OpenCloud infection, browser hijacking


  • This topic is locked This topic is locked

#1 drewdreworld (Member, 90 posts)
Hello, I appreciate all help, thank you much in advance =)

OpenCloud was the obvious thing, insisting that it was an antivirus program when it was clearly not. I think I mostly cleaned it up but I have noticed more stuff since it appeared so who knows. Malwarebytes will not scan all the way through. Something ends it abruptly every time. Same goes for VIPRERESCUE (although it had a log produced from it) and SuperAntiSpyware.

A lot of times I can't open my Task Manager. When I can, looking at the processes there's always a weird process with a random string of numbers and a colon between ("8974571243:7838972.exe") and I can never end that process. Also svchost.exe will randomly take up all of my computer's resources.

I was unable to post this post from the infected computer, although I was able to access your forums from it. It kept saying "connection timed out" every time I tried to post it. Posting from an uninfected (I hope?) laptop.

I attempted to fix the hijacking earlier using the http://www.geekstogo...ogle-redirects/
removal topic. After following those directions, I followed these:
http://www.geekstogo...t-run-tutorial/

I have the GooredFix log from those attempted fixes. I also have the ExeHelper log. I also have the VIPRERescue log. I can post any of those that you wish to see. Here's my OTL log

OTL logfile created on: 10/3/2011 2:08:17 AM - Run 5
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.94 Gb Available Physical Memory | 62.54% Memory free
2.10 Gb Paging File | 1.75 Gb Available in Paging File | 83.16% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 185.45 Gb Total Space | 11.27 Gb Free Space | 6.08% Space Free | Partition Type: NTFS
Drive D: | 4.45 Gb Total Space | 0.62 Gb Free Space | 13.89% Space Free | Partition Type: FAT32
Drive F: | 2.68 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: DREW | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\3972701242:3311613203.exe
PRC - [2011/10/03 01:25:44 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2011/09/29 15:15:28 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/08/03 07:49:00 | 002,255,464 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
PRC - [2010/08/11 22:10:51 | 000,266,240 | ---- | M] () -- C:\WINDOWS\system32\CSHelper.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2004/12/20 18:12:36 | 000,131,072 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
PRC - [2003/08/27 10:27:44 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
PRC - [2003/02/04 08:22:30 | 000,181,312 | ---- | M] () -- C:\WINDOWS\system32\ScsiAccess.EXE


========== Modules (No Company Name) ==========

MOD - [2011/09/29 15:15:28 | 001,015,256 | ---- | M] () -- C:\Program Files\Mozilla Firefox\js3250.dll
MOD - [2011/09/13 14:16:19 | 006,277,280 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2010/08/11 22:10:51 | 000,266,240 | ---- | M] () -- C:\WINDOWS\system32\CSHelper.exe
MOD - [2009/09/04 23:15:06 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2008/06/20 13:46:57 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/06/20 13:46:57 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2003/02/04 08:22:30 | 000,181,312 | ---- | M] () -- C:\WINDOWS\system32\ScsiAccess.EXE


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/08/03 07:49:00 | 002,255,464 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)
SRV - [2011/03/16 10:42:06 | 000,407,336 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/08/16 23:38:13 | 001,029,456 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/08/11 22:10:51 | 000,266,240 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\CSHelper.exe -- (CSHelper)
SRV - [2007/11/06 16:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2003/08/27 10:27:44 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)
SRV - [2003/02/04 08:22:30 | 000,181,312 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\ScsiAccess.EXE -- (ScsiAccess)


========== Driver Services (SafeList) ==========

DRV - [2011/07/22 12:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\Owner\Local Settings\temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 17:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\Owner\Local Settings\temp\SAS_SelfExtract\saskutil.sys -- (SASKUTIL)
DRV - [2010/11/09 14:56:12 | 000,098,392 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2009/09/09 22:51:44 | 000,007,040 | R--- | M] (Elitegroup Computer Systems) [Kernel | On_Demand | Stopped] -- F:\ECSIoDriver.sys -- (ECSIoDriver_1_1_0_0)
DRV - [2009/07/03 10:49:08 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2008/04/13 15:40:58 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\changer.sys -- (Changer)
DRV - [2008/04/13 15:40:26 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2008/04/13 14:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/11/06 16:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2007/01/11 17:09:13 | 000,016,224 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2005/11/10 10:54:56 | 000,402,944 | ---- | M] (Belkin Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BLKWGU.sys -- (BLKWGU(Belkin)) Belkin Wireless G USB Network Adapter(Belkin)
DRV - [2005/08/17 15:43:20 | 000,330,240 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zd1211bu.sys -- (ZD1211BU(ZyDAS)) ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS)
DRV - [2005/06/08 19:44:20 | 000,020,608 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\brgsp50.sys -- (BRGSp50)
DRV - [2005/04/13 13:34:02 | 000,414,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2005/04/13 13:32:42 | 000,053,376 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2004/10/25 14:40:58 | 000,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZDPSp50.sys -- (ZDPSp50)
DRV - [2004/05/06 14:19:30 | 000,083,181 | ---- | M] (McAfee Security) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\MpFirewall.sys -- (MPFIREWL)
DRV - [2003/12/12 12:06:44 | 000,538,236 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2003/12/12 10:54:14 | 000,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcxsens.sys -- (ALCXSENS)
DRV - [2003/12/06 06:13:42 | 000,429,440 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2003/12/05 20:25:54 | 000,011,392 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2003/12/02 22:23:20 | 000,142,336 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/11/10 11:24:24 | 000,039,532 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Sunkfilt.sys -- (SunkFilt)
DRV - [2003/11/07 23:00:00 | 000,035,328 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2003/09/02 17:51:00 | 000,021,120 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2003/07/18 20:58:20 | 000,036,992 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2003/07/02 15:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/07/02 03:33:00 | 000,652,497 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2003/04/22 01:18:00 | 000,054,784 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)
DRV - [2003/01/10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2003/01/09 01:12:46 | 000,068,672 | R--- | M] (2Wire, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\2wirepcp.sys -- (2WIREPCP)
DRV - [2002/10/04 21:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\r8139n51.sys -- (rtl8139)
DRV - [2001/06/04 17:00:00 | 000,014,112 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 58 5E 83 D0 31 41 CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.071303000004
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63
FF - prefs.js..extensions.enabledItems: {77868449-f49d-d6ec-3145-e651161b1ff8}:1.4

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@artistscope.com/ArtistScope DRM plugin 1,version=1.1.0.0: C:\Program Files\Mozilla Firefox\plugins\npArtistScopeDRM11.dll (ArtistScope)
FF - HKLM\Software\MozillaPlugins\@artistscope.com/ArtistScope plugin 42,version=4.2.0.0: C:\Program Files\Mozilla Firefox\plugins\npArtistScope42.dll (ArtistScope)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2240: C:\Program Files\Real\RealOne Player\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.2298: C:\Program Files\Real\RealOne Player\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1348: C:\Program Files\Real\RealOne Player\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKCU\Software\MozillaPlugins\@artistscope.com/ArtistScope DRM plugin 1,version=1.1.0.0: C:\Program Files\Mozilla Firefox\plugins\npArtistScopeDRM11.dll (ArtistScope)
FF - HKCU\Software\MozillaPlugins\@artistscope.com/ArtistScope plugin 42,version=4.2.0.0: C:\Program Files\Mozilla Firefox\plugins\npArtistScope42.dll (ArtistScope)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/29 15:15:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/29 15:15:32 | 000,000,000 | ---D | M]

[2010/02/06 05:17:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/02/06 05:17:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\[email protected]
[2011/10/02 17:45:50 | 000,000,000 | -H-D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\znjby5yg.default\extensions
[2010/03/09 08:28:11 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\znjby5yg.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011/10/02 22:58:00 | 000,000,000 | ---D | M] (Temp Installer) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\znjby5yg.default\extensions\{77868449-f49d-d6ec-3145-e651161b1ff8}
[2010/04/03 21:38:27 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\znjby5yg.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2009/04/03 19:07:47 | 000,000,000 | ---D | M] (Move Media Player) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\znjby5yg.default\extensions\[email protected]
[2011/10/02 17:45:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/27 16:27:40 | 000,000,000 | ---D | M] (Keynote Connector Extension) -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2010/07/27 16:27:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\[email protected]\components
[2010/03/08 07:15:15 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2009/01/15 13:53:03 | 000,616,448 | ---- | M] (ArtistScope) -- C:\Program Files\mozilla firefox\plugins\npArtistScope42.dll
[2009/02/02 01:06:56 | 000,211,456 | ---- | M] (ArtistScope) -- C:\Program Files\mozilla firefox\plugins\npArtistScopeDRM11.dll
[2008/01/23 02:20:30 | 000,491,520 | ---- | M] (BitComet) -- C:\Program Files\mozilla firefox\plugins\npBitCometAgent.dll
[2006/05/16 17:54:15 | 000,114,688 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npmozax.dll
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2011/10/03 01:10:47 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (adfabonppr Object) - {26D02F99-AE5B-4533-AD67-E23B4B20D60D} - C:\WINDOWS\$BLSTUN$\qgnnv.dll ()
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (brumabonpgrm Object) - {795F4311-02C9-4B7B-A9BB-78D4FE68A98D} - C:\WINDOWS\$BLSTUN$\lmatn.dll ()
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (HP View) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (HP View) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\WebBrowser: (HP View) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll (Hewlett-Packard Company)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKCU..\Run: [Aim6] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML File not found
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL File not found
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} https://www-secure.s...sa/LSSupCtl.cab (LSSupCtl Class)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplane...DC_2.2.1.87.cab (Reg Error: Key error.)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ontent/opuc.cab (Office Update Installation Engine)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate...b?1316033239015 (WUWebControl Class)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} http://housecall65.t...ivex/hcImpl.cab (Housecall ActiveX 6.5)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} http://www.fastacces...bls_speedop.cab (BLS_SpeedOP.systemcheck)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn...pDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} http://www.windowsec...scan/axscan.cab (ASquaredScanForm Element)
O16 - DPF: {C2CFE28D-36EA-4E38-A9E6-092E3C95070C} https://www.info1onl...asp?LOSType=151 (I1POINT.BorrowerList)
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} http://www.stopzilla...ller/dwnldr.cab (Downloader Class)
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_06)
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_01)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} https://www-secure.s...sa/SymAData.cab (ActiveDataInfo Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.81.22.195 24.177.176.38 24.178.162.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1967BB82-6900-4069-8EC3-9CFC77204697}: DhcpNameServer = 97.81.22.195 24.177.176.38 24.178.162.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4745F59C-FBD1-4DED-BD5E-E2E880676947}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{862A2386-C4D8-4F0A-A9DA-897045846BFD}: DhcpNameServer = 97.81.22.195 24.177.176.38 24.178.162.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A2DD7C30-9B36-4063-A810-761B60749F00}: DhcpNameServer = 97.81.22.195 24.177.176.38 24.178.162.3
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/01/20 21:16:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/08/13 06:34:17 | 000,000,051 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{4b20b23c-a1fb-11d9-9532-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{4b20b23c-a1fb-11d9-9532-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4b20b23c-a1fb-11d9-9532-806d6172696f}\Shell\AutoRun\command - "" = F:\InstallCD.exe -- [2010/07/05 23:44:36 | 003,460,608 | R--- | M] (EliteGroup Computer Systems)
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\InstallCD.exe -- [2010/07/05 23:44:36 | 003,460,608 | R--- | M] (EliteGroup Computer Systems)
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/10/03 02:00:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2011/10/03 02:00:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/10/03 01:37:21 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/10/03 01:37:21 | 000,027,984 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\sbbd.exe
[2011/10/03 01:37:07 | 000,000,000 | ---D | C] -- C:\VIPRERESCUE
[2011/10/03 01:25:45 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/10/03 01:20:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\tdsskiller
[2011/10/03 01:18:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\GooredFix Backups
[2011/10/03 01:18:29 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Owner\Desktop\GooredFix.exe
[2011/10/03 01:09:53 | 000,522,752 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTM.exe
[2011/10/03 01:09:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\erunt
[2011/10/03 00:44:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2011/10/03 00:43:24 | 000,462,336 | ---- | C] (Daniel Pistelli) -- C:\Documents and Settings\All Users\Application Data\PbOVsnXuaBESx.exe
[2011/10/03 00:42:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\$BLSTUN$
[2011/10/02 23:05:57 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup-1.51.2.1300.exe
[2011/10/02 22:56:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Minecraft levels
[2011/10/02 22:56:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Hogcraft
[2011/10/02 18:35:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Babylon
[2011/10/02 18:35:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Babylon
[2011/10/02 18:33:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Mozilla
[2011/10/02 18:29:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/10/02 08:27:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/10/02 08:27:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/10/02 08:16:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Babylon
[2011/10/02 08:16:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Babylon
[2011/09/27 04:56:05 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/09/27 04:56:00 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2011/09/24 03:49:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\NVIDIA
[2011/09/22 14:44:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NVIDIA
[2011/09/16 02:47:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Steam
[2011/09/16 02:47:53 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Steam
[2011/09/16 02:47:53 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
[2011/09/12 15:37:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2011/09/12 15:37:04 | 000,000,000 | ---D | C] -- C:\CanonMP
[2011/09/08 15:25:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Files to Transfer
[2010/08/11 22:09:56 | 001,715,904 | ---- | C] (ArtistScope) -- C:\Program Files\Synapse_FX_42.exe
[2006/01/08 17:42:31 | 004,057,200 | ---- | C] (Microsoft Corporation) -- C:\Program Files\wmfdist.exe
[2005/11/28 18:07:13 | 034,412,848 | ---- | C] (Apple Computer, Inc. ) -- C:\Program Files\iTunesSetup.exe
[2005/08/10 10:56:15 | 015,591,520 | ---- | C] (ACD Systems Ltd. ) -- C:\Program Files\acdsee.exe
[2005/07/04 23:47:38 | 002,439,339 | ---- | C] (SoftTech InterCorp ) -- C:\Program Files\imgconvert.exe

========== Files - Modified Within 30 Days ==========

[2011/10/03 01:59:58 | 017,234,520 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SAS_062896F3.COM
[2011/10/03 01:57:41 | 000,000,430 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2011/10/03 01:57:39 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/03 01:57:25 | 000,000,000 | ---- | M] () -- C:\WINDOWS\3972701242
[2011/10/03 01:57:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/03 01:57:20 | 1609,945,088 | -HS- | M] () -- C:\hiberfil.sys
[2011/10/03 01:56:02 | 000,120,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\19511.sys
[2011/10/03 01:55:00 | 000,462,336 | ---- | M] (Daniel Pistelli) -- C:\Documents and Settings\All Users\Application Data\PbOVsnXuaBESx.exe
[2011/10/03 01:49:46 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/03 01:37:25 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\SBRC.dat
[2011/10/03 01:36:45 | 101,949,440 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\VIPRERescue10640.exe
[2011/10/03 01:34:08 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/10/03 01:33:17 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/10/03 01:32:45 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup-1.51.2.1300.exe
[2011/10/03 01:31:13 | 000,294,400 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\exeHelper.com
[2011/10/03 01:25:44 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/10/03 01:19:50 | 001,529,134 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2011/10/03 01:18:27 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Owner\Desktop\GooredFix.exe
[2011/10/03 01:10:47 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/10/03 01:09:52 | 000,522,752 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTM.exe
[2011/10/03 01:08:48 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\erunt.zip
[2011/10/03 01:04:06 | 000,120,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\60222.sys
[2011/10/03 00:44:01 | 000,120,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\79010.sys
[2011/09/29 17:08:57 | 000,000,686 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\World of Warcraft.lnk
[2011/09/27 18:10:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/09/27 07:13:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/09/22 14:43:15 | 000,280,276 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/09/22 14:43:15 | 000,000,001 | ---- | M] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/09/22 14:43:10 | 000,280,276 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/09/21 21:48:39 | 001,483,725 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SystemCheck_enUS.exe
[2011/09/16 03:21:12 | 000,000,213 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Portal.url
[2011/09/16 02:48:00 | 000,000,675 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2011/09/16 02:47:29 | 001,606,656 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SteamInstall.msi

========== Files Created - No Company Name ==========

[2011/10/03 01:59:41 | 017,234,520 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SAS_062896F3.COM
[2011/10/03 01:56:02 | 000,120,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\19511.sys
[2011/10/03 01:37:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\SBRC.dat
[2011/10/03 01:35:31 | 101,949,440 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\VIPRERescue10640.exe
[2011/10/03 01:31:29 | 000,294,400 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\exeHelper.com
[2011/10/03 01:19:48 | 001,529,134 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2011/10/03 01:15:33 | 1609,945,088 | -HS- | C] () -- C:\hiberfil.sys
[2011/10/03 01:08:53 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\erunt.zip
[2011/10/03 01:04:06 | 000,120,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\60222.sys
[2011/10/03 00:44:01 | 000,120,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\79010.sys
[2011/10/02 23:06:29 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/10/02 19:46:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\3972701242
[2011/09/22 14:42:24 | 002,128,778 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/09/22 14:42:24 | 000,003,249 | ---- | C] () -- C:\WINDOWS\System32\nvinfo.pb
[2011/09/21 21:48:40 | 001,483,725 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SystemCheck_enUS.exe
[2011/09/16 03:21:12 | 000,000,213 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Portal.url
[2011/09/16 02:48:00 | 000,000,675 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2011/09/16 02:47:33 | 001,606,656 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SteamInstall.msi
[2011/09/12 15:37:02 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7I.DLL
[2011/09/08 15:19:30 | 2519,352,790 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Files to Transfer.rar
[2011/06/02 21:09:07 | 000,280,276 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/06/02 21:09:04 | 000,280,276 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/06/02 21:09:04 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/06/02 21:08:38 | 002,293,194 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2011/01/06 17:33:23 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/08/11 22:10:51 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\CSHelper.exe
[2010/04/23 03:00:03 | 000,000,005 | ---- | C] () -- C:\WINDOWS\treeskp.sys
[2010/04/23 03:00:03 | 000,000,005 | ---- | C] () -- C:\WINDOWS\sbacknt.bin
[2010/02/25 20:01:29 | 000,009,968 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\621Yn0On344RP
[2010/02/07 08:19:36 | 000,127,456 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/12/16 07:27:40 | 000,037,576 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/09/02 02:37:26 | 000,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/06/30 22:14:21 | 000,055,726 | ---- | C] () -- C:\WINDOWS\DIIUnin.dat
[2009/01/22 17:26:18 | 000,143,706 | ---- | C] () -- C:\WINDOWS\War3Unin.dat
[2008/05/16 14:01:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/03/07 02:11:25 | 000,002,560 | ---- | C] () -- C:\WINDOWS\_MSRSTRT.EXE
[2007/11/06 16:19:28 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2007/03/16 02:36:36 | 000,146,839 | -H-- | C] () -- C:\Documents and Settings\Owner\Application Data\Cosmos Prefs
[2006/11/23 13:55:11 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2006/11/19 18:31:56 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\ZyDelReg.exe
[2006/11/19 18:31:55 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[2006/11/19 18:31:55 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
[2006/05/10 00:14:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pestpatrol5.INI
[2006/04/28 19:03:52 | 000,012,486 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/04/06 13:16:20 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2006/02/13 18:47:43 | 010,284,336 | ---- | C] () -- C:\Program Files\Avast Setup.exe
[2006/02/11 19:24:15 | 001,847,742 | ---- | C] () -- C:\Program Files\InstallSB.exe
[2006/01/22 22:59:28 | 000,045,540 | ---- | C] () -- C:\Program Files\untitled image
[2006/01/08 17:40:15 | 011,284,970 | ---- | C] () -- C:\Program Files\cdbxp_setup_3.0.116.zip
[2005/12/12 00:53:42 | 000,937,001 | ---- | C] () -- C:\Program Files\slsk156c.exe
[2005/12/10 23:19:28 | 001,014,477 | ---- | C] () -- C:\Program Files\wrar351.exe
[2005/12/10 16:41:58 | 003,620,864 | ---- | C] () -- C:\Program Files\Final_Fantasy_7_TurksInPursuit_OC_ReMix.mp3
[2005/12/10 16:40:40 | 004,630,453 | ---- | C] () -- C:\Program Files\Final_Fantasy_7_FightOn_OC_ReMix.mp3
[2005/12/10 16:34:10 | 004,168,636 | ---- | C] () -- C:\Program Files\zelda.mp3
[2005/11/30 18:39:07 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/11/16 00:38:00 | 000,647,168 | ---- | C] () -- C:\WINDOWS\System32\pqdvdb.dll
[2005/11/06 15:28:04 | 000,010,930 | ---- | C] () -- C:\Program Files\mariel's senior outlne.htm
[2005/11/04 22:47:35 | 000,001,619 | ---- | C] () -- C:\Program Files\Baja.jpg
[2005/10/31 20:10:12 | 002,298,775 | ---- | C] () -- C:\Program Files\jcrea350.zip
[2005/09/22 14:12:24 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\sysinfo.dll
[2005/08/20 14:07:12 | 000,001,125 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2005/08/20 14:05:36 | 005,176,904 | ---- | C] () -- C:\Program Files\winamp5094_full_emusic-7plus.exe
[2005/08/18 00:07:05 | 000,130,048 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall.exe
[2005/08/12 23:24:54 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2005/03/31 11:52:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2005/03/04 15:10:36 | 000,106,496 | ---- | C] () -- C:\WINDOWS\bdoscandel.exe
[2005/03/01 16:30:20 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2004/12/18 23:12:27 | 000,007,376 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/12/17 14:51:03 | 000,006,048 | ---- | C] () -- C:\WINDOWS\System32\MCC16.dll
[2004/12/14 15:33:41 | 000,000,335 | ---- | C] () -- C:\WINDOWS\IN1LOS151.ini
[2004/12/12 17:09:01 | 000,000,181 | ---- | C] () -- C:\WINDOWS\upst.ini
[2004/12/12 17:09:01 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2004/12/10 12:36:59 | 000,000,047 | ---- | C] () -- C:\WINDOWS\winhlp32.ini
[2004/12/10 12:35:48 | 000,017,552 | ---- | C] () -- C:\WINDOWS\System32\TTYTWIN.DRV
[2004/12/10 12:35:33 | 000,117,760 | ---- | C] () -- C:\WINDOWS\System32\NCSPI8EN.DLL
[2004/12/10 12:35:23 | 000,022,480 | ---- | C] () -- C:\WINDOWS\System32\PFMAPI16.DLL
[2004/12/10 12:35:23 | 000,020,992 | ---- | C] () -- C:\WINDOWS\System32\PFMAPI32.DLL
[2004/12/10 12:21:44 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\EmbeddedDX.dll
[2004/12/10 12:21:44 | 000,010,875 | ---- | C] () -- C:\WINDOWS\ESOA.INI
[2004/12/10 12:21:44 | 000,003,679 | ---- | C] () -- C:\WINDOWS\GrAddrBk.ini
[2004/12/10 12:21:44 | 000,000,995 | ---- | C] () -- C:\WINDOWS\GRACE.INI
[2004/12/10 12:21:44 | 000,000,053 | ---- | C] () -- C:\WINDOWS\PRSRVDLL.INI
[2004/12/10 12:21:11 | 000,001,315 | ---- | C] () -- C:\WINDOWS\winpoint.ini
[2004/11/14 20:44:43 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/10/26 18:39:05 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/09/20 22:10:28 | 000,000,019 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2004/09/19 10:41:34 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\3dfx_3d.dll
[2004/08/26 22:02:59 | 000,000,227 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2004/08/26 22:02:55 | 000,045,568 | ---- | C] () -- C:\WINDOWS\UniFish3.exe
[2004/08/17 18:47:21 | 000,000,490 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2004/08/15 21:57:30 | 000,000,281 | ---- | C] () -- C:\WINDOWS\EReg072.dat
[2004/08/05 17:49:12 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2004/08/05 17:49:12 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2004/07/10 19:55:38 | 000,252,416 | ---- | C] () -- C:\WINDOWS\System32\wsiShared.dll
[2004/06/09 20:08:54 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.Owner.ini
[2004/05/09 01:47:37 | 000,035,382 | ---- | C] () -- C:\WINDOWS\scunin.dat
[2004/04/29 22:22:45 | 000,199,168 | ---- | C] () -- C:\WINDOWS\Uninstall.exe
[2004/04/29 05:30:36 | 003,130,856 | -H-- | C] () -- C:\WINDOWS\System32\kyf.dat
[2004/04/26 20:13:35 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/04/26 17:21:34 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2004/04/26 17:21:33 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2004/04/26 17:13:25 | 000,007,287 | ---- | C] () -- C:\WINDOWS\hpdj5100.ini
[2004/04/26 17:12:59 | 000,000,470 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2004/03/30 16:47:44 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\nl_msgs.dll
[2004/03/30 16:47:41 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\nl_msgc.dll
[2004/02/26 14:20:16 | 000,065,588 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2004/02/12 16:45:55 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/02/12 16:45:55 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/02/12 16:45:04 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/02/12 16:45:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/02/12 16:21:33 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/02/12 16:21:33 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/02/12 16:21:29 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/02/12 16:21:24 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/02/12 16:21:17 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/01/22 12:00:28 | 000,012,635 | ---- | C] () -- C:\WINDOWS\System32\DAntivirus.ini
[2004/01/22 05:26:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/01/22 05:26:02 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/01/21 06:04:38 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/01/21 05:52:52 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\mshrml.ini
[2004/01/21 00:04:56 | 000,000,128 | -H-- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/01/21 00:02:24 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/01/20 23:59:54 | 000,090,112 | R--- | C] () -- C:\WINDOWS\bwUnin-6.2.3.66.exe
[2004/01/20 23:56:41 | 000,030,197 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/01/20 23:56:16 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2004/01/20 23:55:38 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2004/01/20 23:42:36 | 000,000,600 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/01/20 23:34:02 | 000,000,907 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/01/20 22:54:01 | 000,006,848 | ---- | C] () -- C:\WINDOWS\System32\hphmon05.dat
[2004/01/20 22:53:56 | 000,018,341 | ---- | C] () -- C:\WINDOWS\HPHins01.dat
[2004/01/20 22:53:56 | 000,004,308 | ---- | C] () -- C:\WINDOWS\hphmdl01.dat
[2004/01/20 22:47:44 | 000,034,468 | ---- | C] () -- C:\WINDOWS\hpomdl03.dat
[2004/01/20 22:47:44 | 000,028,885 | ---- | C] () -- C:\WINDOWS\hpoins03.dat
[2004/01/20 22:39:28 | 000,015,415 | ---- | C] () -- C:\WINDOWS\hpdins01.dat
[2004/01/20 22:39:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpzmdl01.dat
[2004/01/20 22:30:23 | 000,016,306 | ---- | C] () -- C:\WINDOWS\hpqins01.dat
[2004/01/20 22:30:23 | 000,002,673 | ---- | C] () -- C:\WINDOWS\hpimdl01.dat
[2004/01/20 22:21:37 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/01/20 22:14:41 | 000,001,040 | ---- | C] () -- C:\WINDOWS\System32\drivers\alcxinit.dat
[2004/01/20 22:10:22 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\sis760.bin
[2004/01/20 22:10:22 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\sis741.bin
[2004/01/20 22:10:22 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\sis660.bin
[2004/01/20 21:47:52 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/01/20 21:38:07 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/01/20 21:38:07 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/01/20 21:37:39 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/01/20 21:20:37 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/01/20 21:18:59 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/01/20 21:14:17 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/01/20 20:05:12 | 000,000,549 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/01/20 20:04:38 | 000,434,028 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/01/20 20:04:38 | 000,068,188 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/01/20 13:09:43 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/01/20 13:08:48 | 000,215,264 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/09/23 04:19:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/05/16 01:15:18 | 000,225,209 | ---- | C] () -- C:\WINDOWS\System32\C9930A.bin
[2003/03/27 15:28:44 | 000,004,955 | ---- | C] () -- C:\WINDOWS\System32\DProg.ini
[2003/03/07 02:53:16 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\hpnvr82.dll
[2003/02/04 08:22:30 | 000,181,312 | ---- | C] () -- C:\WINDOWS\System32\ScsiAccess.EXE
[2003/01/08 02:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/12/05 18:51:00 | 000,059,392 | R--- | C] () -- C:\WINDOWS\streamhlp.dll
[2000/09/08 16:53:50 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll

========== LOP Check ==========

[2009/07/29 17:19:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/03/14 19:29:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg7
[2011/10/03 00:44:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2006/05/10 00:10:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2011/09/12 15:37:08 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2008/02/28 03:23:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Last.fm
[2007/03/15 17:49:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/07/29 17:19:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2011/07/17 04:30:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/07/08 03:09:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\.minecraft
[2005/12/05 21:24:11 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\acccore
[2005/08/10 10:58:50 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\ACD Systems
[2005/12/05 22:01:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\Aim
[2009/03/14 19:29:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\AVG7
[2011/10/02 08:16:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Babylon
[2011/08/03 05:19:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Crayon Physics Deluxe
[2007/03/14 00:36:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\Helios
[2006/05/26 00:28:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\interMute
[2004/04/26 21:04:04 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\InterVideo
[2010/07/27 16:27:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Keynote Systems
[2004/06/25 02:13:58 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2005/01/23 17:03:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\LockTime
[2005/09/24 09:31:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\Lycos
[2008/07/30 03:00:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
[2006/09/27 23:16:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\ourTunes
[2007/03/15 17:49:05 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\RecordPad
[2011/06/23 01:26:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\RIFT
[2004/01/21 00:29:05 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2008/06/04 04:19:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SoundSpectrum
[2010/08/22 06:03:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\StealthBot
[2004/05/01 16:07:20 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\STOPzilla!
[2010/01/27 20:24:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Subversion
[2010/06/03 19:57:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
[2005/11/14 01:27:29 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2008/06/01 16:21:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2011/08/25 03:24:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\uTorrent
[2007/06/15 08:11:50 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\Viewpoint
[2011/06/14 04:19:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data\wsInspector
[2010/04/07 07:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\XBList
[2011/09/27 18:10:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 784 bytes -> C:\WINDOWS\3972701242:3311613203.exe

< End of report >


Thank you much again =)
  • 0
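The OTL report above is what a helper has to triage by eye: numeric driver names, a zero-byte file under C:\WINDOWS, and an alternate data stream on that file are the signals that matter, buried among hundreds of benign entries. The script below is an added example, not part of the original post and not OldTimer's own parser: it reads OTL "Files/Folders" and "Alternate Data Streams" lines and flags the ZeroAccess-style indicators present in this log (purely numeric file names under C:\WINDOWS, several .sys files of identical size with no company name, and an ADS whose host file and stream name are both numeric, which is the "host:stream.exe" shape of the process the poster could not end). The heuristics, rule names and the cross-check that the ADS host is itself an empty file are my assumptions; the sample lines are copied from the report above.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the OTL report in the post above
# (a vendor-attributed driver and one directory entry included for contrast).
# Added example; this is not OTL's own code.
SAMPLE_LOG = """\
[2011/10/03 01:37:21 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\\WINDOWS\\System32\\drivers\\SBREDrv.sys
[2011/10/03 01:56:02 | 000,120,832 | ---- | M] () -- C:\\WINDOWS\\System32\\drivers\\19511.sys
[2011/10/03 01:04:06 | 000,120,832 | ---- | M] () -- C:\\WINDOWS\\System32\\drivers\\60222.sys
[2011/10/03 00:44:01 | 000,120,832 | ---- | M] () -- C:\\WINDOWS\\System32\\drivers\\79010.sys
[2011/10/03 01:57:25 | 000,000,000 | ---- | M] () -- C:\\WINDOWS\\3972701242
[2011/10/03 00:43:24 | 000,462,336 | ---- | C] (Daniel Pistelli) -- C:\\Documents and Settings\\All Users\\Application Data\\PbOVsnXuaBESx.exe
[2011/10/03 02:00:09 | 000,000,000 | ---D | C] -- C:\\Documents and Settings\\Owner\\Application Data\\SUPERAntiSpyware.com
@Alternate Data Stream - 784 bytes -> C:\\WINDOWS\\3972701242:3311613203.exe
"""

# OTL "Files/Folders" entry: [stamp | size | attrs | C/M] (company) -- path
# Directory entries carry no "(company)" field, so that group is optional.
FILE_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
ADS_LINE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
# A name that is only digits, with an optional extension: "19511.sys", "3972701242".
NUMERIC_NAME = re.compile(r"^\d+(?:\.[A-Za-z0-9]+)?$")


def parse_entries(text):
    """Return (files, streams) parsed from OTL report text; unknown lines are skipped."""
    files, streams = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"].replace(",", ""))
            entry["company"] = (entry["company"] or "").strip()
            entry["is_dir"] = "D" in entry["attrs"]
            entry["name"] = entry["path"].rsplit("\\", 1)[-1]
            files.append(entry)
            continue
        m = ADS_LINE.match(line)
        if m:
            path = m.group("path")
            host, _, stream = path.rpartition(":")  # last colon separates host file from stream
            streams.append({
                "path": path, "size": int(m.group("size")), "host": host,
                "host_name": host.rsplit("\\", 1)[-1], "stream": stream,
            })
    return files, streams


def triage(text):
    """Apply ZeroAccess-style heuristics (assumed rules) and return a list of findings."""
    files, streams = parse_entries(text)
    findings = []

    # 1. Plain files under C:\WINDOWS whose name is just a number.
    for f in files:
        if (not f["is_dir"] and NUMERIC_NAME.match(f["name"])
                and f["path"].upper().startswith("C:\\WINDOWS\\")):
            findings.append({"rule": "numeric-name", "paths": [f["path"]],
                             "note": "numeric file name under C:\\WINDOWS"})

    # 2. Two or more drivers with identical size and no company name: the same
    #    payload dropped repeatedly under fresh random names.
    by_size = defaultdict(list)
    for f in files:
        if f["name"].lower().endswith(".sys") and not f["company"]:
            by_size[f["size"]].append(f["path"])
    for size, paths in sorted(by_size.items()):
        if len(paths) >= 2:
            findings.append({"rule": "same-size-no-company-drivers", "paths": paths,
                             "note": f"{len(paths)} drivers of {size} bytes with no company name"})

    # 3. An ADS whose host file and stream name are both numeric, i.e. the
    #    "host:stream.exe" shape of the process the poster could not end.
    zero_byte = {f["path"].upper() for f in files if not f["is_dir"] and f["size"] == 0}
    for s in streams:
        if NUMERIC_NAME.match(s["host_name"]) and NUMERIC_NAME.match(s["stream"]):
            findings.append({"rule": "numeric-ads", "paths": [s["path"]],
                             "note": f"{s['size']}-byte stream on numeric host file"})
        # 4. The stream hangs off a file that is itself empty: the visible file
        #    is only a carrier for the hidden stream.
        if s["host"].upper() in zero_byte:
            findings.append({"rule": "ads-on-empty-host", "paths": [s["path"]],
                             "note": "host file is 0 bytes; content lives in the stream"})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['rule']:30s} {hit['note']}")
        for p in hit["paths"]:
            print(f"    {p}")
```

Run against a full OTL.txt (pass the file contents to `triage`), the same rules pick out the three 120,832-byte drivers, the empty C:\WINDOWS\3972701242 carrier and its 784-byte stream; none of the vendor-attributed entries trip them. The rules are deliberately narrow, so treat a hit as a prompt to look, not as a verdict.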


#2
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hello drewdreworld and welcome to G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start, please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

NOTE: You have a very nasty infection! I would strongly advise you to back up all your important data from your system before you begin with the fix.

This malware tends to disable your whole system and leave you with nothing. Please back up your data.

After this please continue with steps below.

Step 2

Please restart in safe mode with networking:

  • If the computer is running, shut down Windows, and then turn off the power
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe mode with networking option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Step 3

Please don't forget to include these items in your reply:

  • Combofix log
It would be helpful if you could post each log in a separate post.
  • 0

#3
drewdreworld

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
Hi maliprog =) I appreciate your help much!

I have downloaded and run ComboFix and it told me I was infected with rootkit ZeroAccess. And now it's saying it "has detected the presence of rootkit activity and needs to reboot the machine." There is an OK button underneath it. I'm assuming I click it and I reboot. I wanted to check on that though. And I also wanted to ask if you wanted me to let it reboot however it wanted to or if you wanted me to make sure it reboots back into safe mode with networking. I'll wait to click the OK button till I see your reply =)

Edit for clarity: The scan was only running maybe 30 seconds after it "Created the restore point" before it popped up with the first message about rootkit.ZeroAccess and I clicked OK then the second aforementioned message regarding rebooting popped up.

Edited by drewdreworld, 03 October 2011 - 01:48 AM.

  • 0

#4
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Let it reboot whenever it wants. Just follow prompts and let it do its magic.
  • 0

#5
drewdreworld

    Member

  • Topic Starter
  • Member
  • PipPip
  • 90 posts
"Adobe Download Manager" or something just popped up in my Firefox. But the previous random-string-of-numbers .exe process is missing. And I'm not having any issues opening Task Manager right now. There's also a process called "getPlusPlus_Adobe.." that's running that I've never seen before. Here's the ComboFix log:

ComboFix 11-10-02.03 - Owner 10/03/2011 3:56.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1187 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\PbOVsnXuaBESx.exe
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Guest\WINDOWS
c:\documents and settings\Owner\HCUpgrade3.1.exe
c:\documents and settings\Owner\Start Menu\Programs\1964.lnk
c:\documents and settings\Owner\WINDOWS
c:\documents and settings\UpdatusUser\WINDOWS
C:\install.exe
c:\program files\Image Converter .EXE
c:\program files\Image Converter .EXE\blank.gif
c:\program files\Image Converter .EXE\compare template.html
c:\program files\Image Converter .EXE\detail template.html
c:\program files\Image Converter .EXE\Help\CommandLines.htm
c:\program files\Image Converter .EXE\Help\pv_registration.mht
c:\program files\Image Converter .EXE\imageconverter.exe
c:\program files\Image Converter .EXE\license.txt
c:\program files\Image Converter .EXE\logfile.txt
c:\program files\Image Converter .EXE\thumbnail template.html
c:\program files\Image Converter .EXE\unins000.dat
c:\program files\Image Converter .EXE\unins000.exe
c:\program files\Image Converter .EXE\Web\Image Converter .EXE Home Page.url
c:\program files\Image Converter .EXE\Web\Order Image Converter .EXE.url
c:\program files\Image Converter .EXE\Web\SoftTech InterCorp.url
c:\program files\messenger\msmsgsin.exe
c:\program files\winamp5094_full_emusic-7plus.exe
c:\windows\$BLSTUN$
c:\windows\$BLSTUN$\apUninstall.exe
c:\windows\$BLSTUN$\lmatn.dll
c:\windows\$BLSTUN$\qgnnv.dll
c:\windows\$NtUninstallKB3983$
c:\windows\$NtUninstallKB3983$\23825295
c:\windows\$NtUninstallKB3983$\983354092\@
c:\windows\$NtUninstallKB3983$\983354092\bckfg.tmp
c:\windows\$NtUninstallKB3983$\983354092\cfg.ini
c:\windows\$NtUninstallKB3983$\983354092\Desktop.ini
c:\windows\$NtUninstallKB3983$\983354092\keywords
c:\windows\$NtUninstallKB3983$\983354092\kwrd.dll
c:\windows\$NtUninstallKB3983$\983354092\L\jagjohea
c:\windows\$NtUninstallKB3983$\983354092\U\[email protected]
c:\windows\$NtUninstallKB3983$\983354092\U\[email protected]
c:\windows\$NtUninstallKB3983$\983354092\U\[email protected]
c:\windows\$NtUninstallKB3983$\983354092\U\[email protected]
c:\windows\dasetup.log
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\d3d9caps.dat
c:\windows\system32\SysInfo.dll
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_3a9ccaec
.
.
((((((((((((((((((((((((( Files Created from 2011-09-03 to 2011-10-03 )))))))))))))))))))))))))))))))
.
.
2011-10-03 07:46 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-10-03 07:46 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-03 06:00 . 2011-10-03 06:00 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-10-03 06:00 . 2011-10-03 06:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-10-03 05:56 . 2011-10-03 05:56 120832 ----a-w- c:\windows\system32\drivers\19511.sys
2011-10-03 05:37 . 2010-11-09 18:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-10-03 05:37 . 2010-11-09 18:56 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-10-03 05:37 . 2011-10-03 05:37 -------- dc----w- C:\VIPRERESCUE
2011-10-03 05:04 . 2011-10-03 05:04 120832 ----a-w- c:\windows\system32\drivers\60222.sys
2011-10-03 05:04 . 2011-10-03 05:04 73728 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\44221.tmp
2011-10-03 04:44 . 2011-10-03 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2011-10-03 04:44 . 2011-10-03 04:44 120832 ----a-w- c:\windows\system32\drivers\79010.sys
2011-10-03 02:58 . 2011-10-03 02:58 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-02 22:35 . 2011-10-02 22:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Babylon
2011-10-02 22:35 . 2011-10-02 22:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Babylon
2011-10-02 12:16 . 2011-10-02 12:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Babylon
2011-10-02 12:16 . 2011-10-02 12:16 -------- d-----w- c:\documents and settings\Owner\Application Data\Babylon
2011-09-27 08:56 . 2011-09-27 08:56 -------- d-----w- c:\program files\Microsoft Silverlight
2011-09-24 07:49 . 2011-09-24 07:49 -------- d-----w- c:\documents and settings\Owner\Application Data\NVIDIA
2011-09-22 18:44 . 2011-10-03 08:10 -------- d-----w- c:\documents and settings\UpdatusUser
2011-09-22 18:44 . 2011-09-22 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2011-09-22 18:43 . 2011-08-03 11:49 600680 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-09-16 06:47 . 2011-09-16 06:47 -------- d-----w- c:\program files\Common Files\Steam
2011-09-16 06:47 . 2011-09-24 07:47 -------- d-----w- c:\program files\Steam
2011-09-15 21:50 . 2011-09-15 21:50 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-09-12 19:37 . 2011-09-12 19:37 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2011-09-12 19:37 . 2011-09-12 19:37 -------- dc----w- C:\CanonMP
2011-09-12 19:37 . 2005-05-07 16:00 8704 ----a-w- c:\windows\system32\CNMVS7I.DLL
2011-09-12 19:37 . 2005-05-07 16:00 59392 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP7I.DLL
2011-09-12 19:37 . 2005-05-07 16:00 20992 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD7I.DLL
2011-09-12 19:37 . 2005-05-07 16:00 140288 ----a-w- c:\windows\system32\CNMLM7I.DLL
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-03 05:34 . 2009-03-15 20:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-03 05:22 . 2004-02-12 20:23 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-09-13 18:16 . 2011-06-17 02:28 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-03 11:49 . 2011-06-03 01:09 914024 ----a-w- c:\windows\system32\nvdispco32.dll
2011-08-03 11:49 . 2011-06-03 01:09 875112 ----a-w- c:\windows\system32\nvgenco32.dll
2011-08-03 11:49 . 2011-06-03 01:08 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-08-03 11:49 . 2011-06-03 01:08 2387560 ----a-w- c:\windows\system32\nvcuvid.dll
2011-08-03 11:49 . 2011-06-03 01:08 2090088 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-08-03 11:49 . 2011-06-03 01:08 17186816 ----a-w- c:\windows\system32\nvcompiler.dll
2011-08-03 11:49 . 2010-10-16 16:05 54272 ----a-w- c:\windows\system32\nvwddi.dll
2011-08-03 11:49 . 2010-10-16 16:05 146024 ----a-w- c:\windows\system32\nvsvc32.exe
2011-08-03 11:49 . 2010-10-16 16:05 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-08-03 11:49 . 2010-10-16 16:05 13892200 ----a-w- c:\windows\system32\nvcpl.dll
2011-08-03 11:49 . 2010-10-16 16:05 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-08-03 11:49 . 2008-05-16 18:01 5427200 ----a-w- c:\windows\system32\nvcuda.dll
2011-08-03 11:49 . 2008-05-16 18:01 2404864 ----a-w- c:\windows\system32\nvapi.dll
2011-08-03 11:49 . 2004-01-21 02:12 4210816 ----a-w- c:\windows\system32\nv4_disp.dll
2011-08-03 11:49 . 2004-01-21 02:12 16191488 ----a-w- c:\windows\system32\nvoglnt.dll
2011-08-03 11:49 . 2004-01-21 02:12 12542592 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-08-12 02:10 . 2010-08-12 02:09 1715904 ----a-w- c:\program files\Synapse_FX_42.exe
2006-02-13 22:47 . 2006-02-13 22:47 10284336 ----a-w- c:\program files\Avast Setup.exe
2006-02-11 23:24 . 2006-02-11 23:24 1847742 ----a-w- c:\program files\InstallSB.exe
2006-01-08 21:42 . 2006-01-08 21:42 4057200 ----a-w- c:\program files\wmfdist.exe
2005-12-12 04:53 . 2005-12-12 04:53 937001 ----a-w- c:\program files\slsk156c.exe
2005-12-11 03:19 . 2005-12-11 03:19 1014477 ----a-w- c:\program files\wrar351.exe
2005-11-28 22:07 . 2005-11-28 22:07 34412848 ----a-w- c:\program files\iTunesSetup.exe
2005-08-10 14:56 . 2005-08-10 14:56 15591520 ----a-w- c:\program files\acdsee.exe
2005-07-05 03:47 . 2005-07-05 03:47 2439339 ----a-w- c:\program files\imgconvert.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-04 221184]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
"NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_06\\bin\\javaw.exe"=
"c:\\Program Files\\Starcraft\\starcraft.exe"=
"c:\\Program Files\\Common Files\\AOL\\1102887009\\EE\\aim6.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Morpheus\\Morpheus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\1102887009\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\1102887009\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Belkin\\USB F5D7050\\Wireless Utility\\Belkinwcui.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\GRETECH\\GomTVStreamer\\GomTVStreamerLive.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base19132\\SC2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base19679\\SC2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20:TCP"= 20:TCP:*:Disabled:BitComet 20 TCP
"20:UDP"= 20:UDP:*:Disabled:BitComet 20 UDP
"11274:TCP"= 11274:TCP:*:Disabled:BitComet 11274 TCP
"11274:UDP"= 11274:UDP:*:Disabled:BitComet 11274 UDP
"1119:TCP"= 1119:TCP:TCP SC2
"1119:UDP"= 1119:UDP:UDP SC2
"6113:UDP"= 6113:UDP:SC2
"1120:TCP"= 1120:TCP:SC2 TCP
"3724:TCP"= 3724:TCP:SC2 DLer
"6881:TCP"= 6881:TCP:TCP
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/1/2009 6:10 PM 64160]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/3/2011 1:37 AM 98392]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [8/11/2010 10:10 PM 266240]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [9/22/2011 2:43 PM 2255464]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/29/2009 5:19 PM 24652]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 mrtRate;mrtRate; [x]
S3 ECSIoDriver_1_1_0_0;ECSIoDriver_1_1_0_0;F:\ECSIoDriver.sys [9/9/2009 10:51 PM 7040]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]
S4 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [?]
S4 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [?]
S4 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [?]
S4 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [?]
S4 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [?]
S4 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [?]
S4 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [?]
S4 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [?]
S4 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [?]
S4 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [?]
S4 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [?]
S4 VFILT;Outpost Firewall Kernel Driver;\??\c:\progra~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS --> c:\progra~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 03:38]
.
2011-09-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://srch-us10.hpwis.com/
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 97.81.22.195 24.177.176.38 24.178.162.3
TCP: Interfaces\{4745F59C-FBD1-4DED-BD5E-E2E880676947}: NameServer = 192.168.1.1
DPF: {C2CFE28D-36EA-4E38-A9E6-092E3C95070C} - hxxps://www.info1online.com/screens/GetLOSCab.asp?LOSType=151
DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - hxxp://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\znjby5yg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Move Media Player: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Temp Installer: {77868449-f49d-d6ec-3145-e651161b1ff8} - %profile%\extensions\{77868449-f49d-d6ec-3145-e651161b1ff8}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{795F4311-02C9-4B7B-A9BB-78D4FE68A98D} - c:\windows\$BLSTUN$\lmatn.dll
HKCU-Run-Aim6 - (no file)
HKU-Default-Run-PbOVsnXuaBESx.exe - c:\documents and settings\All Users\Application Data\PbOVsnXuaBESx.exe
SafeBoot-41970985.sys
AddRemove-$BLSTUN$ - c:\windows\$BLSTUN$\apUninstall.exe
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-StealthBot v2.6 Revision 3 - c:\program files\StealthBot\uninst.exe
AddRemove-{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} - c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
AddRemove-{F1CBC6F7-D82D-4DC5-B81C-9A14F418593A}_is1 - c:\program files\WC3Banlist\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-03 04:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ee,b9,34,d9,6e,a8,b7,4b,85,76,7b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ee,b9,34,d9,6e,a8,b7,4b,85,76,7b,\
.
[HKEY_USERS\S-1-5-21-3688595327-2197772989-1471239438-1003\Software\SecuROM\License information*]
"datasecu"=hex:74,25,fe,4b,ba,d5,b6,6b,4d,be,58,f3,72,a7,30,bb,b9,bd,dd,bf,1b,
ef,80,dc,2a,e8,54,8a,88,0e,d1,da,e6,2d,91,b5,d0,3b,f3,7c,16,42,2a,a2,af,a2,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3596)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\RunDLL32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\ScsiAccess.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-03 04:30:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-03 08:30
ComboFix2.txt 2010-02-26 20:40
.
Pre-Run: 11,792,498,688 bytes free
Post-Run: 11,985,612,800 bytes free
.
- - End Of File - - 7CA7680A1D539862EFD76E02BFE57D43


Thanks again for the fast reply =) I will probably be awake another 2-3 hours before sleep.

Edit: Tried running Starcraft2 to see if that would run (since it had been crashing abnormally since the infection this morning), and it crashed upon startup. So it was either corrupted or is still being affected. If you think it's just corrupted, let me know; a reinstall isn't a huge deal =D

Edited by drewdreworld, 03 October 2011 - 02:52 AM.

  • 0

#6
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Good job! ComboFix removed the main component of the infection, but you still have files from the infection on your system.

Step 1

Please close all running programs and run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    O2 - BHO: (adfabonppr Object) - {26D02F99-AE5B-4533-AD67-E23B4B20D60D} - C:\WINDOWS\$BLSTUN$\qgnnv.dll ()
    O2 - BHO: (brumabonpgrm Object) - {795F4311-02C9-4B7B-A9BB-78D4FE68A98D} - C:\WINDOWS\$BLSTUN$\lmatn.dll ()
    O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
    [2011/10/03 01:57:25 | 000,000,000 | ---- | M] () -- C:\WINDOWS\3972701242
    [2011/10/03 01:56:02 | 000,120,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\19511.sys
    [2011/10/03 01:55:00 | 000,462,336 | ---- | M] (Daniel Pistelli) -- C:\Documents and Settings\All Users\Application Data\PbOVsnXuaBESx.exe
    [2011/10/03 01:04:06 | 000,120,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\60222.sys
    [2011/10/03 00:44:01 | 000,120,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\79010.sys
    [2011/10/02 19:46:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\3972701242
    [2010/02/25 20:01:29 | 000,009,968 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\621Yn0On344RP
    [2006/11/19 18:31:56 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\ZyDelReg.exe
    [2006/11/19 18:31:55 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
    [2006/11/19 18:31:55 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
    [2004/04/29 05:30:36 | 003,130,856 | -H-- | C] () -- C:\WINDOWS\System32\kyf.dat
    @Alternate Data Stream - 784 bytes -> C:\WINDOWS\3972701242:3311613203.exe

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 2

Download Virus Removal Tool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right


Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan

Allow Virus Removal Tool to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press the Save button
Save it to your desktop and attach to your next post

Step 3

Please don't forget to include these items in your reply:

  • OTL fix log
  • VRT log
It would be helpful if you could post each log in a separate post
  • 0

#7
drewdreworld
    Member
  • Topic Starter
  • Member
  • 90 posts
Getting this error msg/screen when I try to input my email and first name/last name to download the Kaspersky antivirus..
HTTP Status 400 -

type Status report

message

description The request sent by the client was syntactically incorrect ().
Apache Tomcat/5.5.20

Here's the log after the most recent OTL though..

All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{26D02F99-AE5B-4533-AD67-E23B4B20D60D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26D02F99-AE5B-4533-AD67-E23B4B20D60D}\ not found.
File C:\WINDOWS\$BLSTUN$\qgnnv.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{795F4311-02C9-4B7B-A9BB-78D4FE68A98D}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{795F4311-02C9-4B7B-A9BB-78D4FE68A98D}\ not found.
File C:\WINDOWS\$BLSTUN$\lmatn.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
File C:\WINDOWS\3972701242 not found.
C:\WINDOWS\system32\drivers\19511.sys moved successfully.
File C:\Documents and Settings\All Users\Application Data\PbOVsnXuaBESx.exe not found.
C:\WINDOWS\system32\drivers\60222.sys moved successfully.
C:\WINDOWS\system32\drivers\79010.sys moved successfully.
File C:\WINDOWS\3972701242 not found.
C:\Documents and Settings\Owner\Local Settings\Application Data\621Yn0On344RP moved successfully.
C:\WINDOWS\system32\ZyDelReg.exe moved successfully.
C:\WINDOWS\system32\InsDrvZD.dll moved successfully.
C:\WINDOWS\system32\InsDrvZD64.DLL moved successfully.
C:\WINDOWS\system32\kyf.dat moved successfully.
Unable to delete ADS C:\WINDOWS\3972701242:3311613203.exe .
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.
C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 13 bytes
->Flash cache emptied: 4136 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 34190 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 28306693 bytes
->Flash cache emptied: 731 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 27.00 mb


[EMPTYFLASH]

User: All Users

User: Default User

User: Guest
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Owner
->Flash cache emptied: 0 bytes

User: UpdatusUser

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.29.1 log created on 10032011_054655

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
  • 0

#8
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Try to download the latest version from This link.

If you fail try another browser.
  • 0

#9
drewdreworld
    Member
  • Topic Starter
  • Member
  • 90 posts
That link worked =D it's estimating to be done in 11 hours so I'll post back when it's done. Thanks much again!
  • 0

#10
drewdreworld
    Member
  • Topic Starter
  • Member
  • 90 posts
Phew! Scan finally finished =D I have the scan report.txt as well as the detected threats.txt.. here's a copy+paste of the detected threats.txt...

Status: Disinfected (events: 3)
10/3/2011 5:20:48 PM Disinfected Trojan program Trojan.Win32.Agent.ogkp C:\Documents and Settings\Owner\My Documents\W3XNameSpooferPro11101.zip High
10/3/2011 5:20:48 PM Disinfected Trojan program Trojan.Win32.Agent.ogkp C:\Documents and Settings\Owner\My Documents\W3XNameSpooferPro11101.zip/W3XNameSpooferPro11101/W3XNameSpooferPro11101.exe High
10/3/2011 8:04:40 PM Disinfected virus Virus.Win32.TDSS.e c:\WINDOWS\system32\drivers\volsnap.sys High
Status: Deleted (events: 32)
10/3/2011 5:25:18 PM Deleted Trojan program Trojan.Win32.Agent.ogkp C:\Documents and Settings\Owner\My Documents\download\drewdreworld\Pre-Sept 06 Files\W3XNameSpooferPro11101.exe High
10/3/2011 5:21:33 PM Deleted Trojan program Trojan.Win32.Agent.ogkp C:\Documents and Settings\Owner\My Documents\W3XNameSpooferPro11101\W3XNameSpooferPro11101\W3XNameSpooferPro11101.exe High
10/3/2011 5:21:31 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\hp\recovery\wizard\fscommand\AppRecoveryLink_ret.exe High
10/3/2011 5:26:00 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\hp\recovery\wizard\fscommand\CDLogic_ret.exe High
10/3/2011 5:26:01 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\hp\recovery\wizard\fscommand\CreatorLink_ret.exe High
10/3/2011 5:26:01 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\hp\recovery\wizard\fscommand\RestoreLink_ret.exe High
10/3/2011 5:26:49 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\hp\recovery\wizard\fscommand\RTCDLink_ret.exe High
10/3/2011 5:26:50 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\hp\recovery\wizard\fscommand\RunLink_ret.exe High
10/3/2011 5:26:49 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\hp\recovery\wizard\fscommand\SysRecoveryLink_ret.exe High
10/3/2011 5:26:51 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\hp\recovery\wizard\fscommand\WizardLink_ret.exe High
10/3/2011 6:24:55 PM Deleted Trojan program Trojan.Win32.Jorik.Fraud.emd C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\PbOVsnXuaBESx.exe.vir High
10/3/2011 6:24:56 PM Deleted Trojan program Trojan.Win32.BHO.brag C:\Qoobox\Quarantine\C\WINDOWS\$BLSTUN$\lmatn.dll.vir High
10/3/2011 6:26:13 PM Deleted adware not-a-virus:AdWare.Win32.BHO.abif C:\Qoobox\Quarantine\C\WINDOWS\$BLSTUN$\qgnnv.dll.vir Medium
10/3/2011 6:49:33 PM Deleted Trojan program Trojan.Win32.BHO.brag C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1575\A0493709.dll High
10/3/2011 6:49:37 PM Deleted adware not-a-virus:AdWare.Win32.BHO.abif C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1575\A0493710.dll Medium
10/3/2011 6:51:50 PM Deleted Trojan program Trojan.Win32.FraudPack.cuur C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1575\A0495728.exe High
10/3/2011 6:51:56 PM Deleted Trojan program Trojan.Win32.Jorik.Fraud.emd C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1575\A0495740.exe High
10/3/2011 6:52:40 PM Deleted Trojan program Trojan.Win32.Jorik.Fraud.emd C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0498773.exe High
10/3/2011 6:52:49 PM Deleted adware not-a-virus:AdWare.Win32.BHO.abif C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0498818.dll Medium
10/3/2011 6:53:48 PM Deleted Trojan program Trojan.Win32.BHO.brag C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0498819.dll High
10/3/2011 6:53:52 PM Deleted Trojan program Trojan.Win32.FraudPack.cuur C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0498911.exe High
10/3/2011 6:53:57 PM Deleted Trojan program Trojan.Win32.Jorik.Fraud.emd C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501063.exe High
10/3/2011 6:54:03 PM Deleted Trojan program Trojan.Win32.BHO.brag C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501072.dll High
10/3/2011 6:54:07 PM Deleted adware not-a-virus:AdWare.Win32.BHO.abif C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501073.dll Medium
10/3/2011 6:54:26 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501184.exe High
10/3/2011 6:54:27 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501185.exe High
10/3/2011 6:54:32 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501186.exe High
10/3/2011 6:54:32 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501187.exe High
10/3/2011 6:54:34 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501188.exe High
10/3/2011 6:54:35 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501189.exe High
10/3/2011 6:54:36 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501190.exe High
10/3/2011 6:54:37 PM Deleted Trojan program Trojan-Spy.Win32.Agent.bdrd C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501191.exe High
Status: Quarantined (events: 8)
10/3/2011 6:52:38 PM Quarantined virus Virus.Win32.Suspic.gen C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0498772.sys High
10/3/2011 7:27:19 PM Quarantined virus HEUR:Trojan.Win32.Generic C:\WINDOWS\system32\spool\prtprocs\w32x86\44221.tmp High
10/3/2011 7:27:18 PM Quarantined virus Virus.Win32.Suspic.gen C:\_OTL\MovedFiles\10032011_054655\C_WINDOWS\system32\drivers\19511.sys High
10/3/2011 7:27:23 PM Quarantined virus Virus.Win32.Suspic.gen C:\_OTL\MovedFiles\10032011_054655\C_WINDOWS\system32\drivers\60222.sys High
10/3/2011 7:27:25 PM Quarantined virus Virus.Win32.Suspic.gen C:\_OTL\MovedFiles\10032011_054655\C_WINDOWS\system32\drivers\79010.sys High
10/3/2011 8:57:59 PM Quarantined virus Virus.Win32.Suspic.gen C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501193.sys High
10/3/2011 8:58:02 PM Quarantined virus Virus.Win32.Suspic.gen C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501194.sys High
10/3/2011 8:58:03 PM Quarantined virus Virus.Win32.Suspic.gen C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501195.sys High
Edit: There was a point where it rebooted to disinfect and there was a separate log that I didn't remember to save =( I'm sorry =( called the disinfected log or something, I think.

Edited by drewdreworld, 03 October 2011 - 08:47 PM.

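As an added example (not part of the original thread, and not a tool the VRT or OTL provide), here is a small Python script that parses event lines in the format of the log above and sorts them by where the hit actually was: a System Restore snapshot (`System Volume Information\_restore...`, inert unless a restore is performed), OTL's `_OTL\MovedFiles` folder (already moved out of place by OTL in an earlier step), or a live system location. The sample lines are copied from the log above; the location rules and the "digits-only file name" flag are this example's own assumptions, modelled on the driver and spool names the log shows.

```python
import re
from dataclasses import dataclass
from typing import List, Dict

# Sample lines copied from the VRT log posted above; the "Status:" headers are
# kept to show that non-event lines are ignored by the parser.
SAMPLE_LOG = r"""
Status: Deleted (events: 2)
10/3/2011 6:53:52 PM Deleted Trojan program Trojan.Win32.FraudPack.cuur C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0498911.exe High
10/3/2011 6:54:07 PM Deleted adware not-a-virus:AdWare.Win32.BHO.abif C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501073.dll Medium
Status: Quarantined (events: 4)
10/3/2011 7:27:19 PM Quarantined virus HEUR:Trojan.Win32.Generic C:\WINDOWS\system32\spool\prtprocs\w32x86\44221.tmp High
10/3/2011 7:27:18 PM Quarantined virus Virus.Win32.Suspic.gen C:\_OTL\MovedFiles\10032011_054655\C_WINDOWS\system32\drivers\19511.sys High
10/3/2011 7:27:23 PM Quarantined virus Virus.Win32.Suspic.gen C:\_OTL\MovedFiles\10032011_054655\C_WINDOWS\system32\drivers\60222.sys High
10/3/2011 8:57:59 PM Quarantined virus Virus.Win32.Suspic.gen C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP1576\A0501193.sys High
"""

# One event line: timestamp, action, detection kind, verdict name, path, severity.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>\w+) "            # Deleted / Quarantined
    r"(?P<kind>.+?) "              # "Trojan program", "adware", "virus"
    r"(?P<verdict>\S+) "           # detection name, may contain ':'
    r"(?P<path>[A-Za-z]:\\.*?) "   # Windows path, may contain spaces
    r"(?P<severity>High|Medium|Low)$"
)

# Digits-only file names (19511.sys, 44221.tmp) are the naming pattern the log
# shows for the dropped files. This is a flag for a human, not proof of anything.
RANDOM_NAME_RE = re.compile(r"^\d+\.(?:sys|tmp|exe|dll)$", re.IGNORECASE)


@dataclass
class Event:
    timestamp: str
    action: str
    kind: str
    verdict: str
    path: str
    severity: str
    location: str        # "live", "restore-point" or "otl-moved"
    random_named: bool


def classify_location(path: str) -> str:
    """Where the hit was on disk. The rules are this example's assumptions."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"   # snapshot copy, inert unless System Restore is used
    if "\\_otl\\movedfiles\\" in p:
        return "otl-moved"       # already moved out of its original location by OTL
    return "live"


def is_random_named(path: str) -> bool:
    return RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1]) is not None


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # "Status:" headers, blank lines, anything unrecognised
        d = m.groupdict()
        events.append(Event(d["ts"], d["action"], d["kind"], d["verdict"],
                            d["path"], d["severity"],
                            classify_location(d["path"]),
                            is_random_named(d["path"])))
    return events


def summarize(events: List[Event]) -> Dict[str, object]:
    counts = {"live": 0, "restore-point": 0, "otl-moved": 0}
    for e in events:
        counts[e.location] += 1
    # Hits in live locations are the ones a helper wants to look at first.
    return {
        "counts": counts,
        "needs_attention": [e.path for e in events if e.location == "live"],
        "random_named": [e.path for e in events if e.random_named],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

On the sample above the only live-location hit is the `.tmp` under `system32\spool\prtprocs\w32x86`; the three restore-point entries and the two files OTL had already moved still deserve a look, but they were not running from their original locations when the VRT found them.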

#11 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi drewdreworld,

VRT did a great job. How is your system now? Problems?

#12 drewdreworld (Topic Starter, Member, 90 posts)
It seems to be running much better. I haven't really done much random googling to check for the browser hijack, but StarCraft is running well again and whatnot =D I appreciate your help very, very much!!

#13 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Glad to hear that. Use your PC as you always do and I'll prepare some cleanup for you. Stay tuned...

#14 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi drewdreworld,

Your logs and system are clean now. I'm glad we fixed up your computer. We need to clean up your PC from the programs we used.

Step 1

Please start OTL one more time and click the CleanUp button. OTL will restart your system at the end. Remove all other applications we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then click to select one of the following options. We recommend the option Automatic (recommended): Automatically download recommended updates for my computer and install them.
  • Click the OK button.

2. Delete Temp files

Download TFC to your desktop.
  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.

#15 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
