
Win32:Confi[Wrm] & Win32:Rootkit-gen[Rtk]


This topic is locked

#16 ironvin (Topic Starter, Member, 15 posts)
Heh heh..
Did the ComboFix thing. I wasn't able to install the Recovery Console because the boot.ini file was corrupted or something. This PC has a lot of issues, ya know. :D I can probably do an online scan later tonight, and I'll be right back later.

Anyways, here's the log file after the scan.


ComboFix 11-04-19.02 - Nelvin 04/20/2011 9:55.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.512.276 [GMT 8:00]
Running from: c:\documents and settings\Nelvin\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\TheChatPhone Toolbar\tbHElper.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-20 to 2011-04-20 )))))))))))))))))))))))))))))))
.
.
2011-04-20 01:09 . 2011-04-20 01:09 -------- d-----w- c:\program files\ESET
2011-04-18 20:20 . 2009-10-22 05:54 37392 ----a-w- c:\windows\system32\drivers\54602662.sys
2011-04-18 20:20 . 2009-10-09 15:31 315408 ----a-w- c:\windows\system32\drivers\5460266.sys
2011-04-18 20:20 . 2009-09-25 09:59 128016 ----a-w- c:\windows\system32\drivers\54602661.sys
2011-04-18 08:55 . 2011-04-18 08:55 -------- d-----w- C:\_OTL
2011-04-17 20:17 . 2011-04-17 20:17 -------- d-----w- c:\program files\Frhed
2011-04-16 23:04 . 2002-08-05 02:46 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\ctor.dll
2011-04-16 23:04 . 2002-08-01 19:10 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\DotNetInstaller.exe
2011-04-16 23:04 . 2002-08-01 18:20 634880 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iKernel.dll
2011-04-16 23:04 . 2002-08-01 18:20 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iscript.dll
2011-04-16 23:04 . 2002-08-01 18:20 151552 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\iuser.dll
2011-04-16 23:04 . 2011-04-16 23:04 270468 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\Setup.dll
2011-04-16 23:04 . 2011-04-16 23:04 159876 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0700\Intel32\IGdi.dll
2011-04-11 06:57 . 2011-04-11 06:57 -------- d-----w- c:\documents and settings\Nelvin\Application Data\Unity
2011-04-11 05:32 . 2011-04-11 05:32 -------- d-----w- c:\documents and settings\Nelvin\Local Settings\Application Data\Unity
2011-04-08 07:11 . 2011-04-08 07:11 -------- d-----w- c:\documents and settings\Nelvin\Application Data\Malwarebytes
2011-04-08 07:11 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-08 07:11 . 2011-04-08 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-08 07:11 . 2011-04-08 07:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-08 07:11 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 13:55 . 2011-04-07 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2011-04-07 13:54 . 2011-04-07 13:54 -------- d-----w- c:\program files\TechSmith
2011-04-07 13:54 . 2011-04-07 13:54 -------- d-----w- c:\documents and settings\Nelvin\Local Settings\Application Data\TechSmith
2011-04-05 14:50 . 2006-10-18 18:05 232448 ----a-w- c:\windows\system32\mp3fhg.acm
2011-04-05 14:50 . 2011-03-19 19:00 151552 ----a-w- c:\windows\system32\ac3acm.acm
2011-04-05 14:50 . 2010-11-03 18:08 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2011-04-05 14:50 . 2011-03-24 19:28 631808 ----a-w- c:\windows\system32\xvidcore.dll
2011-04-05 14:50 . 2011-03-24 19:35 243200 ----a-w- c:\windows\system32\xvidvfw.dll
2011-04-05 14:50 . 2011-03-29 08:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2011-04-05 14:50 . 2011-04-05 14:53 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-04-02 02:57 . 2009-10-20 10:47 113280 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-04-02 02:57 . 2009-10-12 07:21 100736 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2011-04-02 02:57 . 2009-09-10 06:55 102528 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-04-02 02:57 . 2007-08-08 20:13 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-04-02 02:56 . 2011-04-02 02:58 -------- d-----w- c:\program files\Globe Broadband
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-02 10:43 . 2010-09-09 14:54 175616 ----a-w- c:\windows\system32\unrar.dll
2011-02-24 02:43 . 2010-08-16 02:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-24 02:43 . 2011-02-24 02:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-23 15:04 . 2000-12-31 17:14 40648 ----a-w- c:\windows\avastSS.scr
2011-02-23 15:04 . 2000-12-31 17:14 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-23 14:56 . 2011-03-08 11:32 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-02-23 14:56 . 2000-12-31 17:14 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2000-12-31 17:14 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2000-12-31 17:14 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2000-12-31 17:14 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2000-12-31 17:14 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2000-12-31 17:14 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2000-12-31 17:14 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-06 01:06 . 2004-07-17 09:36 12400 ----a-w- c:\windows\system32\drivers\secdrv.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77245F75-3D8C-40CD-8F64-F9AA1388406F}]
2010-11-12 08:06 2646528 ------w- c:\program files\TheChatPhone Toolbar\tbcore3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{01193D00-C7F9-4C26-92A2-1CA91F170068}"= "c:\program files\TheChatPhone Toolbar\tbcore3.dll" [2010-11-12 2646528]
.
[HKEY_CLASSES_ROOT\clsid\{01193d00-c7f9-4c26-92a2-1ca91f170068}]
[HKEY_CLASSES_ROOT\TBSB02381.TBSB02381.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB02381.TBSB02381]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{01193D00-C7F9-4C26-92A2-1CA91F170068}"= "c:\program files\TheChatPhone Toolbar\tbcore3.dll" [2010-11-12 2646528]
.
[HKEY_CLASSES_ROOT\clsid\{01193d00-c7f9-4c26-92a2-1ca91f170068}]
[HKEY_CLASSES_ROOT\TBSB02381.TBSB02381.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB02381.TBSB02381]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-04-05 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
.
c:\documents and settings\Nelvin\Start Menu\Programs\Startup\
setup_9.0.0.722_18.04.2011_10-51.lnk - c:\documents and settings\Nelvin\Desktop\Virus Removal Tool\setup_9.0.0.722_18.04.2011_10-51\startup.exe [2011-4-19 72208]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Nelvin^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Nelvin\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Nelvin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Nelvin\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 16:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 02:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-11-09 03:17 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 15:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-09-02 07:15 13351304 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-04-05 15:53 399736 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"gupdate"=2 (0x2)
"QueryExplorer Service"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 54602662;54602662 Boot Guard Driver;c:\windows\system32\drivers\54602662.sys [4/19/2011 4:20 AM 37392]
R1 54602661;54602661;c:\windows\system32\drivers\54602661.sys [4/19/2011 4:20 AM 128016]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/8/2011 7:32 PM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/1/2001 1:14 AM 301528]
R1 setup_9.0.0.722_18.04.2011_10-51drv;setup_9.0.0.722_18.04.2011_10-51drv;c:\windows\system32\drivers\5460266.sys [4/19/2011 4:20 AM 315408]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/1/2001 1:14 AM 19544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2001 1:14 AM 136176]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [4/2/2011 10:57 AM 100736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/8/2011 3:11 PM 38224]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [1/1/2001 8:29 AM 9344]
S3 uti4mjkw;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti4mjkw.sys --> c:\windows\system32\Drivers\uti4mjkw.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2000-12-31 17:14]
.
2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2000-12-31 17:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&invocationType=tb50-ie-aolTB50CL-ab-en-us&query=facebook
mStart Page = hxxp://search.thechatphone.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {1932A09B-0BAF-4E6B-81CF-647CC81A980B} = 202.78.117.7 210.4.2.61
FF - ProfilePath - c:\documents and settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aolTB50CL-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.thechatphone.com/
FF - prefs.js: keyword.URL - hxxp://search.thechatphone.com/?q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Smart Bookmarks Bar: [email protected] - %profile%\extensions\[email protected]
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: AOL Toolbar: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1} - %profile%\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
FF - Ext: TheChatPhone Toolbar: {16AEBD03-85CA-4E9D-9626-6A9CEAE9AB06} - %profile%\extensions\{16AEBD03-85CA-4E9D-9626-6A9CEAE9AB06}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
MSConfigStartUp-HBLiteSA - c:\program files\HBLite\bin\11.0.264.0\HBLiteSA.exe
AddRemove-RaidenII - d:\games\Raiden2\Loader.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-20 10:04
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-20 10:10:46
ComboFix-quarantined-files.txt 2011-04-20 02:10
.
Pre-Run: 2,670,166,016 bytes free
Post-Run: 2,653,532,160 bytes free
.
- - End Of File - - 88A656CE63D1B38A99E7B068C28ED4FB
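As an added triage example (not from the original thread and not part of ComboFix or OTL), here is a small Python parser for the "Files Created" section of a ComboFix log like the one above. It pulls each entry apart (creation time, original modification time, size, attribute flags, path) and lists kernel drivers (.sys files under a drivers directory) created on or after a chosen date, which is the first thing worth eyeballing on a machine with a suspected rootkit. The sample lines are copied from the log above; the three numerically named drivers it surfaces are, according to the OTL listing later in this thread, Kaspersky Lab drivers belonging to the Virus Removal Tool, so the output is a list to check against vendor signatures, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: "Files Created" entries copied from the ComboFix log in
# this thread, plus the section banner and the '.' separators a parser must skip.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-03-20 to 2011-04-20 )))))))))))))))))))))))))))))))
.
2011-04-20 01:09 . 2011-04-20 01:09 -------- d-----w- c:\program files\ESET
2011-04-18 20:20 . 2009-10-22 05:54 37392 ----a-w- c:\windows\system32\drivers\54602662.sys
2011-04-18 20:20 . 2009-10-09 15:31 315408 ----a-w- c:\windows\system32\drivers\5460266.sys
2011-04-18 20:20 . 2009-09-25 09:59 128016 ----a-w- c:\windows\system32\drivers\54602661.sys
2011-04-08 07:11 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-05 14:50 . 2011-03-24 19:28 631808 ----a-w- c:\windows\system32\xvidcore.dll
2011-04-02 02:57 . 2009-10-20 10:47 113280 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
.
"""

# One ComboFix file entry:  <created> . <modified> <size|--------> <attrs> <path>
# Directories carry "--------" in the size column and a leading 'd' in the attrs.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-zA-Z]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: datetime        # when the file appeared on this system
    modified: datetime       # the file's own last-write time (often older: copied installers)
    size: Optional[int]      # None for directories
    attrs: str               # e.g. "----a-w-" or "d-----w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_entries(text: str) -> List[Entry]:
    """Parse every file/dir entry in a ComboFix 'Files Created' or 'Find3M' block.
    Banners, '.' separators and anything else that is not an entry are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=size,
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def new_kernel_drivers(entries: List[Entry], since: str) -> List[Entry]:
    """Return .sys files under a 'drivers' directory created on or after `since`
    (YYYY-MM-DD), newest first. These are review candidates, not detections."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    hits = [
        e for e in entries
        if not e.is_dir
        and e.path.lower().endswith(".sys")
        and "\\drivers\\" in e.path.lower()
        and e.created >= cutoff
    ]
    # sorted() is stable, so drivers with the same creation time keep log order
    return sorted(hits, key=lambda e: e.created, reverse=True)


if __name__ == "__main__":
    for e in new_kernel_drivers(parse_entries(SAMPLE_LOG), "2011-04-10"):
        print(f"{e.created:%Y-%m-%d %H:%M}  {e.size:>8}  {e.path}")
```

The creation-versus-modification split is the useful part of this format: a driver whose creation time is days old but whose own timestamp is years old was copied from an installer, which is normal for a vendor tool and exactly what the OTL listing later confirms here. Run the function with the date of the first symptom, then check each surfaced path against the publisher shown in OTL's DRV lines before deciding anything.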
#17 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
=====================================

Some reminders:

µTorrent and LimeWire are peer-to-peer (P2P) programs. These applications can provide a medium for the entry of unverified data, which tends to corrupt your system - a great way to infect your computer. Those who participate in P2P file sharing both provide files for others to download by uploading them onto their computers. They also download the files of others who have uploaded music and videos onto their own computers. Many times, however, networks will make it so your own files can be uploaded by others.

You may consider that P2P downloads are one of the most common ways of getting infected. Malware writers use these programs to spread infections, as it is the easiest way for them. The majority of infections we see in the Malware Removal forum are due to people using P2P programs to download cracks/keygens/warez. These are not only illegal, but will always contain some form of malware.

You have no way of verifying that the things you download are legitimate or that they don't contain malware. Even with an up-to-date anti-virus and firewall, these things will still infect you. It is highly recommended that you uninstall all peer-to-peer programs. It just isn't worth it.

======================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.thechatphone.com
    IE - HKCU\..\URLSearchHook: {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files\TheChatPhone Toolbar\tbhelper.dll ()
    IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    FF - prefs.js..browser.startup.homepage: "http://search.thechatphone.com/"
    FF - prefs.js..keyword.URL: "http://search.thechatphone.com/?q="
    FF - prefs.js..extensions.enabledItems: {16AEBD03-85CA-4E9D-9626-6A9CEAE9AB06}:1.0.2
    [2011/01/13 20:14:55 | 000,000,000 | ---D | M] (TheChatPhone Toolbar) -- C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\extensions\{16AEBD03-85CA-4E9D-9626-6A9CEAE9AB06}
    [2011/01/14 07:18:16 | 000,000,655 | ---- | M] () -- C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\searchplugins\thechatphone-powered-by-google.xml
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (TBSB02381 Class) - {77245F75-3D8C-40CD-8F64-F9AA1388406F} - C:\Program Files\TheChatPhone Toolbar\tbcore3.dll ()
    O3 - HKLM\..\Toolbar: (TheChatPhone Toolbar) - {01193D00-C7F9-4C26-92A2-1CA91F170068} - C:\Program Files\TheChatPhone Toolbar\tbcore3.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (TheChatPhone Toolbar) - {01193D00-C7F9-4C26-92A2-1CA91F170068} - C:\Program Files\TheChatPhone Toolbar\tbcore3.dll ()
    DRV - [2009/10/09 23:31:10 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\5460266.sys -- (setup_9.0.0.722_18.04.2011_10-51drv)
    DRV - [2009/09/25 17:59:42 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\54602661.sys -- (54602661)
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


#18 ironvin (Topic Starter, Member, 15 posts)
Here's the log after reboot.

All processes killed
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{CA3EB689-8F09-4026-AA10-B9534C691CE0} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ not found.
File C:\Program Files\TheChatPhone Toolbar\tbhelper.dll not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Prefs.js: "http://search.thechatphone.com/" removed from browser.startup.homepage
Prefs.js: "http://search.thecha...tphone.com/?q=" removed from keyword.URL
Prefs.js: {16AEBD03-85CA-4E9D-9626-6A9CEAE9AB06}:1.0.2 removed from extensions.enabledItems
C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\extensions\{16AEBD03-85CA-4E9D-9626-6A9CEAE9AB06}\chrome\content\id_thechatphone folder moved successfully.
C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\extensions\{16AEBD03-85CA-4E9D-9626-6A9CEAE9AB06}\chrome\content folder moved successfully.
C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\extensions\{16AEBD03-85CA-4E9D-9626-6A9CEAE9AB06}\chrome folder moved successfully.
C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\extensions\{16AEBD03-85CA-4E9D-9626-6A9CEAE9AB06} folder moved successfully.
C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\searchplugins\thechatphone-powered-by-google.xml moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77245F75-3D8C-40CD-8F64-F9AA1388406F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77245F75-3D8C-40CD-8F64-F9AA1388406F}\ deleted successfully.
C:\Program Files\TheChatPhone Toolbar\tbcore3.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{01193D00-C7F9-4C26-92A2-1CA91F170068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01193D00-C7F9-4C26-92A2-1CA91F170068}\ deleted successfully.
File C:\Program Files\TheChatPhone Toolbar\tbcore3.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{01193D00-C7F9-4C26-92A2-1CA91F170068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01193D00-C7F9-4C26-92A2-1CA91F170068}\ not found.
File C:\Program Files\TheChatPhone Toolbar\tbcore3.dll not found.
Error: Unable to stop service setup_9.0.0.722_18.04.2011_10-51drv!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\setup_9.0.0.722_18.04.2011_10-51drv deleted successfully.
C:\WINDOWS\system32\drivers\5460266.sys moved successfully.
Error: Unable to stop service 54602661!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54602661 deleted successfully.
C:\WINDOWS\system32\drivers\54602661.sys moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========
C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Nelvin
->Temp folder emptied: 730 bytes
->Temporary Internet Files folder emptied: 82054 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 4325884 bytes
->Google Chrome cache emptied: 112300442 bytes
->Flash cache emptied: 3076 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 111.00 mb


[EMPTYFLASH]

User: All Users
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: Nelvin
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.22.3 log created on 04202011_211825

Files\Folders moved on Reboot...
File move failed. C:\windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Here's the log after the quick scan.

OTL logfile created on: 4/20/2011 9:32:44 PM - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Nelvin\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

512.00 Mb Total Physical Memory | 181.00 Mb Available Physical Memory | 35.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 18.65 Gb Total Space | 2.43 Gb Free Space | 13.00% Space Free | Partition Type: NTFS
Drive D: | 18.65 Gb Total Space | 4.89 Gb Free Space | 26.22% Space Free | Partition Type: NTFS

Computer Name: NELVINPC | User Name: Nelvin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/13 08:51:02 | 001,004,088 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Chrome\Application\chrome.exe
PRC - [2011/04/08 15:10:31 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nelvin\My Documents\Downloads\OTL.exe
PRC - [2011/04/05 23:53:47 | 000,399,736 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2011/02/23 23:04:20 | 003,451,496 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2011/02/23 23:04:19 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2007/04/16 15:28:22 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
PRC - [2007/03/06 10:35:02 | 000,198,168 | ---- | M] (InterVideo Inc.) -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
PRC - [2007/03/03 13:48:28 | 000,067,056 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2004/08/04 06:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/04/08 15:10:31 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nelvin\My Documents\Downloads\OTL.exe
MOD - [2011/02/23 23:04:17 | 000,197,208 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\snxhk.dll
MOD - [2004/08/04 06:57:02 | 001,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/02/23 23:04:19 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2008/11/10 04:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/03/06 10:35:02 | 000,198,168 | ---- | M] (InterVideo Inc.) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe -- (Capture Device Service)
SRV - [2007/03/03 13:48:28 | 000,067,056 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - [2011/02/23 22:56:55 | 000,371,544 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/02/23 22:56:45 | 000,301,528 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/02/23 22:55:49 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/02/23 22:55:47 | 000,102,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\windows\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/02/23 22:55:10 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/02/23 22:54:57 | 000,030,680 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/02/23 22:54:55 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/11/09 11:21:18 | 000,059,388 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\windows\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2009/10/22 13:54:18 | 000,037,392 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\54602662.sys -- (54602662)
DRV - [2009/10/12 15:21:54 | 000,100,736 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbdev.sys -- (hwusbdev)
DRV - [2009/09/10 14:55:52 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2008/09/24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/04 07:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/08/04 06:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2001/08/17 22:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 21:47:22 | 000,009,344 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NtApm.sys -- (NtApm)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKLM\..\URLSearchHook: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://slirsredirect...&query=facebook
IE - HKCU\..\URLSearchHook: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AOL Search"
FF - prefs.js..browser.search.defaulturl: "http://search.aol.co...romesbox-en-us"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
FF - prefs.js..extensions.enabledItems: [email protected]:1.4.3
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100908
FF - prefs.js..extensions.enabledItems: {7affbfae-c4e2-4915-8c0f-00fa3ec610a1}:5.74.1.4896
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: ""
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: [email protected]:1.0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/24 22:49:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/08 20:11:41 | 000,000,000 | ---D | M]

[2010/08/11 21:45:57 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Nelvin\Application Data\Mozilla\Extensions
[2011/04/20 21:18:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\extensions
[2010/09/17 00:10:12 | 000,000,000 | ---D | M] (AOL Toolbar) -- C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}
[2010/09/11 00:25:29 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/08/11 22:36:19 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/08/11 22:36:18 | 000,000,000 | ---D | M] (Smart Bookmarks Bar) -- C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\extensions\[email protected]
[2010/09/17 00:15:00 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\Nelvin\Application Data\Mozilla\Firefox\Profiles\63ezjnun.default\searchplugins\aol-search.xml
[2011/04/11 09:54:48 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/10/04 22:50:19 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2011/02/24 10:45:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
File not found (No name found) -- C:\DOCUMENTS AND SETTINGS\NELVIN\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\63EZJNUN.DEFAULT\EXTENSIONS\{16AEBD03-85CA-4E9D-9626-6A9CEAE9AB06}
[2011/02/24 10:43:48 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/02/24 10:43:45 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/04/20 21:21:07 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll (TechSmith Corporation)
O2 - BHO: (AOL Toolbar Loader) - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll (TechSmith Corporation)
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc)
O3 - HKCU\..\Toolbar\WebBrowser: (AOL Toolbar) - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\windows\System32\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\windows\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\windows\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SoundMan] C:\windows\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe (InterVideo Digital Technology Corporation)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - Startup: C:\Documents and Settings\Nelvin\Start Menu\Programs\Startup\setup_9.0.0.722_18.04.2011_10-51.lnk = C:\Documents and Settings\Nelvin\Desktop\Virus Removal Tool\setup_9.0.0.722_18.04.2011_10-51\startup.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Nelvin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Nelvin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/01/01 00:41:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/20 21:21:26 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/04/20 09:50:36 | 000,212,480 | ---- | C] (SteelWerX) -- C:\windows\SWXCACLS.exe
[2011/04/20 09:50:36 | 000,161,792 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2011/04/20 09:50:36 | 000,136,704 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2011/04/20 09:50:36 | 000,031,232 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2011/04/20 09:50:18 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
[2011/04/20 09:50:13 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/04/20 09:49:38 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/20 09:09:40 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/04/19 04:20:12 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\windows\System32\drivers\54602662.sys
[2011/04/19 04:20:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nelvin\Desktop\Virus Removal Tool
[2011/04/18 16:55:40 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/18 04:17:07 | 000,000,000 | ---D | C] -- C:\Program Files\Frhed
[2011/04/18 04:17:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nelvin\Start Menu\Programs\Frhed
[2011/04/17 07:33:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\KONAMI
[2011/04/11 14:57:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nelvin\Application Data\Unity
[2011/04/11 13:32:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nelvin\Local Settings\Application Data\Unity
[2011/04/08 15:11:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nelvin\Application Data\Malwarebytes
[2011/04/08 15:11:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/08 15:11:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2011/04/08 15:11:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/08 15:11:19 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2011/04/08 15:11:19 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/07 22:00:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nelvin\My Documents\Snagit
[2011/04/07 21:55:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Snagit 9
[2011/04/07 21:55:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2011/04/07 21:54:53 | 000,000,000 | ---D | C] -- C:\Program Files\TechSmith
[2011/04/07 21:54:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nelvin\Local Settings\Application Data\TechSmith
[2011/04/05 22:51:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\K-Lite Codec Pack
[2011/04/05 22:50:40 | 000,151,552 | ---- | C] (fccHandler) -- C:\windows\System32\ac3acm.acm
[2011/04/05 22:50:38 | 000,237,568 | ---- | C] (www.helixcommunity.org) -- C:\windows\System32\yv12vfw.dll
[2011/04/05 22:50:08 | 000,000,000 | ---D | C] -- C:\Program Files\K-Lite Codec Pack
[2011/04/02 10:57:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Globe Broadband
[2011/04/02 10:57:02 | 000,113,280 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\windows\System32\drivers\ewusbnet.sys
[2011/04/02 10:57:02 | 000,102,528 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\windows\System32\drivers\ewusbmdm.sys
[2011/04/02 10:57:02 | 000,100,736 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\windows\System32\drivers\ewusbdev.sys
[2011/04/02 10:57:02 | 000,024,448 | ---- | C] (Huawei Tech. Co., Ltd.) -- C:\windows\System32\drivers\ewdcsc.sys
[2011/04/02 10:56:14 | 000,000,000 | ---D | C] -- C:\Program Files\Globe Broadband
[2011/03/29 17:28:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nelvin\My Documents\NBA LIVE 2005

========== Files - Modified Within 30 Days ==========

[2011/04/20 21:25:50 | 000,186,097 | ---- | M] () -- C:\windows\System32\nvapps.xml
[2011/04/20 21:25:22 | 000,000,886 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/20 21:24:51 | 000,000,882 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/20 21:24:24 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2011/04/20 21:24:17 | 536,469,504 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/20 21:21:07 | 000,000,098 | ---- | M] () -- C:\windows\System32\drivers\etc\Hosts
[2011/04/20 08:26:12 | 000,000,284 | ---- | M] () -- C:\windows\tasks\AppleSoftwareUpdate.job
[2011/04/19 07:14:32 | 000,017,661 | ---- | M] () -- C:\Documents and Settings\Nelvin\Desktop\avptool_sysinfo.zip
[2011/04/19 04:23:24 | 000,002,225 | ---- | M] () -- C:\Documents and Settings\Nelvin\Start Menu\Programs\Startup\setup_9.0.0.722_18.04.2011_10-51.lnk
[2011/04/17 18:55:37 | 000,000,519 | ---- | M] () -- C:\Documents and Settings\Nelvin\Desktop\Shortcut to ePSXe.lnk
[2011/04/17 07:33:48 | 000,000,574 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\METAL GEAR SOLID2 SUBSTANCE.lnk
[2011/04/17 02:05:52 | 000,054,272 | -H-- | M] () -- C:\Documents and Settings\Nelvin\My Documents\photothumb.db
[2011/04/15 23:31:47 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/04/15 03:35:59 | 000,065,536 | ---- | M] () -- C:\Documents and Settings\Nelvin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/13 18:26:54 | 000,000,081 | ---- | M] () -- C:\windows\System32\asr_lkxlkt
[2011/04/08 16:05:34 | 000,436,831 | ---- | M] () -- C:\Documents and Settings\Nelvin\My Documents\2012.gif
[2011/04/08 15:11:26 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/07 22:07:45 | 015,741,952 | ---- | M] () -- C:\Documents and Settings\Nelvin\My Documents\tifa vs loz.avi
[2011/04/07 21:55:32 | 000,001,762 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Snagit 9 Editor.lnk
[2011/04/07 21:55:32 | 000,001,760 | ---- | M] () -- C:\Documents and Settings\Nelvin\Application Data\Microsoft\Internet Explorer\Quick Launch\Snagit 9.lnk
[2011/04/07 21:55:32 | 000,001,742 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Snagit 9.lnk
[2011/04/07 20:55:36 | 000,824,661 | ---- | M] () -- C:\Documents and Settings\Nelvin\My Documents\SAM_4997.JPG
[2011/04/07 20:55:26 | 000,809,515 | ---- | M] () -- C:\Documents and Settings\Nelvin\My Documents\SAM_4996.JPG
[2011/04/07 20:55:02 | 000,800,615 | ---- | M] () -- C:\Documents and Settings\Nelvin\My Documents\SAM_4995.JPG
[2011/04/07 20:54:54 | 000,785,204 | ---- | M] () -- C:\Documents and Settings\Nelvin\My Documents\SAM_4994.JPG
[2011/04/07 14:34:23 | 027,430,069 | ---- | M] () -- C:\Documents and Settings\Nelvin\My Documents\Marine Scout Snipers School - Surviving The Cut - S01E06 par.flv
[2011/04/02 10:57:48 | 000,000,766 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Globe Broadband.lnk
[2011/03/29 16:00:00 | 000,080,896 | ---- | M] () -- C:\windows\System32\ff_vfw.dll
[2011/03/29 16:00:00 | 000,000,038 | ---- | M] () -- C:\windows\avisplitter.ini
[2011/03/29 12:49:58 | 000,000,025 | ---- | M] () -- C:\windows\popcinfot.dat
[2011/03/25 03:35:18 | 000,243,200 | ---- | M] () -- C:\windows\System32\xvidvfw.dll
[2011/03/25 03:28:12 | 000,631,808 | ---- | M] () -- C:\windows\System32\xvidcore.dll

========== Files Created - No Company Name ==========

[2011/04/20 09:50:36 | 000,256,512 | ---- | C] () -- C:\windows\PEV.exe
[2011/04/20 09:50:36 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2011/04/20 09:50:36 | 000,089,088 | ---- | C] () -- C:\windows\MBR.exe
[2011/04/20 09:50:36 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2011/04/20 09:50:36 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2011/04/19 07:17:30 | 000,017,661 | ---- | C] () -- C:\Documents and Settings\Nelvin\Desktop\avptool_sysinfo.zip
[2011/04/19 04:23:24 | 000,002,225 | ---- | C] () -- C:\Documents and Settings\Nelvin\Start Menu\Programs\Startup\setup_9.0.0.722_18.04.2011_10-51.lnk
[2011/04/17 21:08:19 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Nelvin\Desktop\gmer.exe
[2011/04/17 18:55:37 | 000,000,519 | ---- | C] () -- C:\Documents and Settings\Nelvin\Desktop\Shortcut to ePSXe.lnk
[2011/04/17 07:33:48 | 000,000,574 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\METAL GEAR SOLID2 SUBSTANCE.lnk
[2011/04/13 18:26:54 | 000,000,081 | ---- | C] () -- C:\windows\System32\asr_lkxlkt
[2011/04/08 16:05:44 | 000,436,831 | ---- | C] () -- C:\Documents and Settings\Nelvin\My Documents\2012.gif
[2011/04/08 15:11:26 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/07 22:07:05 | 015,741,952 | ---- | C] () -- C:\Documents and Settings\Nelvin\My Documents\tifa vs loz.avi
[2011/04/07 21:55:32 | 000,001,762 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Snagit 9 Editor.lnk
[2011/04/07 21:55:32 | 000,001,760 | ---- | C] () -- C:\Documents and Settings\Nelvin\Application Data\Microsoft\Internet Explorer\Quick Launch\Snagit 9.lnk
[2011/04/07 21:55:32 | 000,001,742 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Snagit 9.lnk
[2011/04/07 20:55:36 | 000,824,661 | ---- | C] () -- C:\Documents and Settings\Nelvin\My Documents\SAM_4997.JPG
[2011/04/07 20:55:24 | 000,809,515 | ---- | C] () -- C:\Documents and Settings\Nelvin\My Documents\SAM_4996.JPG
[2011/04/07 20:55:02 | 000,800,615 | ---- | C] () -- C:\Documents and Settings\Nelvin\My Documents\SAM_4995.JPG
[2011/04/07 20:54:54 | 000,785,204 | ---- | C] () -- C:\Documents and Settings\Nelvin\My Documents\SAM_4994.JPG
[2011/04/07 14:28:17 | 027,430,069 | ---- | C] () -- C:\Documents and Settings\Nelvin\My Documents\Marine Scout Snipers School - Surviving The Cut - S01E06 par.flv
[2011/04/05 22:51:16 | 000,000,038 | ---- | C] () -- C:\windows\avisplitter.ini
[2011/04/05 22:50:36 | 000,631,808 | ---- | C] () -- C:\windows\System32\xvidcore.dll
[2011/04/05 22:50:35 | 000,243,200 | ---- | C] () -- C:\windows\System32\xvidvfw.dll
[2011/04/05 22:50:27 | 000,080,896 | ---- | C] () -- C:\windows\System32\ff_vfw.dll
[2011/04/02 10:57:48 | 000,000,766 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Globe Broadband.lnk
[2011/02/19 15:53:19 | 000,210,456 | ---- | C] () -- C:\windows\System32\IVIresizeW7.dll
[2011/02/19 15:53:19 | 000,206,360 | ---- | C] () -- C:\windows\System32\IVIresizeA6.dll
[2011/02/19 15:53:19 | 000,198,168 | ---- | C] () -- C:\windows\System32\IVIresizeP6.dll
[2011/02/19 15:53:19 | 000,198,168 | ---- | C] () -- C:\windows\System32\IVIresizeM6.dll
[2011/02/19 15:53:19 | 000,194,072 | ---- | C] () -- C:\windows\System32\IVIresizePX.dll
[2011/02/19 15:53:19 | 000,026,136 | ---- | C] () -- C:\windows\System32\IVIresize.dll
[2011/02/06 08:56:40 | 000,000,532 | ---- | C] () -- C:\windows\eReg.dat
[2011/01/17 18:55:30 | 000,000,004 | ---- | C] () -- C:\windows\msoffice.ini
[2010/10/04 22:53:34 | 000,000,056 | -H-- | C] () -- C:\windows\System32\ezsidmv.dat
[2010/09/09 22:54:15 | 000,175,616 | ---- | C] () -- C:\windows\System32\unrar.dll
[2010/08/21 19:25:21 | 000,000,025 | ---- | C] () -- C:\windows\popcinfot.dat
[2008/05/16 14:01:00 | 001,703,936 | ---- | C] () -- C:\windows\System32\nvwdmcpl.dll
[2008/05/16 14:01:00 | 001,630,208 | ---- | C] () -- C:\windows\System32\nwiz.exe
[2008/05/16 14:01:00 | 001,486,848 | ---- | C] () -- C:\windows\System32\nview.dll
[2008/05/16 14:01:00 | 001,339,392 | ---- | C] () -- C:\windows\System32\nvdspsch.exe
[2008/05/16 14:01:00 | 001,019,904 | ---- | C] () -- C:\windows\System32\nvwimg.dll
[2008/05/16 14:01:00 | 000,466,944 | ---- | C] () -- C:\windows\System32\nvshell.dll
[2008/05/16 14:01:00 | 000,442,368 | ---- | C] () -- C:\windows\System32\nvappbar.exe
[2008/05/16 14:01:00 | 000,425,984 | ---- | C] () -- C:\windows\System32\keystone.exe
[2008/05/16 14:01:00 | 000,286,720 | ---- | C] () -- C:\windows\System32\nvnt4cpl.dll
[2004/08/04 07:07:22 | 000,001,788 | ---- | C] () -- C:\windows\System32\Dcache.bin
[2004/08/02 20:20:40 | 000,004,569 | ---- | C] () -- C:\windows\System32\secupd.dat
[2001/08/23 20:00:00 | 013,107,200 | ---- | C] () -- C:\windows\System32\oembios.bin
[2001/08/23 20:00:00 | 000,673,088 | ---- | C] () -- C:\windows\System32\mlang.dat
[2001/08/23 20:00:00 | 000,311,604 | ---- | C] () -- C:\windows\System32\perfh009.dat
[2001/08/23 20:00:00 | 000,272,128 | ---- | C] () -- C:\windows\System32\perfi009.dat
[2001/08/23 20:00:00 | 000,218,003 | ---- | C] () -- C:\windows\System32\dssec.dat
[2001/08/23 20:00:00 | 000,046,258 | ---- | C] () -- C:\windows\System32\mib.bin
[2001/08/23 20:00:00 | 000,039,992 | ---- | C] () -- C:\windows\System32\perfc009.dat
[2001/08/23 20:00:00 | 000,028,626 | ---- | C] () -- C:\windows\System32\perfd009.dat
[2001/08/23 20:00:00 | 000,004,463 | ---- | C] () -- C:\windows\System32\oembios.dat
[2001/08/23 20:00:00 | 000,000,741 | ---- | C] () -- C:\windows\System32\noise.dat
[2001/01/01 08:25:18 | 000,004,161 | ---- | C] () -- C:\windows\ODBCINST.INI
[2001/01/01 08:22:17 | 000,322,728 | ---- | C] () -- C:\windows\System32\FNTCACHE.DAT
[2001/01/01 08:06:06 | 000,065,536 | ---- | C] () -- C:\Documents and Settings\Nelvin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2001/01/01 07:52:38 | 000,000,335 | ---- | C] () -- C:\windows\nsreg.dat
[2001/01/01 00:50:58 | 000,049,152 | ---- | C] () -- C:\windows\System32\ChCfg.exe
[2001/01/01 00:50:16 | 000,147,456 | ---- | C] () -- C:\windows\System32\RtlCPAPI.dll
[2001/01/01 00:45:34 | 000,002,048 | --S- | C] () -- C:\windows\bootstat.dat
[2001/01/01 00:37:09 | 000,021,640 | ---- | C] () -- C:\windows\System32\emptyregdb.dat

========== LOP Check ==========

[2011/03/15 01:43:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\2DBoy
[2001/01/01 01:14:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2011/02/19 15:53:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo
[2011/01/10 21:38:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2010/08/14 09:17:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2011/04/07 21:55:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2011/04/07 22:13:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/02/19 15:55:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2010/09/17 00:10:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/08/17 18:45:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YSFLIGHT.COM
[2010/08/17 09:36:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nelvin\Application Data\Gearbox Software
[2011/02/19 22:01:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nelvin\Application Data\Kalydo
[2010/10/12 17:47:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nelvin\Application Data\LimeWire
[2010/09/26 03:57:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nelvin\Application Data\PhotoScape
[2011/02/18 18:41:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nelvin\Application Data\Rovio
[2011/01/13 20:15:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nelvin\Application Data\Toolbar4
[2011/02/19 16:02:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nelvin\Application Data\Ulead Systems
[2011/04/11 14:57:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nelvin\Application Data\Unity
[2011/04/20 21:35:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nelvin\Application Data\uTorrent

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF

< End of report >

Edited by ironvin, 20 April 2011 - 07:45 AM.

  • 0

#19
Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Is your AV still flagging the files?
  • 0

#20
ironvin

    Member

  • Topic Starter
  • Member
  • 15 posts
Well, actually my AV detects these viruses randomly at times.
Yesterday I got a dozen warnings, the same virus, but this time I got a new one: it's win32:malware-gen.
Today, so far, no warnings yet.

I'll do that online scan later tonight...

What is the status of my PC according to the logs that I gave you?
Am I clean?
  • 0

#21
Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
I don't see a malicious file piggybacking on the svchosts, although that is not an indication that the machine is clean just yet until the full scan is complete. Don't miss the logs.
  • 0

#22
ironvin

    Member

  • Topic Starter
  • Member
  • 15 posts
Finished ESET Online scan.
No threats detected.
Here's my log:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=b41f44fe346018429475da8d01142ad1
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-20 01:44:03
# local_time=2011-04-20 09:44:03 (+0800, China Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=768 16777215 100 0 324979604 324979604 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=16894
# found=0
# cleaned=0
# scan_time=1407
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=b41f44fe346018429475da8d01142ad1
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-20 06:30:09
# local_time=2011-04-21 02:30:09 (+0800, China Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=768 16777215 100 0 325036224 325036224 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=67562
# found=0
# cleaned=0
# scan_time=5140

What do you think?

Edited by ironvin, 20 April 2011 - 12:35 PM.

  • 0

#23
ironvin

    Member

  • Topic Starter
  • Member
  • 15 posts
Sorry, double post. Lagged. :D

Edited by ironvin, 20 April 2011 - 12:35 PM.

  • 0

#24
Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Hi Ironvin,

Give the machine a day's run and see if anything comes back. :D
  • 0

#25
ironvin

    Member

  • Topic Starter
  • Member
  • 15 posts
Alright.
Thanks so much for your help!
Mabuhay ka! (Long live!) :D
  • 0

#26
ironvin

    Member

  • Topic Starter
  • Member
  • 15 posts
Hi, got a virus warning today..
It's in C:\WINDOWS\system32\hnm5.exe
The process is C:\windows\system32\svchost.exe
The virus name is win32:Malware-gen.
  • 0

#27
Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Download Dr.Web CureIt to the desktop.
  • Double-click the drweb-cureit.exe file, then click Start and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    [image]
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    [image]
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.
  • 0

#28
Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
