | -H-- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2006/03/05 23:49:36 | 000,011,136 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2006/03/03 00:31:04 | 000,013,056 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/03 00:31:02 | 000,034,176 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/01/27 08:04:16 | 000,099,584 | -H-- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2006/01/27 08:04:16 | 000,099,584 | -H-- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/01/02 04:21:44 | 000,717,296 | -H-- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2005/08/02 15:00:36 | 000,232,192 | RH-- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2004/09/29 18:28:36 | 000,016,292 | -H-- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCANDIS5.SYS -- (PCANDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/30 16:58:41 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/02/17 23:05:21 | 000,000,000 | -H-D | M]

[2011/02/17 23:05:22 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/02/17 23:05:22 | 000,000,000 | -H-D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/02/02 21:40:24 | 000,472,808 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/12/03 17:47:02 | 000,001,538 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/12/03 17:47:02 | 000,000,947 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/12/03 17:47:02 | 000,000,769 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/12/03 17:47:02 | 000,001,135 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/07/26 01:17:42 | 000,001,665 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 3 more lines...
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (PriceGongCtrl Class) - {D2A2595C-4FE4-4315-AA9B-19DBD6271B71} - C:\Program Files\PriceGong\1.5.0\PriceGongIE.dll (PriceGong)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [F5D8071] C:\Program Files\Belkin\F5D8071v1\Belkinwcui.exe (Belkin)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [MobileConnect] C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe (Vodafone)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe ( )
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.ado...obat/nos/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\rcaiani\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\rcaiani\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/01/01 21:26:20 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/10 06:14:29 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\rcaiani\Desktop\mbam-setup.exe
[2011/03/10 06:09:25 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\rcaiani\Desktop\OTL.exe
[2011/03/10 03:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/03/10 03:21:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/03/10 02:13:03 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/03/08 03:25:03 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/03/08 01:53:00 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\rcaiani\Local Settings\Application Data\Help
[2011/03/08 00:53:34 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\rcaiani\Start Menu\Programs\Windows Safemode
[2011/02/20 09:35:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/02/17 23:20:45 | 000,000,000 | -H-D | C] -- C:\Program Files\Common Files\Citrix
[2011/02/17 23:20:45 | 000,000,000 | -H-D | C] -- C:\Program Files\Citrix
[2011/02/17 23:19:35 | 000,000,000 | -H-D | C] -- C:\WINDOWS\Downloaded Installations
[2011/02/17 23:05:40 | 000,000,000 | -H-D | C] -- C:\Program Files\Common Files\Java
[2011/02/17 23:05:21 | 000,157,472 | -H-- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/02/17 23:05:21 | 000,145,184 | -H-- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/02/17 23:05:21 | 000,145,184 | -H-- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

========== Files - Modified Within 30 Days ==========

[2011/03/10 06:20:59 | 000,000,882 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/10 06:20:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/10 06:17:05 | 004,286,145 | ---- | M] () -- C:\Documents and Settings\rcaiani\Desktop\george.exe
[2011/03/10 06:14:29 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\rcaiani\Desktop\mbam-setup.exe
[2011/03/10 06:12:02 | 000,000,886 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/10 06:09:31 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rcaiani\Desktop\OTL.exe
[2011/03/10 05:51:47 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/10 02:32:47 | 000,000,288 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~17358644
[2011/03/10 02:32:47 | 000,000,176 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~17358644r
[2011/03/10 02:15:33 | 000,000,344 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\18079540
[2011/03/10 02:15:31 | 000,672,256 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\18079540.exe
[2011/03/10 00:56:05 | 000,436,004 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/10 00:56:05 | 000,068,668 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/10 00:52:55 | 000,014,863 | -H-- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/03/10 00:51:59 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/08 00:53:38 | 000,000,794 | -H-- | M] () -- C:\Documents and Settings\rcaiani\Desktop\Windows Safemode.lnk
[2011/02/18 14:03:15 | 000,001,917 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/16 22:07:16 | 000,001,729 | -H-- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

========== Files Created - No Company Name ==========

[2011/03/10 06:17:05 | 004,286,145 | ---- | C] () -- C:\Documents and Settings\rcaiani\Desktop\george.exe
[2011/03/10 02:21:43 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17358644r
[2011/03/10 02:21:42 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17358644
[2011/03/10 02:15:33 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18079540
[2011/03/10 02:15:31 | 000,672,256 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18079540.exe
[2011/03/08 00:53:38 | 000,000,794 | -H-- | C] () -- C:\Documents and Settings\rcaiani\Desktop\Windows Safemode.lnk
[2011/01/30 16:58:43 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\nsreg.dat
[2010/06/28 10:01:17 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/05/09 14:00:55 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/22 03:00:05 | 000,087,552 | -H-- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/08/28 15:16:16 | 000,130,238 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceManager.xml.rc4
[2009/04/25 22:31:06 | 000,002,048 | RH-- | C] () -- C:\WINDOWS\System32\drivers\rt73.bin
[2006/07/21 04:58:00 | 001,662,976 | -H-- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/07/21 04:58:00 | 001,519,616 | -H-- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/07/21 04:58:00 | 001,470,464 | -H-- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/07/21 04:58:00 | 001,339,392 | -H-- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/07/21 04:58:00 | 001,019,904 | -H-- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/07/21 04:58:00 | 000,466,944 | -H-- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/07/21 04:58:00 | 000,442,368 | -H-- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/07/21 04:58:00 | 000,425,984 | -H-- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/07/21 04:58:00 | 000,098,304 | -H-- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/01/02 04:30:04 | 000,000,256 | -H-- | C] () -- C:\WINDOWS\_delis32.ini
[2006/01/02 04:27:19 | 000,000,510 | -H-- | C] () -- C:\WINDOWS\ODBC.INI
[2006/01/01 21:29:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/01/01 21:22:54 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/01/01 13:13:37 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/01/01 13:12:19 | 002,136,624 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/01/01 08:06:55 | 000,007,680 | -H-- | C] () -- C:\Documents and Settings\rcaiani\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/08/04 12:00:00 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 12:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 12:00:00 | 000,436,004 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 12:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 12:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 12:00:00 | 000,068,668 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 12:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 12:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 12:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 12:00:00 | 000,004,463 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 12:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 12:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 15:05:08 | 000,002,695 | -H-- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

< End of report >

4th log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6042

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/10/2011 9:06:00 AM
mbam-log-2011-03-10 (09-06-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 343191
Time elapsed: 2 hour(s), 26 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\scroft\application data\Gaicly\ycaw.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\_OTL\movedfiles\03102011_061831\c_documents and settings\all users\application data\cdatjmygyahyi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\_OTL\movedfiles\03102011_061831\c_documents and settings\all users\application data\kkttwanfnwbvi.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Thanks ever so much for picking up this request; it looks like you have saved my PC.

Cheers
Steve

#5 RKinner (Malware Expert, 24,624 posts, MVP)
Copy the text in the code box by highlighting and Ctrl + c


:OTL
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - File not found
[2011/03/10 02:21:43 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17358644r
[2011/03/10 02:21:42 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17358644
[2011/03/10 02:15:33 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18079540
[2011/03/10 02:15:31 | 000,672,256 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18079540.exe
[2011/03/08 00:53:38 | 000,000,794 | -H-- | C] () -- C:\Documents and Settings\rcaiani\Desktop\Windows Safemode.lnk

:Files
c:\documents and settings\scroft\application data\Gaicly
C:\Documents and Settings\All Users\Application Data\AVG10

:Commands
[RESETHOSTS]
[purity]
[emptytemp]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.

Make sure your computer is set to show hidden files:
* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.


Right click on the Start button and select explore. Navigate to C:\Documents and Settings\All Users\Application Data\

If you see any files that end in .exe or .dll, delete them. Any files or folders whose names are 4-8 digits, ~ + 4-8 digits, or ~ + 4-8 digits + r should be deleted.

Then run OTL again Quick Scan and post the log.

Ron
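A detection aid, added here as an example and not part of Ron's instructions or of any tool used in the thread: it parses OTL file/folder lines (sample lines taken from the log posted above) and flags entries sitting directly under All Users\Application Data that match the naming rule Ron describes, or that are .exe/.dll files placed there. The `ALL_USERS_APPDATA` path, the function names, and the choice to apply the digit rule to the name stem (so `18079540.exe` matches on both counts) are my assumptions; it only reports, it does not delete anything.

```python
"""Flag OTL log entries matching the rogue-AV dropper pattern from this thread.

Rule (from the post above): under All Users\Application Data, names that are
4-8 digits, "~" + 4-8 digits, or "~" + 4-8 digits + "r", plus any .exe/.dll
dropped directly in that directory.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Directory singled out in the instructions (Windows XP layout). Assumption:
# compared case-insensitively, and only direct children are examined.
ALL_USERS_APPDATA = r"C:\Documents and Settings\All Users\Application Data"

# Name pattern from the post: optional "~", 4-8 digits, optional trailing "r".
DIGIT_NAME = re.compile(r"^~?\d{4,8}r?$")

# One OTL file/folder line: "[stamp | size | attrs | C] (company) -- path".
# The "(company)" part is absent on folder lines, so it is optional here.
OTL_ENTRY = re.compile(
    r"^\[(?P<stamp>[^|]+)\|(?P<size>[^|]+)\|(?P<attrs>[^|]+)\|(?P<flag>[^\]]+)\]"
    r"(?:\s*\((?P<company>[^)]*)\))?\s*--\s*(?P<path>.+?)\s*$"
)

# Constructed sample: lines copied from the OTL log in this thread, plus two
# benign entries (AVG10 folder, DeviceManager.xml.rc4) that must not be flagged.
SAMPLE_LOG_LINES = [
    r"[2011/03/10 03:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10",
    r"[2011/03/10 02:13:03 | 000,000,000 | ---D | C] -- C:\_OTL",
    r"[2011/03/10 02:21:43 | 000,000,176 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17358644r",
    r"[2011/03/10 02:21:42 | 000,000,288 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17358644",
    r"[2011/03/10 02:15:33 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18079540",
    r"[2011/03/10 02:15:31 | 000,672,256 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\18079540.exe",
    r"[2009/08/28 15:16:16 | 000,130,238 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceManager.xml.rc4",
    "========== Files Created - No Company Name ==========",  # header, not an entry
]


def parse_otl_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one OTL file/folder line into its fields; None if it is not one."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    return {k: (v or "").strip() for k, v in m.groupdict().items()}


def suspect_reasons(path: str) -> List[str]:
    """Return the reasons a path matches the dropper rule (empty if it does not)."""
    parent, name = ntpath.split(path)
    # Only direct children of All Users\Application Data are in scope.
    if ntpath.normcase(parent) != ntpath.normcase(ALL_USERS_APPDATA):
        return []
    reasons: List[str] = []
    stem, ext = ntpath.splitext(name)
    if ext.lower() in (".exe", ".dll"):
        reasons.append("executable directly under All Users\\Application Data")
    # Assumption: the digit rule is applied to the stem so "18079540.exe" counts.
    if DIGIT_NAME.match(stem):
        reasons.append("random-digit name (~?digits{4,8}r?)")
    return reasons


def find_suspect_entries(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rule over OTL log lines; returns one record per flagged path."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_otl_entry(line)
        if entry is None:
            continue
        reasons = suspect_reasons(entry["path"])
        if reasons:
            hits.append({"path": entry["path"], "stamp": entry["stamp"],
                         "attrs": entry["attrs"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspect_entries(SAMPLE_LOG_LINES):
        print(f"{hit['stamp']}  {hit['path']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```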

#6 RKinner (Malware Expert, 24,624 posts, MVP)
You have had AVG installed on your PC. Combofix is allergic to AVG for some reason, so it and all traces of it need to be removed before running Combofix.

Also Search All Files, Hidden and System files for

internetexplorerupdate.exe

and delete it if you find it.

Ron
  • 0

#7
Ihatemalwaretoo
    Member
  • Topic Starter
  • Member
  • 22 posts
Hi Ron - thanks for your continued help, please see below the first and second logs:
All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart deleted successfully.
C:\Documents and Settings\All Users\Application Data\~17358644r moved successfully.
C:\Documents and Settings\All Users\Application Data\~17358644 moved successfully.
C:\Documents and Settings\All Users\Application Data\18079540 moved successfully.
File C:\Documents and Settings\All Users\Application Data\18079540.exe not found.
C:\Documents and Settings\rcaiani\Desktop\Windows Safemode.lnk moved successfully.
========== FILES ==========
c:\documents and settings\scroft\application data\Gaicly folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10\log folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10\Cfg folder moved successfully.
C:\Documents and Settings\All Users\Application Data\AVG10 folder moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.HOME
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.HOME.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Ctx_StreamingSvc
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: rcaiani
->Temp folder emptied: 50931 bytes
->Temporary Internet Files folder emptied: 74480761 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 1315 bytes

User: scroft
->Temp folder emptied: 72005 bytes
->Temporary Internet Files folder emptied: 16781124 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 611 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 32948 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 87.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 03142011_112347

Files\Folders moved on Reboot...
C:\Documents and Settings\rcaiani\Local Settings\Temporary Internet Files\Content.IE5\C1AJWLQV\296938-windowssafemode-malware-virus-removal[1] moved successfully.

Registry entries deleted on Reboot...

OTL (2nd log):
OTL logfile created on: 3/14/2011 11:35:52 AM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\rcaiani\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.00 Mb Total Physical Memory | 573.00 Mb Available Physical Memory | 60.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1488 2976 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 15.62 Gb Free Space | 20.96% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: rcaiani | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/10 06:09:31 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rcaiani\Desktop\OTL.exe
PRC - [2010/12/21 12:43:52 | 000,886,176 | -H-- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\Streaming Client\RadeSvc.exe
PRC - [2010/12/21 12:43:06 | 000,120,232 | -H-- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\Streaming Client\RadeHlprSvc.exe
PRC - [2010/02/01 12:06:06 | 000,320,832 | -H-- | M] (Citrix Systems, Inc.) -- C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
PRC - [2009/09/18 18:48:28 | 000,009,216 | -H-- | M] (Vodafone) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
PRC - [2008/04/14 12:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/19 13:48:08 | 001,630,208 | -H-- | M] (Belkin) -- C:\Program Files\Belkin\F5D8071v1\Belkinwcui.exe


========== Modules (SafeList) ==========

MOD - [2011/03/10 06:09:31 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rcaiani\Desktop\OTL.exe
MOD - [2010/12/21 12:25:40 | 000,710,056 | -H-- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\system32\CtxSbxHook.DLL
MOD - [2010/12/21 12:23:04 | 000,234,920 | -H-- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\system32\radeaphook.dll
MOD - [2010/08/23 16:12:02 | 001,054,208 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/12/21 12:43:52 | 000,886,176 | -H-- | M] (Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\Streaming Client\RadeSvc.exe -- (RadeSvc)
SRV - [2010/12/21 12:43:06 | 000,120,232 | -H-- | M] (Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\Streaming Client\RadeHlprSvc.exe -- (RadeHlprSvc)
SRV - [2010/02/01 12:06:06 | 000,320,832 | -H-- | M] (Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe -- (CdfSvc)
SRV - [2009/09/18 18:48:28 | 000,009,216 | -H-- | M] (Vodafone) [Auto | Running] -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe -- (VMCService)
SRV - [2009/07/26 00:38:20 | 000,655,624 | -H-- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/12/01 18:59:52 | 000,033,752 | -H-- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2008/08/15 12:46:20 | 000,284,016 | -H-- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)


========== Driver Services (SafeList) ==========

DRV - [2010/12/09 06:19:18 | 000,200,312 | -H-- | M] (Citrix Systems, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\CtxSbx.sys -- (CtxSbx)
DRV - [2010/12/09 06:19:18 | 000,058,488 | -H-- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ctxpidmn.sys -- (ctxpidmn)
DRV - [2010/01/19 01:32:56 | 000,031,280 | -H-- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdfdrv.sys -- (cdfdrv)
DRV - [2009/07/23 12:57:22 | 000,112,640 | RH-- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2009/07/23 12:57:22 | 000,102,528 | RH-- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009/07/23 12:57:22 | 000,100,480 | RH-- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbfake.sys -- (hwusbfake)
DRV - [2007/06/19 00:12:04 | 000,016,768 | -H-- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2006/11/01 16:55:48 | 000,604,928 | -H-- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/08/29 22:12:28 | 000,990,592 | -H-- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/08/29 22:11:08 | 000,208,384 | -H-- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/08/29 22:10:56 | 000,728,576 | -H-- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/07/27 22:44:42 | 000,581,632 | -H-- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)
DRV - [2006/06/28 17:54:00 | 000,009,472 | -H-- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2006/03/05 23:49:36 | 000,011,136 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2006/03/03 00:31:04 | 000,013,056 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/03/03 00:31:02 | 000,034,176 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/01/27 08:04:16 | 000,099,584 | -H-- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2006/01/27 08:04:16 | 000,099,584 | -H-- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/01/02 04:21:44 | 000,717,296 | -H-- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2005/08/02 15:00:36 | 000,232,192 | RH-- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2004/09/29 18:28:36 | 000,016,292 | -H-- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCANDIS5.SYS -- (PCANDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/01/30 16:58:41 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/02/17 23:05:21 | 000,000,000 | -H-D | M]

[2011/02/17 23:05:22 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/02/17 23:05:22 | 000,000,000 | -H-D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/02/02 21:40:24 | 000,472,808 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/12/03 17:47:02 | 000,001,538 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/12/03 17:47:02 | 000,000,947 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/12/03 17:47:02 | 000,000,769 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/12/03 17:47:02 | 000,001,135 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2011/03/14 11:23:49 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (PriceGongCtrl Class) - {D2A2595C-4FE4-4315-AA9B-19DBD6271B71} - C:\Program Files\PriceGong\1.5.0\PriceGongIE.dll (PriceGong)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [F5D8071] C:\Program Files\Belkin\F5D8071v1\Belkinwcui.exe (Belkin)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\CHDAudPropShortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe ( )
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.ado...obat/nos/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\rcaiani\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\rcaiani\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/01/01 21:26:20 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/10 13:44:49 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/10 10:30:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\rcaiani\Application Data\PriceGong
[2011/03/10 09:17:25 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/10 09:11:02 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/10 09:11:02 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/10 09:11:02 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/10 09:11:02 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/10 09:10:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/10 09:10:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/10 06:31:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\rcaiani\Application Data\Malwarebytes
[2011/03/10 06:31:26 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/03/10 06:31:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/10 06:31:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/03/10 06:31:23 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/03/10 06:31:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/10 06:14:29 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\rcaiani\Desktop\mbam-setup.exe
[2011/03/10 06:09:25 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\rcaiani\Desktop\OTL.exe
[2011/03/10 03:21:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/03/10 02:13:03 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/03/08 03:25:03 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/03/08 01:53:00 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\rcaiani\Local Settings\Application Data\Help
[2011/03/08 00:53:34 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\rcaiani\Start Menu\Programs\Windows Safemode
[2011/02/20 09:35:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/02/17 23:20:45 | 000,000,000 | -H-D | C] -- C:\Program Files\Common Files\Citrix
[2011/02/17 23:20:45 | 000,000,000 | -H-D | C] -- C:\Program Files\Citrix
[2011/02/17 23:19:35 | 000,000,000 | -H-D | C] -- C:\WINDOWS\Downloaded Installations
[2011/02/17 23:05:40 | 000,000,000 | -H-D | C] -- C:\Program Files\Common Files\Java

========== Files - Modified Within 30 Days ==========

[2011/03/14 11:25:44 | 000,000,882 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/14 11:25:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/14 11:23:49 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/03/14 08:34:21 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/10 14:12:00 | 000,000,886 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/10 10:37:58 | 000,000,313 | ---- | M] () -- C:\Documents and Settings\rcaiani\My Documents\My Documents.lnk
[2011/03/10 09:17:31 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/03/10 08:15:42 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/10 06:31:26 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/10 06:17:05 | 004,286,145 | R--- | M] () -- C:\Documents and Settings\rcaiani\Desktop\george.exe
[2011/03/10 06:14:29 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\rcaiani\Desktop\mbam-setup.exe
[2011/03/10 06:09:31 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\rcaiani\Desktop\OTL.exe
[2011/03/10 00:56:05 | 000,436,004 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/10 00:56:05 | 000,068,668 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/10 00:52:55 | 000,014,863 | -H-- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/02/18 14:03:15 | 000,001,917 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/16 22:07:16 | 000,001,729 | -H-- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk

========== Files Created - No Company Name ==========

[2011/03/10 10:37:58 | 000,000,313 | ---- | C] () -- C:\Documents and Settings\rcaiani\My Documents\My Documents.lnk
[2011/03/10 09:17:31 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/03/10 09:17:26 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/10 09:11:02 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/10 09:11:02 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/10 09:11:02 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/10 09:11:02 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/10 09:11:02 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/10 06:31:26 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/10 06:17:05 | 004,286,145 | R--- | C] () -- C:\Documents and Settings\rcaiani\Desktop\george.exe
[2011/01/30 16:58:43 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\nsreg.dat
[2010/06/28 10:01:17 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/05/09 14:00:55 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/22 03:00:05 | 000,087,552 | -H-- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/08/28 15:16:16 | 000,130,238 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceManager.xml.rc4
[2009/04/25 22:31:06 | 000,002,048 | RH-- | C] () -- C:\WINDOWS\System32\drivers\rt73.bin
[2006/07/21 04:58:00 | 001,662,976 | -H-- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/07/21 04:58:00 | 001,519,616 | -H-- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/07/21 04:58:00 | 001,470,464 | -H-- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/07/21 04:58:00 | 001,339,392 | -H-- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/07/21 04:58:00 | 001,019,904 | -H-- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/07/21 04:58:00 | 000,466,944 | -H-- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/07/21 04:58:00 | 000,442,368 | -H-- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/07/21 04:58:00 | 000,425,984 | -H-- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/07/21 04:58:00 | 000,098,304 | -H-- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/01/02 04:30:04 | 000,000,256 | -H-- | C] () -- C:\WINDOWS\_delis32.ini
[2006/01/02 04:27:19 | 000,000,510 | -H-- | C] () -- C:\WINDOWS\ODBC.INI
[2006/01/01 21:29:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/01/01 21:22:54 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/01/01 13:13:37 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/01/01 13:12:19 | 002,136,624 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/01/01 08:06:55 | 000,007,680 | -H-- | C] () -- C:\Documents and Settings\rcaiani\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/08/04 12:00:00 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 12:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 12:00:00 | 000,436,004 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 12:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 12:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 12:00:00 | 000,068,668 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 12:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 12:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 12:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 12:00:00 | 000,004,463 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 12:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 12:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 15:05:08 | 000,002,695 | -H-- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/03/10 01:26:33 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Bitmeter2
[2006/01/02 04:24:14 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2011/03/10 03:25:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2009/08/01 14:28:12 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2010/10/30 00:05:23 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Quark
[2010/12/20 22:51:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Vodafone
[2009/07/23 15:10:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/07/05 20:56:06 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\rcaiani\Application Data\BitMeter2
[2011/03/10 10:30:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\rcaiani\Application Data\PriceGong
[2010/12/30 03:47:11 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\rcaiani\Application Data\Vodafone

========== Purity Check ==========



< End of report >

Kind Regards
Steve
  • 0

#8
Ihatemalwaretoo
    Member
  • Topic Starter
  • Member
  • 22 posts
Using Explorer and checking the C hard drive and local drive, I searched using File Name / Key Word "AGC"; however, the search did not return anything. I did the same search for internetexplorerupdate.exe, and again nothing was returned.

Not sure whether that was to be expected or is a good thing or I am simply doing something wrong?

So nothing deleted I am afraid, presuming I am missing something obvious?

Kind Regards
Steve
  • 0

#9
RKinner
    Malware Expert
  • Expert
  • 24,624 posts
  • MVP
AGC was a typo. It should have been AVG.

Try to run Combofix.

Download but do not yet run ComboFix.
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and rename this file (call it george.exe) to your Desktop from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries, including your browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution: do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.
  • 0

#10
Ihatemalwaretoo
    Member
  • Topic Starter
  • Member
  • 22 posts
Hi Ron,

Please see below ComboFix.txt:
ComboFix 11-03-15.02 - rcaiani 03/14/2011 12:47:32.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.959.567 [GMT 0:00]
Running from: c:\documents and settings\rcaiani\Desktop\george.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\rcaiani\Application Data\PriceGong
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\1.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\a.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\b.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\c.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\d.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\e.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\f.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\g.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\h.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\i.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\J.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\k.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\l.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\m.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\n.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\o.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\p.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\q.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\r.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\s.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\t.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\u.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\v.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\w.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\x.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\y.xml
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\z.xml
c:\documents and settings\scroft\Application Data\PriceGong
c:\documents and settings\scroft\Application Data\PriceGong\Data\mru.xml
.
Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\kernel32.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
.
.
2011-03-10 14:35 . 2011-03-10 14:35 -------- d-----w- c:\documents and settings\scroft\Application Data\Malwarebytes
2011-03-10 06:31 . 2011-03-10 06:31 -------- d-----w- c:\documents and settings\rcaiani\Application Data\Malwarebytes
2011-03-10 06:31 . 2011-03-10 06:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-10 06:31 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-10 06:31 . 2011-03-10 06:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-10 06:31 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-10 03:21 . 2011-03-10 03:25 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-10 02:13 . 2011-03-10 02:13 -------- d-----w- C:\_OTL
2011-03-08 03:25 . 2011-03-08 03:25 -------- d--h--w- c:\documents and settings\Administrator
2011-03-08 01:53 . 2011-03-08 01:53 -------- d--h--w- c:\documents and settings\rcaiani\Local Settings\Application Data\Help
2011-02-21 08:26 . 2011-02-21 08:26 -------- d--h--w- c:\documents and settings\scroft\advfn
2011-02-20 09:35 . 2011-02-20 19:51 -------- d--h--w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-17 23:22 . 2011-02-17 23:22 -------- d--h--w- c:\documents and settings\Ctx_StreamingSvc
2011-02-17 23:20 . 2011-02-17 23:22 -------- d--h--w- c:\program files\Citrix
2011-02-17 23:20 . 2011-02-17 23:20 -------- d--h--w- c:\program files\Common Files\Citrix
2011-02-17 23:19 . 2011-02-17 23:19 -------- d--h--w- c:\windows\Downloaded Installations
2011-02-17 23:05 . 2011-02-17 23:05 -------- d--h--w- c:\program files\Common Files\Java
2011-02-17 23:05 . 2011-02-02 21:40 472808 ---ha-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-02-16 10:05 . 2011-02-17 22:39 -------- d--h--w- c:\documents and settings\scroft\Application Data\Exyr
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 21:40 . 2010-05-08 09:29 472808 ---ha-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2009-01-21 21:07 73728 ---ha-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-10_09.37.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-14 12:58 . 2011-03-14 12:58 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
+ 2004-08-04 12:00 . 2009-03-21 14:18 986112 c:\windows\system32\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}]
2009-08-10 22:48 288056 ---ha-w- c:\program files\PriceGong\1.5.0\PriceGongIE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-21 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-21 86016]
"nwiz"="nwiz.exe" [2006-07-21 1519616]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 61952]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 202032]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"F5D8071"="c:\program files\Belkin\F5D8071v1\Belkinwcui.exe" [2007-04-19 1630208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-1-2 113664]
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2009-6-21 1462272]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Schwab\\SSPro\\SSPro.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/2/2006 4:21 AM 717296]
R1 cdfdrv;cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [1/19/2010 1:32 AM 31280]
R1 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [12/9/2010 6:19 AM 58488]
R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [12/9/2010 6:19 AM 200312]
R2 RadeHlprSvc;Citrix Streaming Helper Service;c:\program files\Citrix\Streaming Client\RadeHlprSvc.exe [12/21/2010 12:43 PM 120232]
R2 RadeSvc;Citrix Streaming Service;c:\program files\Citrix\Streaming Client\RadeSvc.exe [12/21/2010 12:43 PM 886176]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [9/18/2009 6:48 PM 9216]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 11:52 PM 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 12:46 PM 284016]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [12/20/2010 10:52 PM 112640]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [12/21/2010 7:06 PM 100480]
S3 pflt;Shrew Soft Miniport Filter;c:\windows\system32\DRIVERS\vfilter.sys --> c:\windows\system32\DRIVERS\vfilter.sys [?]
S3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys --> c:\windows\system32\DRIVERS\virtualnet.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 23:52]
.
2011-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 23:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: {F90E622F-061A-42CD-ACE1-550FAAC6913E} = 192.168.1.254
FF - ProfilePath -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 13:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'lsass.exe'(740)
c:\program files\Citrix\system32\radeaphook.dll
c:\program files\Citrix\system32\CtxSbxHook.DLL
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'explorer.exe'(3824)
c:\program files\Citrix\system32\radeaphook.dll
c:\program files\Citrix\system32\CtxSbxHook.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Citrix\System32\CdfSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-03-14 13:07:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-14 13:07
ComboFix2.txt 2011-03-10 09:43
.
Pre-Run: 16,706,154,496 bytes free
Post-Run: 16,691,257,344 bytes free
.
- - End Of File - - E468DBDF730576812B5C1252A3D44C01



Thanks ever so much,
Steve
  • 0
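As an added example (not code from this thread, from ComboFix or from Geeks to Go), here is a small Python triage script that reads a ComboFix log in the layout posted above and pulls out what a helper looks at first: the deletions, the disinfected system file with the clean copy it was restored from, and two Security Center/firewall values that appear in the 'Reg Loading Points' section. It assumes only the banner-and-dot layout visible in the posted log; the function names, regexes and the two posture checks are my own.

```python
"""Triage helper for a ComboFix log in the layout posted above.

Added example for this thread; it is not part of ComboFix and was not
posted by either participant. It assumes only the layout visible in the
posted log: sections headed by "((( Name )))" banners and "." spacer lines.
"""
import re

# Constructed excerpt that copies a few lines from the log posted above,
# keeping the exact line formats the parser has to handle.
SAMPLE_LOG = r"""ComboFix 11-03-15.02 - rcaiani 03/14/2011 12:47:32.2.2 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\rcaiani\Application Data\PriceGong
c:\documents and settings\rcaiani\Application Data\PriceGong\Data\mru.xml
.
Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 68856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (.+)$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def split_sections(text):
    """Group log lines under their banner heading; '.' spacer lines are dropped."""
    sections = {"header": []}
    current = "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip() and line.strip() != ".":
            sections[current].append(line)
    return sections


def deleted_paths(text):
    """Paths ComboFix lists under 'Other Deletions' (the disinfection notes excluded)."""
    lines = split_sections(text).get("Other Deletions", [])
    return [l for l in lines if not INFECTED_RE.match(l) and not RESTORED_RE.match(l)]


def disinfected_files(text):
    """Pairs of (infected system file, clean copy it was restored from)."""
    pairs = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = INFECTED_RE.match(line)
        if not m:
            continue
        restored = None
        if i + 1 < len(lines):
            r = RESTORED_RE.match(lines[i + 1])
            if r:
                restored = r.group(1)
        pairs.append((m.group(1), restored))
    return pairs


def registry_values(text):
    """{registry key: {value name: raw value}} from 'Reg Loading Points'."""
    values = {}
    key = None
    for line in split_sections(text).get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values.setdefault(key, {})
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:
                values[key][m.group(1)] = m.group(2).strip()
    return values


def weak_settings(text):
    """Two Windows XP posture values worth a second look, exactly as the log shows them."""
    findings = []
    for key, vals in registry_values(text).items():
        k = key.lower()
        if k.endswith(r"\security center") and vals.get("AntiVirusOverride") == "dword:00000001":
            findings.append("Security Center antivirus monitoring is overridden (AntiVirusOverride=1)")
        if k.endswith(r"firewallpolicy\standardprofile") and vals.get("EnableFirewall", "").startswith("0"):
            findings.append("Windows Firewall is disabled for the standard profile (EnableFirewall=0)")
    return findings


if __name__ == "__main__":
    for path, src in disinfected_files(SAMPLE_LOG):
        print("disinfected:", path, "<-", src)
    for p in deleted_paths(SAMPLE_LOG):
        print("deleted:", p)
    for f in weak_settings(SAMPLE_LOG):
        print("check:", f)
```

To run it against the real log, save the posted ComboFix.txt and pass its contents to the same functions in place of SAMPLE_LOG.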



#11
RKinner
    Malware Expert
  • 24,624 posts
  • MVP
Combofix found an infected system file and replaced it so hopefully that was the end of it. How is it running now?

I don't see an anti-virus so download Avast 6 and install the free version:

http://www.avast.com...ivirus-download

It will want you to register. They don't ask much so go ahead and do it.

When you install it they will ask if you want to run a boot-time scan. After an infection like you had this is a good idea tho it will take a long time to complete and you might need to check back with it once in a while.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application. Reboot.

Start, Run, sfc /scannow, OK

SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.

Start, Run, sigverif, OK

Press Start. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started).


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
   * System
4. Under 'Select type to list', select:
   * Error
   * Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
   Type 20 in the 1 to 20 box
   Then click the Run button.
   Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Ron
  • 0

#12
Ihatemalwaretoo
    Member
  • Topic Starter
  • 22 posts
Hi Ron,

Thanks ever so much for the continued support on this matter.

I installed and then ran a boot-time scan via Avast. This took a while, highlighted infected files and then gave 1-9 options, of which one was to delete, but when using the arrow keys to move up and select one it then proceeded to scan further, which again took a while and then automatically re-booted, so I am not sure whether it simply scanned and did not remove the infected items. Is there any way I can check whether infected files have been removed, or should I run the scan again and not select the arrow keys but simply the number to delete the infected files noted?

The below files have not been digitally signed:
nv4_disp.dll
nv4_mini.sys
cutepdf.ppd
mdigraph.dll
mdiui.dll
ps5ui.dll
pscript5.dll

After the scan had finished I selected the CLOSE.

Log:
Vino's Event Viewer v01c run on Windows XP in English
Report run at 3/14/2011 7:21:13 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks ever so much,
Steve
  • 0

#13
RKinner
    Malware Expert
  • 24,624 posts
  • MVP
If you right-click on the Avast ball in your systray and select Open Avast! User Interface, then click on Scan Computer, you will see a Scan Logs under Scan Computer. Click on Scan Logs and it should allow you to see the logs. Don't think you can copy them tho.

Ron
  • 0

#14
Ihatemalwaretoo
    Member
  • Topic Starter
  • 22 posts
Hi Ron,

Thanks, I can see the logs and you are right, I cannot cut and paste these to you. I could do a screen dump; however, I am not allowed to upload this using the attachment option here (pasted screen dump into .ppt).

I have 4 options against each, delete, repair, do nothing, move to chest - is there one option I should select against all?

Thanks
Steve
  • 0

#15
RKinner
    Malware Expert
  • 24,624 posts
  • MVP
You would have to convert the dump to a .jpg to attach it to a post.

It sort of depends on what file. If it's a system file then repair might be the first thing to try. (Google the name and see how many hits you get. 10,000+ and the odds are it is a Microsoft file.) Otherwise Move to Chest is usually a safe way to go. If it turns out you need the file then you can get it out of the chest. Of course, if the file is located in C:\Qoobox or a sub folder, or in a subfolder of OTL, then it has already been removed from play and you can go ahead and delete it.

Ron
  • 0





