Geeks To Go

Found malware files in AppData\Local\Temp directories


This topic is locked

#1 JJJJJJJ
New Member, 1 posts
Hello forums,

(OTL at bottom)

I appear to have a Google redirect virus, as many others do; however, it does not appear to be solved. I have attempted to use rkill, but it only temporarily masked the effects. It is now useless, and it appears to be a result of files in AppData\Local\Temp\RarSFX0 (as well as RarSFX1-16), due to processes that run every time I run rkill. Also, multiple popups say 'installation failed' when I run rkill, which are InfDefaultInstall.exe processes.

AppData\Local\Temp is currently inaccessible, citing damaged/corrupted files, but each subfolder is accessible.

I've tried scans, including 'right-click' scans on the folders I've found, but none have found anything. TDSSKiller finds nothing.

Each RarSFX folder contains the same files. I have put them one per line, putting comments next to each one I can.

----START RarSFX16 file list------------------------


folder h:
explorer.exe and iexplore.exe both 2kb
folder nird:
iexplore.exe 31kb
folder procs:
explorer.exe, iexplore.com, and iexplore.exe all 250kb and proc.dat 11kb. explorer.exe and iexplore.exe have the 'admin shield' in the lower right corner.
proc.dat has a list of exe files which all appear to be virus removal and 'safely named' virus removal programs. (I'm assuming that another program in the folder kills all of these.)

Main folder:
extra.dat 1kb: contains only one line: -k * and -preg"\\(.{3,}(tssd|shdw|sysguard|sftav|onin|uqiw|lanw)|\d{3,}|.p|us.rinit|svch[^o]st|sv[^c]host|.|defender|winlogon32|smss32|restore|antispy(shield|)|antivirus plus.*|.*\.tmp)\.exe$|%temp:\=\\%\\.*|\\Locals~1\\temp\\.*|\\Local\\temp\\.*|\\Local Settings\\application data\\.*|.:\\System Volume Information\\.*|.:\\NetworkControl\\.*|(%CommonProgramFiles:\=\\%|%Userprofile:\=\\%|%Appdata:\=\\%|%AllUsersProfile::=\\%|%ProgramFiles:\=\\%|.:|\\.{6}~\d)\\[^\\]*$"

nircmd.chm 38kb: appears to be a legitimate help file for nircmd
nircmd.exe 31kb
nircmdc.exe 30kb
pev.exe 250kb: has 'admin shield'
prep.bat 1kb: creates a (presumably fake) rkill.log
proxycheck.exe 296kb

rkill.bat 5kb: kills various processes, runs others from folder, lots of 'WAIT' commands, which show that it does nothing useful. It uses the exact lines that the real rkill does to appear as if it worked.

rkill.reg 4kb: messes with various areas, including Windows NT image file execution options and other windows folders/Policies

s.inf: MOST WORRYING FILE: deletes registry entries for HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. This .inf deletes Image File Execution Options entries for iexplore, chrome, safari, avast, nircmd, cmd, find, Combofix, regedit, mbam, rundll32, taskmgr and others.

sed.exe 97kb
serv.dat 1kb: contains 16 (short) lines. Each line has one word, such as Follower, smmservice, ITgrdEngine, WDefend, noterminate etc.

sh.vbs 1kb: appears to mess with svchost and/or impersonate it
swreg.exe 158kb
userinit.exe 31kb
winlogon.exe 31kb
wl.txt 1kb: contains a list of .exe files with pathnames, all in the Windows folder, most in System32.

--------------END RarSFX16 file list-----------------

I can tell that these are malicious files. They edit the registry, run copies of MS programs, combat virus removal software, and mess with image file execution options.
I would like to know:

1. What is the extent of the effects of these files? What have they done to my system?
2. How do I remove/stop them?
3. What can I do to fix my registry?

Please advise.

Thanks,

John


EDIT:
OTL LOG:
OTL logfile created on: 7/14/2011 1:36:27 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Users\Jonathan\Downloads
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.49 Gb Total Physical Memory | 1.84 Gb Available Physical Memory | 52.73% Memory free
6.98 Gb Paging File | 4.82 Gb Available in Paging File | 69.12% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 291.43 Gb Total Space | 95.95 Gb Free Space | 32.93% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: JPC | User Name: Jonathan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/14 13:35:57 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Jonathan\Downloads\OTL.exe
PRC - [2011/07/06 20:15:12 | 000,399,536 | ---- | M] (Mozilla Messaging) -- C:\Program Files\Mozilla Thunderbird\thunderbird.exe
PRC - [2011/06/01 22:55:31 | 000,271,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011/05/25 17:29:48 | 001,336,712 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
PRC - [2011/04/14 14:01:38 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2011/04/14 14:01:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2011/04/14 14:01:38 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2011/04/05 11:50:44 | 001,195,408 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/02/25 22:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/17 22:33:29 | 000,031,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\prevhost.exe
PRC - [2010/12/11 07:39:56 | 001,282,048 | ---- | M] (Dexpot GbR) -- C:\Program Files\Dexpot\dexpot.exe
PRC - [2010/10/10 13:08:06 | 000,116,736 | ---- | M] () -- C:\Program Files\Rainmeter\Rainmeter.exe
PRC - [2010/06/28 21:57:58 | 004,247,040 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows NT\Accessories\wordpad.exe
PRC - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/03/10 08:33:36 | 000,147,392 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\Core\mchost.exe
PRC - [2009/07/13 18:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2007/09/11 01:45:04 | 000,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2007/09/02 13:58:52 | 000,495,616 | ---- | M] () -- C:\Program Files\RocketDock\RocketDock.exe


========== Modules (SafeList) ==========

MOD - [2011/07/14 13:35:57 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Users\Jonathan\Downloads\OTL.exe
MOD - [2010/08/20 22:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/07/14 09:06:51 | 000,411,432 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/05/25 17:29:48 | 001,336,712 | ---- | M] (LogMeIn Inc.) [Auto | Running] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2011/04/14 14:01:38 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2011/04/14 14:01:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/04/14 14:01:38 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 21:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/02/27 08:38:15 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/01/01 16:12:34 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/07/13 18:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 18:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/09/11 01:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)


========== Driver Services (SafeList) ==========

DRV - [2011/04/14 14:01:38 | 000,387,480 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/04/14 14:01:38 | 000,314,088 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/04/14 14:01:38 | 000,165,032 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2011/04/14 14:01:38 | 000,153,280 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/04/14 14:01:38 | 000,095,824 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/04/14 14:01:38 | 000,084,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/04/14 14:01:38 | 000,064,584 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2011/04/14 14:01:38 | 000,056,064 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2011/04/14 14:01:38 | 000,052,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/01/06 20:37:00 | 000,044,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (USB)
DRV - [2010/05/10 11:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/07/13 16:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 15:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel®
DRV - [2009/07/13 15:02:49 | 000,046,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2009/06/25 16:58:10 | 000,048,128 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2009/06/25 16:25:58 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2009/06/25 16:10:48 | 000,044,544 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2009/05/08 17:54:44 | 000,007,168 | ---- | M] (MPlayer <http://svn.mplayerhq.../dhahelperwin/>) [Kernel | System | Running] -- C:\Windows\System32\drivers\dhahelper.sys -- (DhaHelper)
DRV - [2009/03/18 17:35:40 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2007/10/10 18:03:00 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2007/06/02 14:59:42 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerGuardian2\pgfilter.sys -- (pgfilter)
DRV - [2007/03/05 11:45:04 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2004/02/04 10:27:56 | 000,049,536 | ---- | M] (Texas Instruments Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tiehdusb.sys -- (TIEHDUSB)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CD 0E 15 3D 32 8B CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {3975c680-be94-11dd-ad8b-0800200c9a66}:0.2.5
FF - prefs.js..extensions.enabledItems: [email protected]:0.1

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@clickteam.com/Vitalize!,version=4.0.0.0: C:\Windows\system32\Clickteam\Vitalize\v4\npcnc32.dll (Clickteam)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Jonathan\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Jonathan\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Jonathan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/03 08:13:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/29 06:51:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 5.0\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/07/06 20:15:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 5.0\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2011/06/29 06:51:23 | 000,000,000 | ---D | M]

[2011/03/12 21:16:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jonathan\AppData\Roaming\Mozilla\Extensions
[2010/01/02 11:58:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jonathan\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/06/04 14:12:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jonathan\AppData\Roaming\Mozilla\Firefox\Profiles\n4xxzs3k.default\extensions
[2011/03/12 21:17:07 | 000,000,000 | ---D | M] (SafeSearch Off) -- C:\Users\Jonathan\AppData\Roaming\Mozilla\Firefox\Profiles\n4xxzs3k.default\extensions\{3975c680-be94-11dd-ad8b-0800200c9a66}
[2011/06/03 07:57:06 | 000,000,000 | ---D | M] (Firesheep) -- C:\Users\Jonathan\AppData\Roaming\Mozilla\Firefox\Profiles\n4xxzs3k.default\extensions\[email protected]
[2011/06/21 19:51:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/21 19:51:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/04/14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2011/06/21 19:51:42 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2009/06/10 14:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110518173742.dll (McAfee, Inc.)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DELL Webcam Manager] C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKCU..\Run: [Dexpot] C:\Program Files\Dexpot\dexpot.exe (Dexpot GbR)
O4 - HKCU..\Run: [DW6] File not found
O4 - HKCU..\Run: [JP595IR86O] File not found
O4 - HKCU..\Run: [NtWqIVLZEWZU] File not found
O4 - HKCU..\Run: [RocketDock] C:\Program Files\RocketDock\RocketDock.exe ()
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKCU..\Run: [winupdater] File not found
O4 - HKCU..\Run: [ZapIcones] File not found
O4 - Startup: C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Impulse Now.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe (Stardock Corporation)
O4 - Startup: C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrayBlank - Shortcut.lnk = C:\Users\Jonathan\My Documents\Downloads\TrayBlank\TrayBlank.exe (Goat 1000)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} http://www.clickteam...e4/vitalize.cab (Vitalize Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.94.156.1 68.94.157.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk /m \??\C:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/14 10:32:55 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/07/14 10:32:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011/07/14 10:32:36 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/07/14 03:20:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2011/07/11 16:58:52 | 001,436,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Jonathan\Desktop\TDSSKiller.exe
[2011/07/06 21:06:52 | 000,000,000 | ---D | C] -- C:\Users\Jonathan\Desktop\New folder
[2011/07/06 14:56:57 | 000,000,000 | ---D | C] -- C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Advanced RAR Password Recovery
[2011/07/06 14:56:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced RAR Password Recovery
[2011/07/06 14:56:56 | 000,000,000 | ---D | C] -- C:\Program Files\ElcomSoft
[2011/07/06 14:43:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RAR Password Cracker
[2011/07/05 20:52:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Swiff Player
[2011/07/05 20:52:03 | 000,000,000 | ---D | C] -- C:\Program Files\GlobFX
[2011/06/29 20:47:43 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2011/06/24 17:03:08 | 000,000,000 | ---D | C] -- C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Half-Life
[2011/06/24 16:54:02 | 000,000,000 | ---D | C] -- C:\Games
[2011/06/22 20:55:56 | 000,000,000 | ---D | C] -- C:\Users\Jonathan\workspace
[2011/06/21 20:03:38 | 000,000,000 | ---D | C] -- C:\jdk1.6.0_26
[2011/06/21 19:59:55 | 000,000,000 | ---D | C] -- C:\Users\Jonathan\Desktop\javas
[2011/06/21 19:53:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/06/21 19:52:06 | 000,000,000 | ---D | C] -- C:\Program Files\Sun
[2011/06/15 08:21:03 | 000,000,000 | ---D | C] -- C:\Users\Jonathan\Documents\My Digital Editions
[2011/06/15 08:19:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe
[2011/04/02 10:25:15 | 000,832,350 | ---- | C] ( ) -- C:\Windows\System32\msvfd2.exe
[2 C:\Users\Jonathan\Desktop\*.tmp files -> C:\Users\Jonathan\Desktop\*.tmp -> ]
[1 C:\Users\Jonathan\Documents\*.tmp files -> C:\Users\Jonathan\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/14 13:00:00 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-533166117-1440106126-1257509153-1001UA.job
[2011/07/14 12:59:26 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/14 10:33:02 | 000,013,440 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/07/14 10:33:02 | 000,013,440 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/07/14 10:32:37 | 000,000,854 | ---- | M] () -- C:\Users\Jonathan\Desktop\NTREGOPT.lnk
[2011/07/14 10:32:37 | 000,000,835 | ---- | M] () -- C:\Users\Jonathan\Desktop\ERUNT.lnk
[2011/07/14 10:16:32 | 000,048,904 | ---- | M] () -- C:\Users\Jonathan\Desktop\autoruns.chm
[2011/07/14 10:16:26 | 000,731,000 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Jonathan\Desktop\autoruns.exe
[2011/07/14 10:16:26 | 000,595,320 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Jonathan\Desktop\autorunsc.exe
[2011/07/14 09:14:20 | 001,436,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Jonathan\Desktop\TDSSKiller.exe
[2011/07/14 09:01:58 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/14 09:00:00 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-533166117-1440106126-1257509153-1001Core.job
[2011/07/14 03:17:52 | 000,000,316 | -HS- | M] () -- C:\Windows\tasks\FFUO.job
[2011/07/14 03:17:39 | 000,366,480 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/07/14 03:17:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/07/14 03:16:55 | 2810,740,736 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/13 08:40:25 | 000,619,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/07/13 08:40:25 | 000,105,646 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/07/12 20:29:20 | 001,641,888 | ---- | M] () -- C:\Users\Jonathan\Desktop\minecraft (2).jar
[2011/07/10 17:30:49 | 001,594,716 | ---- | M] () -- C:\Users\Jonathan\Desktop\minecraft.jar
[2011/07/10 17:23:43 | 001,573,351 | ---- | M] () -- C:\Users\Jonathan\Desktop\aaaaaaa.jar
[2011/07/06 20:57:14 | 000,002,056 | ---- | M] () -- C:\Users\Jonathan\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
[2011/07/06 16:11:03 | 000,000,947 | ---- | M] () -- C:\Windows\ARPR.INI
[2011/07/06 16:08:09 | 000,000,496 | ---- | M] () -- C:\Users\Jonathan\Desktop\~arpr.arr
[2011/07/05 09:44:19 | 000,042,251 | ---- | M] () -- C:\Users\Jonathan\Desktop\javaapp.jar
[2011/07/05 09:42:50 | 000,003,096 | ---- | M] () -- C:\Users\Jonathan\Desktop\test.html
[2011/06/25 21:18:01 | 002,001,625 | ---- | M] () -- C:\Users\Jonathan\Desktop\skategame.gif
[2011/06/25 10:09:26 | 000,001,543 | ---- | M] () -- C:\Users\Jonathan\Desktop\Half-Life.lnk
[2011/06/25 09:22:25 | 000,089,088 | ---- | M] () -- C:\Users\Jonathan\Desktop\mbr.exe
[2011/06/25 08:30:16 | 000,302,592 | ---- | M] () -- C:\Users\Jonathan\Desktop\fdg7jz1x.exe
[2011/06/24 17:03:08 | 000,001,591 | ---- | M] () -- C:\Users\Jonathan\Desktop\Opposing Force.lnk
[2011/06/24 17:03:08 | 000,001,587 | ---- | M] () -- C:\Users\Jonathan\Desktop\Blue Shift.lnk
[2011/06/24 17:03:08 | 000,001,583 | ---- | M] () -- C:\Users\Jonathan\Desktop\Decay.lnk
[2011/06/19 19:03:30 | 451,568,455 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2 C:\Users\Jonathan\Desktop\*.tmp files -> C:\Users\Jonathan\Desktop\*.tmp -> ]
[1 C:\Users\Jonathan\Documents\*.tmp files -> C:\Users\Jonathan\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/14 10:32:37 | 000,000,854 | ---- | C] () -- C:\Users\Jonathan\Desktop\NTREGOPT.lnk
[2011/07/14 10:32:37 | 000,000,835 | ---- | C] () -- C:\Users\Jonathan\Desktop\ERUNT.lnk
[2011/07/13 08:25:09 | 001,641,888 | ---- | C] () -- C:\Users\Jonathan\Desktop\minecraft (2).jar
[2011/07/10 22:30:23 | 001,594,716 | ---- | C] () -- C:\Users\Jonathan\Desktop\minecraft.jar
[2011/07/10 17:24:58 | 001,573,351 | ---- | C] () -- C:\Users\Jonathan\Desktop\aaaaaaa.jar
[2011/07/06 20:15:25 | 000,002,004 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
[2011/07/06 15:04:10 | 000,000,496 | ---- | C] () -- C:\Users\Jonathan\Desktop\~arpr.arr
[2011/07/06 14:57:00 | 000,000,947 | ---- | C] () -- C:\Windows\ARPR.INI
[2011/07/05 09:48:19 | 000,016,355 | ---- | C] () -- C:\Users\Jonathan\Desktop\OmegleSpyPanel.java
[2011/07/05 09:45:04 | 000,004,290 | ---- | C] () -- C:\Users\Jonathan\Desktop\Common.java
[2011/07/05 09:42:48 | 000,003,096 | ---- | C] () -- C:\Users\Jonathan\Desktop\test.html
[2011/06/25 21:18:01 | 002,001,625 | ---- | C] () -- C:\Users\Jonathan\Desktop\skategame.gif
[2011/06/25 09:22:28 | 000,089,088 | ---- | C] () -- C:\Users\Jonathan\Desktop\mbr.exe
[2011/06/25 08:30:19 | 000,302,592 | ---- | C] () -- C:\Users\Jonathan\Desktop\fdg7jz1x.exe
[2011/06/24 17:03:08 | 000,001,591 | ---- | C] () -- C:\Users\Jonathan\Desktop\Opposing Force.lnk
[2011/06/24 17:03:08 | 000,001,587 | ---- | C] () -- C:\Users\Jonathan\Desktop\Blue Shift.lnk
[2011/06/24 17:03:08 | 000,001,583 | ---- | C] () -- C:\Users\Jonathan\Desktop\Decay.lnk
[2011/06/24 17:03:08 | 000,001,543 | ---- | C] () -- C:\Users\Jonathan\Desktop\Half-Life.lnk
[2011/06/15 08:19:10 | 000,002,096 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Digital Editions.lnk
[2011/02/27 12:15:33 | 000,000,000 | ---- | C] () -- C:\Users\Jonathan\AppData\Roaming\FileOut.cns
[2011/02/27 12:15:33 | 000,000,000 | ---- | C] () -- C:\Users\Jonathan\AppData\Roaming\FileIn.cns
[2011/01/18 11:13:16 | 000,000,128 | ---- | C] () -- C:\Users\Jonathan\AppData\Roaming\e5f3722a.dat
[2010/12/11 21:15:50 | 000,129,536 | RHS- | C] () -- C:\Windows\System32\weruiy.dll
[2010/11/30 18:17:39 | 000,001,890 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/11/30 18:17:39 | 000,000,088 | RHS- | C] () -- C:\ProgramData\B10645DD0E.sys
[2010/11/04 19:52:16 | 000,082,432 | ---- | C] () -- C:\Windows\System32\ewdll32.dll
[2010/11/04 19:52:16 | 000,077,824 | ---- | C] () -- C:\Windows\System32\helpmsg32.dll
[2010/11/04 19:52:16 | 000,045,056 | ---- | C] () -- C:\Windows\System32\avi_util32.dll
[2010/11/04 19:52:15 | 000,000,375 | ---- | C] () -- C:\Windows\dst_suns.ini
[2010/11/04 19:47:57 | 000,000,275 | ---- | C] () -- C:\Windows\TheMatrix.ini
[2010/05/21 17:00:48 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/04/06 16:34:03 | 000,028,437 | ---- | C] () -- C:\Users\Jonathan\AppData\Roaming\UserTile.png
[2010/01/10 18:00:10 | 000,007,646 | ---- | C] () -- C:\Users\Jonathan\AppData\Local\Resmon.ResmonCfg
[2010/01/02 11:36:02 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2010/01/01 16:08:16 | 000,000,209 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2010/01/01 15:51:16 | 000,015,360 | ---- | C] () -- C:\Users\Jonathan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/01 15:46:12 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2010/01/01 15:17:26 | 000,000,076 | RHS- | C] () -- C:\Windows\CT4CET.bin
[2009/09/11 17:58:52 | 002,050,952 | ---- | C] () -- C:\Windows\System32\igkrng400.bin
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/13 21:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 21:33:53 | 000,366,480 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 19:05:48 | 000,619,502 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 19:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 19:05:48 | 000,105,646 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 19:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 19:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 19:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 16:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 16:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/13 16:15:05 | 000,668,160 | ---- | C] () -- C:\Windows\System32\autochk.exe
[2009/06/10 14:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2005/02/05 12:46:00 | 000,004,608 | ---- | C] () -- C:\Windows\fgexec.dll

========== LOP Check ==========

[2011/07/14 13:32:07 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\.minecraft
[2010/03/29 15:46:15 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\App Launcher Gadget
[2011/06/04 14:11:14 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\Barnes & Noble
[2011/06/07 21:02:10 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\bsnes
[2010/04/05 19:03:46 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\Clickteam
[2010/07/10 10:14:23 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/10/22 18:21:15 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\DarkWave Studio
[2011/07/14 03:15:45 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\Dexpot
[2010/02/17 09:56:58 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\GetRightToGo
[2010/11/04 19:45:24 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\Laconic Software
[2010/07/14 08:09:28 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\Leawo
[2010/11/15 07:02:38 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\Notepad++
[2010/04/18 10:45:45 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\OverDrive
[2011/01/15 09:44:33 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\Rainmeter
[2011/05/09 21:45:09 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\RenPy
[2011/05/04 17:24:51 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\Rovio
[2010/04/11 07:10:15 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\SPORE
[2011/05/19 21:49:32 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\Stardock
[2011/04/02 11:42:14 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\SynthMaker
[2010/12/07 23:31:59 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\System
[2011/01/02 17:47:44 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\TeamViewer
[2010/01/02 11:58:15 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\Thunderbird
[2010/03/24 19:52:07 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\tmp
[2011/01/30 21:39:45 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\treasurechest
[2010/12/28 11:16:22 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\Unity
[2011/07/06 14:56:22 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\uTorrent
[2011/04/02 07:55:49 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\VBA-M
[2011/05/23 05:46:02 | 000,000,000 | RHSD | M] -- C:\Users\Jonathan\AppData\Roaming\Windupdt
[2011/02/22 17:52:25 | 000,000,000 | -HSD | M] -- C:\Users\Jonathan\AppData\Roaming\wyUpdate AU
[2011/04/29 16:15:27 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\XnView
[2010/08/27 19:49:43 | 000,000,000 | ---D | M] -- C:\Users\Jonathan\AppData\Roaming\ZapWallPaper
[2011/07/14 03:17:52 | 000,000,316 | -HS- | M] () -- C:\Windows\Tasks\FFUO.job
[2011/07/10 14:17:40 | 000,032,622 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

Edited by JJJJJJJ, 14 July 2011 - 02:44 PM.

#2
patndoris
    Trusted Helper
  • Malware Removal
  • 228 posts
Hello and :)

My name is patndoris. I will be glad to take a look at your log and help you with solving any malware problems. It will be very helpful if you follow these guidelines:
  • Malware logs are often lengthy and can take a lot of time to research and interpret. Please be patient while I review your logs.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Please follow my instructions carefully and in the order they are posted. You may also find it helpful to print out the instructions you receive.
  • Please do not run any scans or install/uninstall any applications or delete anything without being directed to do so.
  • Remember, absence of symptoms does not mean the infection is all gone. Please stick with me till you're given the "all clear".
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • Please reply within 3 days. If I do not hear back from you in that time frame, I will post a reminder for you. Topics with no reply in 4 days are closed!
RKill does NOT remove malware from your system. It simply disables it temporarily so that you can run other cleaning tools. If you run RKill and reboot your system without removing the malware, the malware is still running on your system.

Can you please post the results of TDSSKiller since you have already run it? It would be helpful for me to see the full report.
Scan With RootKitUnHooker

  • Please choose one link and download Rootkit Unhooker and save it to your desktop.

    Link 1
    Link 2
    Link 3
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers and Stealth
  • Uncheck the rest, then click OK.
  • When prompted to Select Disks for Scan, make sure C:/ is checked and click OK
  • Wait till the scanner has finished and then click File > Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

Note: you may get the following warning; just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

#3
patndoris
    Trusted Helper
  • Malware Removal
  • 228 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.