Explorer.exe application error 0xc000005


This topic is locked

#1 Irishka (Member, 11 posts)

Hi, I'm experiencing the same problem as described in this topic: http://www.geekstogo...00005-resolved/, i.e. I got the above error (explorer application error 0xc000005) right after logging in. It came up twice and then I got nothing, no desktop icons, no toolbar at the bottom, and the Windows button didn't work. The only thing I could do was access some programs through the Task Manager.

This happened after I installed FlashGet3 from flashget.com, then found out it was in Chinese and it added a few lines in Chinese to the right-click context menu, which was quite annoying. When trying to uninstall it through the "Add/remove program" tool I got advice from avast! to run the removal process in the sandbox. But for some reason it wouldn't remove it properly in sandbox mode, so I ran the removal process again in regular mode. This didn't help to remove the Chinese lines from the right-click menu though, so then I downloaded and installed some other software (sorry, not able to check the name of it as I have no access to the desktop) supposed to help me edit it, but it didn't really work. And then the above-described error 0xc000005 came.

OTL log attached below. Let me know if you need any additional logs or other data. Thanks for any help!

P.S. I've noticed from other threads that you often need an OTL log after scanning under All Users, so I attached it below, too, just in case.

Edited by Irishka, 11 September 2011 - 09:46 AM.

#2 Render (Trusted Helper, Malware Removal, 4,195 posts)

Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

Are you able to boot into normal mode?

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.
  • When asked if you want to download Avast's virus definitions please select No.
  • Click the Scan button to start the scan.
  • On completion of the scan click Save log, save it to your desktop and post it in your next reply.


#3 Irishka (Topic Starter, Member, 11 posts)

Render, thanks for your quick reply!

Yes, I'm able to boot into normal mode, though it doesn't make any big change, the same error pops up, no desktop etc.

aswMBR log attached as you asked.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-11 20:03:36
-----------------------------
20:03:36.468 OS Version: Windows 5.1.2600 Service Pack 3
20:03:36.468 Number of processors: 2 586 0x1C02
20:03:36.468 ComputerName: HPLAPTOP UserName: Irina
20:03:38.125 Initialize success
20:03:39.187 AVAST engine defs: 11090401
20:04:17.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:04:17.781 Disk 0 Vendor: SAMSUNG_HS082HB NL100-04 Size: 76319MB BusType: 3
20:04:19.812 Disk 0 MBR read successfully
20:04:19.812 Disk 0 MBR scan
20:04:19.812 Disk 0 unknown MBR code
20:04:19.828 Disk 0 scanning sectors +156280320
20:04:20.046 Disk 0 scanning C:\WINDOWS\system32\drivers
20:04:27.640 Service scanning
20:04:28.875 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
20:04:29.593 Modules scanning
20:04:37.921 Disk 0 trace - called modules:
20:04:37.937 ntkrnlpa.exe CLASSPNP.SYS disk.sys SahdIa32.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x86b817ac]<<
20:04:37.937 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b25ab8]
20:04:37.953 3 CLASSPNP.SYS[f7628fd7] -> nt!IofCallDriver -> [0x86bcabb0]
20:04:37.953 5 SahdIa32.sys[f7649939] -> nt!IofCallDriver -> \Device\0000006e[0x86b16f18]
20:04:37.953 7 ACPI.sys[f73b0620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86bcc940]
20:04:38.375 AVAST engine scan C:\WINDOWS
20:04:50.453 AVAST engine scan C:\WINDOWS\system32
20:06:32.031 AVAST engine scan C:\WINDOWS\system32\drivers
20:06:44.265 AVAST engine scan C:\Documents and Settings\Irina
20:32:41.984 AVAST engine scan C:\Documents and Settings\All Users
20:34:31.359 Scan finished successfully
21:50:55.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Irina\My Documents\MBR.dat"
21:50:55.828 The log file has been saved successfully to "C:\Documents and Settings\Irina\My Documents\aswMBR.txt"
21:51:26.156 Disk 0 MBR has been saved successfully to "D:\MBR.dat"
21:51:26.171 The log file has been saved successfully to "D:\aswMBR.txt"


#4 Render (Trusted Helper, Malware Removal, 4,195 posts)

Hi,

So you are using some other working computer to download our tools and running them using Task Manager's New Task... option?

Please follow these steps all in normal mode:

Step 1

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

Step 2

OTL Custom Scan

  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scans/Fixes box copy and paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Click the scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open OTL.Txt in a Notepad window.
  • Please copy (Edit->Select All, Edit->Copy) the content of this file and post it with your next reply.

When you have completed the above, please post back the following in the order asked for:
  • RK report
  • OTL scan log


#5 Irishka (Topic Starter, Member, 11 posts)

Render wrote: "So you are using some working computer to download our tools and running them using Task Manager with New Task... option?"

Exactly, at least I didn't find a better way.

RKreport[1]

RogueKiller V5.3.4 [08/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Irina [Admin rights]
Mode: Scan -- Date : 09/11/2011 22:33:02

Bad processes: 0

Registry Entries: 4
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (111.1.32.18:80) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt


OTL

OTL logfile created on: 11.09.2011 22:39:42 - Run 1
OTL by OldTimer - Version 3.2.27.0 Folder = D:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000419 | Country: Russia | Language: RUS | Date Format: dd.MM.yyyy

1015,23 Mb Total Physical Memory | 713,25 Mb Available Physical Memory | 70,26% Memory free
2,38 Gb Paging File | 2,19 Gb Available in Paging File | 91,95% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,52 Gb Total Space | 33,69 Gb Free Space | 45,21% Space Free | Partition Type: NTFS
Drive D: | 3,72 Gb Total Space | 1,45 Gb Free Space | 39,01% Space Free | Partition Type: FAT32
Drive F: | 1,92 Gb Total Space | 0,93 Gb Free Space | 48,62% Space Free | Partition Type: FAT

Computer Name: HPLAPTOP | User Name: Irina | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011.09.11 18:17:22 | 000,581,120 | ---- | M] (OldTimer Tools) -- D:\OTL.exe
PRC - [2011.07.04 13:43:51 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008.12.12 00:46:22 | 000,125,424 | ---- | M] () -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
PRC - [2008.09.11 13:00:10 | 000,237,650 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\WDM\stacsv.exe
PRC - [2005.04.02 03:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe


========== Modules (No Company Name) ==========

MOD - [2011.09.04 18:47:40 | 001,384,960 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\11090401\algo.dll
MOD - [2011.09.03 10:46:00 | 000,208,544 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\11090401\aswRep.dll
MOD - [2008.12.12 00:46:22 | 000,125,424 | ---- | M] () -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
MOD - [2001.10.28 14:42:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\pdfcmnnt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011.07.04 13:43:51 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010.08.17 19:11:10 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008.12.12 00:46:22 | 000,125,424 | ---- | M] () [Auto | Running] -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe -- (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269)
SRV - [2008.09.11 13:00:10 | 000,237,650 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
SRV - [2005.04.02 03:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe -- (StarWindService)


========== Driver Services (SafeList) ==========

DRV - [2011.07.04 13:36:43 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011.07.04 13:36:32 | 000,309,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011.07.04 13:35:23 | 000,043,608 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011.07.04 13:35:12 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011.07.04 13:32:32 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011.07.04 13:32:13 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011.07.04 13:32:12 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010.09.06 10:03:47 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pssdk42.sys -- (PSSDK42)
DRV - [2010.09.06 10:03:44 | 000,053,312 | ---- | M] (microOLAP Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pssdklbf.sys -- (PSSDKLBF)
DRV - [2009.09.14 15:54:54 | 000,639,224 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009.02.10 08:37:29 | 001,294,200 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008.12.11 03:00:00 | 000,025,584 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SaibVd32.sys -- (SaibVd32)
DRV - [2008.12.11 03:00:00 | 000,021,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\SahdIa32.sys -- (SahdIa32)
DRV - [2008.12.11 03:00:00 | 000,015,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\SaibIa32.sys -- (SaibIa32)
DRV - [2008.12.03 04:57:32 | 000,112,128 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2008.09.25 00:09:40 | 000,103,792 | ---- | M] (Sonic Solutions) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\syscow32x.sys -- (SysCow)
DRV - [2008.09.11 13:00:10 | 001,390,323 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2008.08.20 00:16:00 | 000,991,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008.08.20 00:16:00 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008.07.24 19:37:00 | 000,156,816 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2008.06.27 12:02:00 | 000,289,024 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008.05.30 13:46:00 | 000,534,568 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2008.03.10 20:18:00 | 000,057,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2008.02.04 19:57:00 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-942709197-2532909501-4163392431-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cnnb
IE - HKU\S-1-5-21-942709197-2532909501-4163392431-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-942709197-2532909501-4163392431-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-942709197-2532909501-4163392431-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-942709197-2532909501-4163392431-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 111.1.32.18:80

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.fr/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.19
FF - prefs.js..extensions.enabledItems: [email protected]:3.9.2
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:0.4.4
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.1
FF - prefs.js..extensions.enabledItems: {DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}:1.1
FF - prefs.js..network.proxy.ftp: "127.0.0.1"
FF - prefs.js..network.proxy.ftp_port: 8118
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8118
FF - prefs.js..network.proxy.ssl: "127.0.0.1"
FF - prefs.js..network.proxy.ssl_port: 8118
FF - prefs.js..network.proxy.type: 4

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.09.04 16:32:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.09.04 16:32:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

[2010.01.03 23:40:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Extensions
[2011.09.04 16:36:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions
[2010.09.17 15:25:44 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011.09.04 16:35:41 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011.09.02 22:29:54 | 000,000,000 | ---D | M] (flashget3 Extension) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions\{DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}
[2011.09.04 16:35:47 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions\[email protected]
[2011.09.04 16:36:04 | 000,000,000 | ---D | M] (Dictionnaire français «Classique & Réforme 1990») -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions\[email protected]
[2010.09.17 15:25:43 | 000,000,000 | ---D | M] (Russian spellchecking dictionary) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions\[email protected]
[2010.09.09 11:00:36 | 000,001,632 | ---- | M] () -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\searchplugins\weathercom.xml
[2011.09.04 16:32:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\IRINA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\BHBZ2HNR.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2010.01.04 17:42:53 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011.08.31 01:21:40 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011.08.30 23:09:39 | 000,001,516 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-france.xml
[2011.08.30 22:29:49 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011.08.30 23:09:39 | 000,001,822 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\cnrtl-tlfi-fr.xml
[2011.08.30 23:09:39 | 000,001,154 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-france.xml
[2011.08.30 23:09:39 | 000,001,426 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-fr.xml
[2011.08.30 23:09:39 | 000,000,956 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-france.xml

O1 HOSTS File: ([2008.04.15 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {42ad2408-abba-2408-1972-4706560e817b} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (FlashGetBHO) - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - File not found
O3 - HKLM\..\Toolbar: (no name) - {42ad2408-baaa-408d-b13e-4706560e817b} - No CLSID value found.
O3 - HKU\S-1-5-21-942709197-2532909501-4163392431-1006\..\Toolbar\WebBrowser: (no name) - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - No CLSID value found.
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [IDTSysTrayApp] C:\WINDOWS\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [PlusService] C:\Program Files\Yuna Software\Messenger Plus!\PlusService.exe (Yuna Software)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-942709197-2532909501-4163392431-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Download all by FlashGet3 - C:\Documents and Settings\Irina\Application Data\FlashGetBHO\GetAllUrl.htm ()
O8 - Extra context menu item: Download by FlashGet3 - C:\Documents and Settings\Irina\Application Data\FlashGetBHO\GetUrl.htm ()
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: Загрузить всё при помощи FlashGet 3.5 - C:\Documents and Settings\Irina\Application Data\FlashGetBHO\GetAllUrl.htm ()
O8 - Extra context menu item: Загрузить при помощи FlashGet 3.5 - C:\Documents and Settings\Irina\Application Data\FlashGetBHO\GetUrl.htm ()
O8 - Extra context menu item: 使用快车3下载 - C:\Documents and Settings\Irina\Application Data\FlashGetBHO\GetUrl.htm ()
O8 - Extra context menu item: 使用快车3下载全部链接 - C:\Documents and Settings\Irina\Application Data\FlashGetBHO\GetAllUrl.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Отправить в OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : &Отправить в OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DDB83303-8C83-4FF4-8825-458C17CFF5BC}: NameServer = 82.179.113.2
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Irina\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Irina\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll ()
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011.09.11 22:33:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Desktop\RK_Quarantine
[2011.09.07 19:23:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011.09.04 15:57:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Start Menu\Programs\FlashGet 3.5
[2011.09.04 15:56:29 | 000,000,000 | ---D | C] -- C:\Program Files\FlashGet Network
[2011.09.04 15:24:30 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011.09.03 15:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Desktop\Filosofiya
[2011.09.02 22:29:55 | 000,000,000 | --SD | C] -- C:\Downloads
[2011.09.02 22:28:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Application Data\BITS
[2011.09.02 22:28:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Application Data\FlashGet
[2011.09.02 22:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Application Data\FlashGetBHO
[2011.08.31 23:53:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Desktop\UNSORTED
[2011.08.31 23:46:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Desktop\PT
[2011.08.31 23:20:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\My Documents\151___08
[2011.08.31 23:13:51 | 000,441,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011.08.31 23:12:41 | 000,040,112 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011.08.31 23:12:38 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011.08.31 23:08:52 | 000,000,000 | ---D | C] -- C:\Program Files\Yuna Software
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011.09.11 22:42:14 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\BackOnTrack Instant Restore Idle.job
[2011.09.11 22:30:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011.09.11 22:30:56 | 1064,620,032 | -HS- | M] () -- C:\hiberfil.sys
[2011.09.11 21:50:55 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Irina\My Documents\MBR.dat
[2011.09.11 20:00:41 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2011.09.11 18:04:13 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011.09.04 20:37:22 | 000,539,278 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\f8c19cbdb5d7.mp3
[2011.09.04 20:24:47 | 006,155,016 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\00b23d2791b9.mp3
[2011.09.04 17:20:43 | 000,000,292 | ---- | M] () -- C:\WINDOWS\System32\secustat.dat
[2011.09.04 16:32:44 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Irina\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011.09.04 16:29:29 | 000,000,598 | ---- | M] () -- C:\WINDOWS\System32\secushr.dat
[2011.09.03 14:59:25 | 000,577,964 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\fn_econ2.zip
[2011.09.03 14:58:25 | 000,266,949 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\fn12.zip
[2011.09.03 14:58:19 | 000,122,760 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\mfua2008.zip
[2011.09.03 14:58:08 | 000,213,547 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\fn10.zip
[2011.09.03 14:05:06 | 009,073,023 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\V.rar
[2011.09.02 22:29:25 | 000,000,025 | ---- | M] () -- C:\WINDOWS\libem.INI
[2011.09.01 03:20:58 | 000,086,528 | ---- | M] () -- C:\Documents and Settings\Irina\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.08.31 23:13:51 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011.08.31 21:57:26 | 1047,265,707 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\Kokowaeaeh1.zip
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011.09.11 21:50:55 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Irina\My Documents\MBR.dat
[2011.09.11 20:01:35 | 1064,620,032 | -HS- | C] () -- C:\hiberfil.sys
[2011.09.04 20:37:21 | 000,539,278 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\f8c19cbdb5d7.mp3
[2011.09.04 20:23:49 | 006,155,016 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\00b23d2791b9.mp3
[2011.09.04 16:52:51 | 1047,265,707 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\Kokowaeaeh1.zip
[2011.09.04 16:32:43 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011.09.03 14:59:24 | 000,577,964 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\fn_econ2.zip
[2011.09.03 14:58:24 | 000,266,949 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\fn12.zip
[2011.09.03 14:58:18 | 000,122,760 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\mfua2008.zip
[2011.09.03 14:58:07 | 000,213,547 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\fn10.zip
[2011.09.03 14:04:29 | 009,073,023 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\V.rar
[2011.09.02 23:21:10 | 000,000,292 | ---- | C] () -- C:\WINDOWS\System32\secustat.dat
[2011.09.02 23:09:13 | 000,000,598 | ---- | C] () -- C:\WINDOWS\System32\secushr.dat
[2011.09.02 22:29:25 | 000,000,025 | ---- | C] () -- C:\WINDOWS\libem.INI
[2010.08.17 19:19:38 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2010.08.01 00:04:28 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010.04.26 19:37:08 | 000,013,418 | ---- | C] () -- C:\WINDOWS\System32\ridocprint.dll
[2010.04.26 19:32:08 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2010.01.03 23:40:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009.12.29 14:28:32 | 000,139,808 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009.08.11 00:23:12 | 000,000,926 | ---- | C] () -- C:\Documents and Settings\Irina\Application Data\wklnhst.dat
[2009.08.04 21:52:16 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2009.07.25 19:45:17 | 000,157,696 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009.07.25 19:45:05 | 000,568,850 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2009.07.25 19:45:03 | 000,856,064 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009.07.25 19:45:03 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009.07.25 19:45:00 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009.07.25 19:44:52 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009.07.25 19:19:47 | 000,086,528 | ---- | C] () -- C:\Documents and Settings\Irina\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.02.10 08:47:56 | 000,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009.02.10 08:24:06 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008.09.02 05:25:26 | 002,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008.06.24 19:48:32 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008.06.24 19:48:20 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008.06.24 19:26:44 | 000,479,838 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008.06.24 19:26:44 | 000,085,346 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008.06.24 19:16:28 | 000,266,760 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008.06.24 19:12:12 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008.06.24 19:10:36 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008.04.15 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008.04.15 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008.04.15 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008.04.15 06:00:00 | 000,068,608 | ---- | C] () -- C:\WINDOWS\System32\digest.dll
[2008.04.15 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008.04.15 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008.04.15 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008.04.15 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008.04.15 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007.01.26 02:04:12 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\mase32.dll
[2007.01.26 02:04:12 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\ma32.dll
[2002.05.28 23:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002.05.28 23:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002.03.21 12:39:02 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\UNACEV2.DLL
[2001.11.14 11:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2009.07.24 21:43:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MigoMobile
[2009.07.24 21:43:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TMP
[2010.07.28 14:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ACD Systems
[2010.07.31 23:31:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009.12.29 14:36:14 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009.08.24 12:21:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010.01.17 07:03:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
[2011.01.09 03:40:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2011.01.09 04:04:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle VideoSpin
[2010.04.26 19:36:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Riman
[2009.12.31 01:25:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
[2010.11.11 03:14:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009.07.24 21:43:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2009.07.24 21:43:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\MigoMobile
[2009.07.24 21:43:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\TMP
[2010.07.28 14:04:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\ACD Systems
[2010.01.04 00:20:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\AnvSoft
[2011.09.04 17:20:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\BITS
[2010.04.26 19:39:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\Canon
[2010.02.06 23:56:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\DC++
[2011.09.02 22:28:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\FlashGet
[2011.09.02 22:28:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\FlashGetBHO
[2009.07.24 21:43:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\MigoMobile
[2010.09.28 14:25:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\Notepad++
[2009.12.31 01:34:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\Publish Providers
[2010.01.03 20:23:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\Sony
[2009.08.11 00:23:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\Template
[2009.07.24 21:43:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\TMP
[2010.10.20 22:30:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\uTorrent
[2011.09.11 22:42:14 | 000,000,282 | ---- | M] () -- C:\WINDOWS\Tasks\BackOnTrack Instant Restore Idle.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009.07.24 15:05:51 | 000,259,584 | RHS- | M] (Microsoft Corporation) -- C:\BCDEDIT.EXE
[2009.07.24 15:05:51 | 000,102,400 | RHS- | M] (Microsoft Corporation) -- C:\bootsect.exe


< MD5 for: EXPLORER.EXE >
[2008.04.15 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008.04.15 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2008.04.15 06:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008.04.15 06:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011.08.31 01:21:42 | 000,715,144 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011.08.31 01:21:42 | 000,715,144 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011.08.31 01:21:42 | 000,715,144 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011.08.31 01:21:39 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011.08.31 01:21:39 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011.08.31 01:21:39 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2009.12.21 15:19:18 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2009.12.21 15:19:18 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2009.12.21 15:19:18 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009.03.08 12:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009.03.08 12:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011.08.31 01:21:42 | 000,715,144 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011.08.31 01:21:42 | 000,715,144 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011.08.31 01:21:42 | 000,715,144 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011.08.31 01:21:39 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011.08.31 01:21:39 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011.08.31 01:21:39 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2009.12.21 15:19:18 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2009.12.21 15:19:18 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2009.12.21 15:19:18 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009.03.08 12:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009.03.08 12:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

========== Alternate Data Streams ==========

@Alternate Data Stream - 203 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C895616B
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0CE7F3C9
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:63238B95
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86

< End of report >
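As an added illustration, not part of this thread and not OTL's own code: a small Python triage script that parses the line shapes found in the report above (the MD5 custom-scan lines, the O2/O3 BHO and toolbar entries, the IE proxy settings and the alternate-data-stream lines) and flags what a malware-removal helper would look at first. The four baseline hashes are the ones printed in this report and stand in for a real known-good list (an assumption); the sample input is copied from the report, plus one constructed svchost.exe line with a zeroed hash so the baseline check has something to catch. The "ProxyServer set but ProxyEnable = 0" case is handled as an informational finding rather than an alert, which is what the report above actually shows.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Baseline MD5s for the XP SP3 core binaries that OTL hashes in its custom scan.
# The four values are copied from the report above and stand in for a real
# known-good list (assumption: a helper would keep a fuller, version-keyed one).
KNOWN_GOOD_MD5 = {
    "explorer.exe": {"12896823FB95BFB3DC9B46BCAEDC9923"},
    "svchost.exe": {"27C6D03BCDB8CFEB96B716F3D8BE3E18"},
    "userinit.exe": {"A93AEE1928A9D7CE3E16D24EC7380F89"},
    "winlogon.exe": {"ED0EF0A136DEC83DF69F04118870003E"},
}

# "[yyyy.mm.dd hh:mm:ss | size | attrs | M] (Company) MD5=... -- path"
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| (?P<flag>[MC])\]"
    r"(?: \((?P<company>[^)]*)\))?(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>.+)$"
)
# "O2 - BHO: (name) - {CLSID} - target"  and the O3 toolbar variant
BHO_LINE = re.compile(r"^O[23] - .*? - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.+)$")
# "@Alternate Data Stream - N bytes -> path:stream"
ADS_LINE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$")
# 'IE - HKCU\...\Internet Settings: "ProxyServer" = host:port'
PROXY_LINE = re.compile(r'^IE - .*Internet Settings: "(?P<key>Proxy\w+)" = (?P<value>.*)$')


@dataclass
class Finding:
    severity: str   # "review" = look at it now, "info" = leftover worth cleaning
    reason: str
    line: str


def is_loopback(host: str) -> bool:
    return host == "localhost" or host == "::1" or host.startswith("127.")


def proxy_hosts(value: str) -> list[str]:
    """IE ProxyServer is either 'host:port' or 'http=host:port;https=host:port'."""
    hosts = []
    for part in value.split(";"):
        part = part.split("=", 1)[-1].strip()
        if part:
            hosts.append(part.rsplit(":", 1)[0].strip("[]"))
    return hosts


def triage(report: str) -> list[Finding]:
    findings: list[Finding] = []
    proxy: dict[str, str] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if (m := FILE_LINE.match(line)):
            name = m["path"].rsplit("\\", 1)[-1].lower()
            md5 = (m["md5"] or "").upper()
            if md5 and name in KNOWN_GOOD_MD5 and md5 not in KNOWN_GOOD_MD5[name]:
                findings.append(Finding("review", f"{name}: MD5 {md5} is not in the baseline", line))
        elif (m := BHO_LINE.match(line)):
            if m["target"].startswith("No CLSID value found"):
                findings.append(Finding("info", f"orphaned BHO/toolbar CLSID {m['clsid']} (no backing file)", line))
        elif (m := ADS_LINE.match(line)):
            findings.append(Finding("review", f"alternate data stream '{m['stream']}' ({m['size']} bytes) on {m['path']}", line))
        elif (m := PROXY_LINE.match(line)):
            proxy[m["key"]] = m["value"].strip()
    # The proxy verdict needs ProxyEnable and ProxyServer together, so it is decided after the scan.
    server = proxy.get("ProxyServer", "")
    outside = [h for h in proxy_hosts(server) if not is_loopback(h)]
    if outside:
        enabled = proxy.get("ProxyEnable") == "1"
        findings.append(Finding(
            "review" if enabled else "info",
            f"IE proxy {', '.join(outside)} ({'active' if enabled else 'configured but ProxyEnable=0'})",
            f"ProxyServer = {server}",
        ))
    return findings


# Sample input: lines copied from the OTL report above, plus one constructed line
# (svchost.exe with a zeroed hash) so the baseline check has something to flag.
SAMPLE_REPORT = "\n".join([
    r"[2008.04.15 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe",
    r"[2008.04.15 06:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe",
    # constructed: same shape as the report, hash replaced with zeros
    r"[2008.04.15 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\system32\svchost.exe",
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 111.1.32.18:80',
    r"O2 - BHO: (no name) - {42ad2408-abba-2408-1972-4706560e817b} - No CLSID value found.",
    r"O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)",
    r"O3 - HKLM\..\Toolbar: (no name) - {42ad2408-baaa-408d-b13e-4706560e817b} - No CLSID value found.",
    r"@Alternate Data Stream - 203 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C895616B",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.reason}")
```

Run on a full OTL log the script only reads the four line shapes it knows; everything else is skipped silently, so a real deployment would extend the regexes (O4 Run keys, SRV/DRV lines) and replace the four-entry baseline with a proper hash list.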
#6 Render (Trusted Helper, Malware Removal)

Exactly, at least I didn't find a better way.

I can tell you are an experienced user.:)

Do you recognize this file: Kokowaeaeh1.zip? It's located on your Desktop.

On your working computer download the attached fix.txt file to your USB memory stick.

We need to run an OTL Fix

  • On the infected computer run OTL.exe.
  • Click on the Run Fix button.
  • A message window will open saying "No fix has been provided!"
  • Click on the OK button to load the previously downloaded fix.txt file.
  • Navigate to that file (it is probably on your USB memory stick) and click on the Open button.
  • Click on the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click on the OK button.
  • A report will open. Copy and paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

#7 Irishka (Topic Starter)

I can tell you are an experienced user.:)

Thanks (now I feel like my next move will be something stupid lol)! Actually we're sort of colleagues I guess, but I'm still a beginner and have many things to learn.

Do you recognize this file: Kokowaeaeh1.zip? It's located on your Desktop.

Yes, it's a part of a movie. If I remember it right, one of the files inside the archive was corrupted, but I don't think it was due to any malware.

A report will open. Copy and Paste that report in your next reply.

Here it is:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download all by FlashGet3\ deleted successfully.
C:\Documents and Settings\Irina\Application Data\FlashGetBHO\GetAllUrl.htm moved successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download by FlashGet3\ deleted successfully.
C:\Documents and Settings\Irina\Application Data\FlashGetBHO\GetUrl.htm moved successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Загрузить всё при помощи FlashGet 3.5\ deleted successfully.
File C:\Documents and Settings\Irina\Application Data\FlashGetBHO\GetAllUrl.htm not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Загрузить при помощи FlashGet 3.5\ deleted successfully.
File C:\Documents and Settings\Irina\Application Data\FlashGetBHO\GetUrl.htm not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\使用快车3下载\ deleted successfully.
File C:\Documents and Settings\Irina\Application Data\FlashGetBHO\GetUrl.htm not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\使用快车3下载全部链接\ deleted successfully.
File C:\Documents and Settings\Irina\Application Data\FlashGetBHO\GetAllUrl.htm not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
D:\cmd.bat deleted successfully.
D:\cmd.txt deleted successfully.
========== REGISTRY ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 321 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 321 bytes

User: Irina
->Temp folder emptied: 72788842 bytes
->Temporary Internet Files folder emptied: 50929034 bytes
->Java cache emptied: 25877215 bytes
->FireFox cache emptied: 86909217 bytes
->Flash cache emptied: 104723 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 1441792 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 29153975 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 503390 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 48355276 bytes

Total Files Cleaned = 302,00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Irina
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0,00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.27.0 log created on 09122011_003244

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_324.dat not found!
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

New OTL log:

OTL logfile created on: 12.09.2011 0:43:15 - Run 2
OTL by OldTimer - Version 3.2.27.0 Folder = D:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000419 | Country: Russia | Language: RUS | Date Format: dd.MM.yyyy

1015,23 Mb Total Physical Memory | 690,51 Mb Available Physical Memory | 68,02% Memory free
2,38 Gb Paging File | 2,18 Gb Available in Paging File | 91,49% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,52 Gb Total Space | 33,84 Gb Free Space | 45,41% Space Free | Partition Type: NTFS
Drive D: | 3,72 Gb Total Space | 1,45 Gb Free Space | 39,01% Space Free | Partition Type: FAT32
Drive F: | 1,92 Gb Total Space | 0,93 Gb Free Space | 48,62% Space Free | Partition Type: FAT

Computer Name: HPLAPTOP | User Name: Irina | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011.09.11 18:17:22 | 000,581,120 | ---- | M] (OldTimer Tools) -- D:\OTL.exe
PRC - [2011.07.04 13:43:51 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008.12.12 00:46:22 | 000,125,424 | ---- | M] () -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
PRC - [2008.09.11 13:00:10 | 000,237,650 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\WDM\stacsv.exe
PRC - [2005.04.02 03:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe


========== Modules (No Company Name) ==========

MOD - [2011.09.04 18:47:40 | 001,384,960 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\11090401\algo.dll
MOD - [2011.09.03 10:46:00 | 000,208,544 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\11090401\aswRep.dll
MOD - [2008.12.12 00:46:22 | 000,125,424 | ---- | M] () -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
MOD - [2001.10.28 14:42:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\pdfcmnnt.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011.07.04 13:43:51 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010.08.17 19:11:10 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008.12.12 00:46:22 | 000,125,424 | ---- | M] () [Auto | Running] -- C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe -- (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269)
SRV - [2008.09.11 13:00:10 | 000,237,650 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
SRV - [2005.04.02 03:51:48 | 000,217,600 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe -- (StarWindService)


========== Driver Services (SafeList) ==========

DRV - [2011.07.04 13:36:43 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011.07.04 13:36:32 | 000,309,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011.07.04 13:35:23 | 000,043,608 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011.07.04 13:35:12 | 000,102,616 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011.07.04 13:32:32 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011.07.04 13:32:13 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011.07.04 13:32:12 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010.09.06 10:03:47 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pssdk42.sys -- (PSSDK42)
DRV - [2010.09.06 10:03:44 | 000,053,312 | ---- | M] (microOLAP Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pssdklbf.sys -- (PSSDKLBF)
DRV - [2009.09.14 15:54:54 | 000,639,224 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009.02.10 08:37:29 | 001,294,200 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008.12.11 03:00:00 | 000,025,584 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SaibVd32.sys -- (SaibVd32)
DRV - [2008.12.11 03:00:00 | 000,021,488 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\SahdIa32.sys -- (SahdIa32)
DRV - [2008.12.11 03:00:00 | 000,015,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\SaibIa32.sys -- (SaibIa32)
DRV - [2008.12.03 04:57:32 | 000,112,128 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AESTAud.sys -- (AESTAud)
DRV - [2008.09.25 00:09:40 | 000,103,792 | ---- | M] (Sonic Solutions) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\syscow32x.sys -- (SysCow)
DRV - [2008.09.11 13:00:10 | 001,390,323 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2008.08.20 00:16:00 | 000,991,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008.08.20 00:16:00 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008.07.24 19:37:00 | 000,156,816 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2008.06.27 12:02:00 | 000,289,024 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008.05.30 13:46:00 | 000,534,568 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2008.03.10 20:18:00 | 000,057,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2008.02.04 19:57:00 | 000,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...avilion&pf=cnnb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 111.1.32.18:80

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.fr/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.19
FF - prefs.js..extensions.enabledItems: [email protected]:3.9.2
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:0.4.4
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.1
FF - prefs.js..extensions.enabledItems: {DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}:1.1
FF - prefs.js..network.proxy.ftp: "127.0.0.1"
FF - prefs.js..network.proxy.ftp_port: 8118
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8118
FF - prefs.js..network.proxy.ssl: "127.0.0.1"
FF - prefs.js..network.proxy.ssl_port: 8118
FF - prefs.js..network.proxy.type: 4

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.09.04 16:32:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.09.04 16:32:19 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

[2010.01.03 23:40:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Extensions
[2011.09.04 16:36:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions
[2010.09.17 15:25:44 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011.09.04 16:35:41 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011.09.02 22:29:54 | 000,000,000 | ---D | M] (flashget3 Extension) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions\{DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}
[2011.09.04 16:35:47 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions\[email protected]
[2011.09.04 16:36:04 | 000,000,000 | ---D | M] (Dictionnaire français «Classique & Réforme 1990») -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions\[email protected]
[2010.09.17 15:25:43 | 000,000,000 | ---D | M] (Russian spellchecking dictionary) -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\extensions\[email protected]
[2010.09.09 11:00:36 | 000,001,632 | ---- | M] () -- C:\Documents and Settings\Irina\Application Data\Mozilla\Firefox\Profiles\bhbz2hnr.default\searchplugins\weathercom.xml
[2011.09.04 16:32:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\IRINA\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\BHBZ2HNR.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2010.01.04 17:42:53 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011.08.31 01:21:40 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011.08.30 23:09:39 | 000,001,516 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-france.xml
[2011.08.30 22:29:49 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011.08.30 23:09:39 | 000,001,822 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\cnrtl-tlfi-fr.xml
[2011.08.30 23:09:39 | 000,001,154 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-france.xml
[2011.08.30 23:09:39 | 000,001,426 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-fr.xml
[2011.08.30 23:09:39 | 000,000,956 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-france.xml

O1 HOSTS File: ([2011.09.12 00:33:02 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {42ad2408-abba-2408-1972-4706560e817b} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {42ad2408-baaa-408d-b13e-4706560e817b} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - No CLSID value found.
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [HP Mobile Broadband] c:\SWsetup\HPQWWAN\HPMobileBroadband.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [IDTSysTrayApp] C:\WINDOWS\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [PlusService] C:\Program Files\Yuna Software\Messenger Plus!\PlusService.exe (Yuna Software)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Отправить в OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : &Отправить в OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - Reg Error: Value error. File not found
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DDB83303-8C83-4FF4-8825-458C17CFF5BC}: NameServer = 82.179.113.2
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Irina\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Irina\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll ()
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011.09.11 22:33:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Desktop\RK_Quarantine
[2011.09.07 19:23:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011.09.04 15:57:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Start Menu\Programs\FlashGet 3.5
[2011.09.04 15:56:29 | 000,000,000 | ---D | C] -- C:\Program Files\FlashGet Network
[2011.09.04 15:24:30 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011.09.03 15:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Desktop\Filosofiya
[2011.09.02 22:29:55 | 000,000,000 | --SD | C] -- C:\Downloads
[2011.09.02 22:28:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Application Data\BITS
[2011.09.02 22:28:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Application Data\FlashGet
[2011.09.02 22:28:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Application Data\FlashGetBHO
[2011.08.31 23:53:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Desktop\UNSORTED
[2011.08.31 23:46:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\Desktop\PT
[2011.08.31 23:20:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Irina\My Documents\151___08
[2011.08.31 23:13:51 | 000,441,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011.08.31 23:12:41 | 000,040,112 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011.08.31 23:12:38 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011.08.31 23:08:52 | 000,000,000 | ---D | C] -- C:\Program Files\Yuna Software

========== Files - Modified Within 30 Days ==========

[2011.09.12 00:48:02 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\BackOnTrack Instant Restore Idle.job
[2011.09.12 00:37:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011.09.12 00:37:41 | 1064,620,032 | -HS- | M] () -- C:\hiberfil.sys
[2011.09.12 00:33:02 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011.09.11 21:50:55 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Irina\My Documents\MBR.dat
[2011.09.11 20:00:41 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2011.09.11 18:04:13 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011.09.04 20:37:22 | 000,539,278 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\f8c19cbdb5d7.mp3
[2011.09.04 20:24:47 | 006,155,016 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\00b23d2791b9.mp3
[2011.09.04 17:20:43 | 000,000,292 | ---- | M] () -- C:\WINDOWS\System32\secustat.dat
[2011.09.04 16:32:44 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Irina\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011.09.04 16:29:29 | 000,000,598 | ---- | M] () -- C:\WINDOWS\System32\secushr.dat
[2011.09.03 14:59:25 | 000,577,964 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\fn_econ2.zip
[2011.09.03 14:58:25 | 000,266,949 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\fn12.zip
[2011.09.03 14:58:19 | 000,122,760 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\mfua2008.zip
[2011.09.03 14:58:08 | 000,213,547 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\fn10.zip
[2011.09.03 14:05:06 | 009,073,023 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\V.rar
[2011.09.02 22:29:25 | 000,000,025 | ---- | M] () -- C:\WINDOWS\libem.INI
[2011.09.01 03:20:58 | 000,086,528 | ---- | M] () -- C:\Documents and Settings\Irina\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.08.31 23:13:51 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011.08.31 21:57:26 | 1047,265,707 | ---- | M] () -- C:\Documents and Settings\Irina\Desktop\Kokowaeaeh1.zip

========== Files Created - No Company Name ==========

[2011.09.11 21:50:55 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Irina\My Documents\MBR.dat
[2011.09.11 20:01:35 | 1064,620,032 | -HS- | C] () -- C:\hiberfil.sys
[2011.09.04 20:37:21 | 000,539,278 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\f8c19cbdb5d7.mp3
[2011.09.04 20:23:49 | 006,155,016 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\00b23d2791b9.mp3
[2011.09.04 16:52:51 | 1047,265,707 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\Kokowaeaeh1.zip
[2011.09.04 16:32:43 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011.09.03 14:59:24 | 000,577,964 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\fn_econ2.zip
[2011.09.03 14:58:24 | 000,266,949 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\fn12.zip
[2011.09.03 14:58:18 | 000,122,760 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\mfua2008.zip
[2011.09.03 14:58:07 | 000,213,547 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\fn10.zip
[2011.09.03 14:04:29 | 009,073,023 | ---- | C] () -- C:\Documents and Settings\Irina\Desktop\V.rar
[2011.09.02 23:21:10 | 000,000,292 | ---- | C] () -- C:\WINDOWS\System32\secustat.dat
[2011.09.02 23:09:13 | 000,000,598 | ---- | C] () -- C:\WINDOWS\System32\secushr.dat
[2011.09.02 22:29:25 | 000,000,025 | ---- | C] () -- C:\WINDOWS\libem.INI
[2010.08.17 19:19:38 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2010.08.01 00:04:28 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010.04.26 19:37:08 | 000,013,418 | ---- | C] () -- C:\WINDOWS\System32\ridocprint.dll
[2010.04.26 19:32:08 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2010.01.03 23:40:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009.12.29 14:28:32 | 000,139,808 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009.08.11 00:23:12 | 000,000,926 | ---- | C] () -- C:\Documents and Settings\Irina\Application Data\wklnhst.dat
[2009.08.04 21:52:16 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2009.07.25 19:45:17 | 000,157,696 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009.07.25 19:45:05 | 000,568,850 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2009.07.25 19:45:03 | 000,856,064 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009.07.25 19:45:03 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009.07.25 19:45:00 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009.07.25 19:44:52 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009.07.25 19:19:47 | 000,086,528 | ---- | C] () -- C:\Documents and Settings\Irina\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009.02.10 08:47:56 | 000,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009.02.10 08:24:06 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008.09.02 05:25:26 | 002,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008.06.24 19:48:32 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008.06.24 19:48:20 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008.06.24 19:26:44 | 000,479,838 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008.06.24 19:26:44 | 000,085,346 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008.06.24 19:16:28 | 000,266,760 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008.06.24 19:12:12 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008.06.24 19:10:36 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008.04.15 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008.04.15 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008.04.15 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008.04.15 06:00:00 | 000,068,608 | ---- | C] () -- C:\WINDOWS\System32\digest.dll
[2008.04.15 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008.04.15 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008.04.15 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008.04.15 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008.04.15 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007.01.26 02:04:12 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\mase32.dll
[2007.01.26 02:04:12 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\ma32.dll
[2002.05.28 23:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002.05.28 23:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002.03.21 12:39:02 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\UNACEV2.DLL
[2001.11.14 11:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2010.07.28 14:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ACD Systems
[2010.07.31 23:31:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009.12.29 14:36:14 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009.08.24 12:21:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010.01.17 07:03:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
[2011.01.09 03:40:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2011.01.09 04:04:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle VideoSpin
[2010.04.26 19:36:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Riman
[2009.12.31 01:25:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
[2010.11.11 03:14:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009.07.24 21:43:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010.07.28 14:04:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\ACD Systems
[2010.01.04 00:20:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\AnvSoft
[2011.09.04 17:20:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\BITS
[2010.04.26 19:39:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\Canon
[2010.02.06 23:56:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\DC++
[2011.09.02 22:28:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\FlashGet
[2011.09.12 00:32:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\FlashGetBHO
[2009.07.24 21:43:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\MigoMobile
[2010.09.28 14:25:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\Notepad++
[2009.12.31 01:34:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\Publish Providers
[2010.01.03 20:23:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\Sony
[2009.08.11 00:23:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\Template
[2009.07.24 21:43:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\TMP
[2010.10.20 22:30:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Irina\Application Data\uTorrent
[2011.09.12 00:48:02 | 000,000,282 | ---- | M] () -- C:\WINDOWS\Tasks\BackOnTrack Instant Restore Idle.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 203 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C895616B
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0CE7F3C9
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:63238B95
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86

< End of report >


The error still persists :unsure:

Edited by Irishka, 11 September 2011 - 04:17 PM.


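A small triage script for the O-section and Alternate Data Stream lines of an OTL log like the one posted above, added here as an example; it is not part of this thread and not OTL's own code. It encodes the checks a helper reads such a log for (orphaned BHO/toolbar registrations, non-default Winlogon Shell/UserInit values, altered exe/com "open" commands, a static NameServer, and alternate data streams); the regexes and severity labels are my own assumptions about OTL's line format, inferred only from the lines quoted in this thread.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {42ad2408-abba-2408-1972-4706560e817b} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {42ad2408-baaa-408d-b13e-4706560e817b} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DDB83303-8C83-4FF4-8825-458C17CFF5BC}: NameServer = 82.179.113.2
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
@Alternate Data Stream - 203 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C895616B
"""

# Line shapes below are assumptions inferred from the log above, not OTL's documented grammar.
ORPHAN_RE = re.compile(r"^O[23] - .*? - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon: (Shell|UserInit) - \((.*?)\) - (.*)$")
ASSOC_RE = re.compile(r"^O3[57] - HKLM\\\.{2,3}(\w+) \[.*?\] -- (.*)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.*)$")

# Default launch command for the exefile/comfile "open" verb on Windows XP.
EXPECTED_OPEN_CMD = '"%1" %*'

Finding = Tuple[str, str, str]  # (severity, section, message)


def triage(log_text: str) -> List[Finding]:
    """Return findings for the O-section and ADS lines of an OTL log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ORPHAN_RE.match(line)
        if m and m.group(2).startswith("No CLSID value found"):
            # Registry still points at a COM object that no longer exists: leftover, cleanup candidate.
            findings.append(("cleanup", line[:2], f"orphaned registration {m.group(1)}"))
            continue
        m = WINLOGON_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).rstrip(",").lower()
            ok = value == "explorer.exe" if key == "Shell" else value.endswith("\\system32\\userinit.exe")
            if not ok:
                # Shell/UserInit are classic persistence points; anything but the default deserves a look.
                findings.append(("alert", "O20", f"Winlogon {key} is not the default: {m.group(2)}"))
            continue
        m = ASSOC_RE.match(line)
        if m and m.group(2).strip() != EXPECTED_OPEN_CMD:
            # A changed exefile/comfile handler would route every launched program through something else.
            findings.append(("alert", line[:3], f"{m.group(1)} open command changed: {m.group(2)}"))
            continue
        m = DNS_RE.match(line)
        if m:
            findings.append(("review", "O17", f"static NameServer {m.group(1).strip()}; confirm it is the ISP's"))
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append(("review", "ADS", f"{m.group(1)}-byte stream on {m.group(2)}"))
    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    counts: dict = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, section, message in triage(SAMPLE_LOG):
        print(f"[{severity:7}] {section:4} {message}")
```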
#8
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
OK. We will try with system restore now. Please follow the steps below:

  • Open Task Manager and click on New Task...
  • In Create New Task window type in the following:
    %SystemRoot%\system32\restore\rstrui.exe
  • Click OK button.
  • System Restore window should open.
  • On the Welcome to System Restore page, click to select the Restore my computer to an earlier time option, and then click Next.
  • On the Select a Restore Point page, click the most recent system restore point in the On this list, click a restore point list, and then click Next.
    Note: A System Restore message may appear that lists configuration changes that System Restore will make. Click OK.
  • On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration, and then restarts the computer.
  • Tell me the results.


#9
Irishka

Irishka

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Render! My apologies for the late reply.

The problem is that the infected computer is an HP laptop that's got preinstalled recovery software (Roxio), due to which Windows System Restore was disabled. However, I tried the steps you described; there were indeed 2 restore points, but they were both created (by OTL, I suppose) after the computer got infected. I restored from the most recent point, but nothing changed. Then I ran that Roxio restore application; there were 2 points (Aug 31 and Sep 7; maybe there were older points too, I didn't check). I selected Aug 31, because on Sep 7 the computer was already infected, but again, the restoration didn't bring any progress.

#10
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hi,

OK. Please try this now:
  • Open Task Manager and click on New Task... button.
  • In textbox type: explorer.exe and press Enter.
  • Tell me what happens.
Also please tell me if you have your original Windows CD/DVD available.

#11
Irishka

Irishka

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts

Tell me what happens.

The same error message pops up twice.

Also please tell me if you have your original Windows CD/DVD available.

Unfortunately I don't, it was a preinstalled Home Edition.

#12
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Please follow these steps below. Save tools and logs on your USB memory stick and run them with Task Manager and New Task...

Step 1

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • Defogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running Defogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Step 2

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.
  • When asked if you want to download Avast's virus definitions please select No.
  • Click the Scan button to start scan.
  • On completion of the scan click Save log, save it to your desktop and post in your next reply.


#13
Irishka

Irishka

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Render, just wanted to say that I got problems with my other computer, too. Not sure if it was connected to the issue with the laptop or not; anyway, I managed to fix it and will try to follow the last procedure you mentioned tonight. Sorry for the delay, and thanks once again for your help. I'll post the new aswMBR.exe log in the evening.

#14
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hi,

Sorry. It was my mistake. When we fix that one, we will also check this "clean" computer. On your "clean" computer please install this programme:
  • Please download Panda USB Vaccine here (you must provide valid e-mail and they will send you download link to this e-mail address) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.


#15
Irishka

Irishka

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts

Hi,

Sorry. It was my mistake. When we fix that one, we will also check this "clean" computer. On your "clean" computer please install this programme:

  • Please download Panda USB Vaccine here (you must provide valid e-mail and they will send you download link to this e-mail address) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.

Done! Thanks.

When running Defogger, after "Click Yes to continue" I get "Unable to open file" error on both computers. No log was generated. Should I still proceed to the step 2?

Edited by Irishka, 16 September 2011 - 03:20 PM.






