Stubborn Infection: WIN32.PUP.Bandoo [Closed]


#1
daba
Member | 104 posts
I like to run a smooth ship and so run weekly diagnostics. I have had this infection for some weeks now and cannot get rid of it. Googling it didn't return anything useful, with the exception of a French site's suggestion to run the computer in Safe Mode and then run Ad-aware again. The chap said that would allow the infection flagged by Ad-aware to be got rid of. Sounded reasonable, so I tried to do that and to my surprise found that I can no longer run my laptop in Safe Mode; it simply auto shuts down. Weird! I would be grateful for any help. Thank you very much. Here's the OTL log:

OTL logfile created on: 2/2/2012 10:11:59 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator.DAVID-D044439A7\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.04 Gb Available Physical Memory | 55.74% Memory free
3.72 Gb Paging File | 2.95 Gb Available in Paging File | 79.35% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.63 Gb Total Space | 73.60 Gb Free Space | 75.38% Space Free | Partition Type: FAT32
Drive D: | 68.36 Gb Total Space | 14.02 Gb Free Space | 20.51% Space Free | Partition Type: NTFS
Drive E: | 66.86 Gb Total Space | 12.72 Gb Free Space | 19.02% Space Free | Partition Type: NTFS

Computer Name: DAVID-D044439A7 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/02 22:11:04 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\desktop\OTL.exe
PRC - [2012/02/02 11:48:06 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2012/01/29 21:52:46 | 000,949,104 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe
PRC - [2012/01/11 11:08:40 | 001,528,376 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
PRC - [2012/01/11 11:08:40 | 000,845,880 | ---- | M] () -- C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe
PRC - [2011/12/29 22:29:04 | 000,497,496 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe
PRC - [2011/09/04 12:07:22 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2011/09/03 20:39:54 | 000,269,480 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/04/21 07:54:06 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011/04/21 07:53:50 | 000,136,360 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/04/21 07:53:34 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/04/05 16:46:08 | 000,288,040 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2010/03/23 13:22:26 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2010/02/17 15:34:40 | 000,054,568 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2009/01/31 22:43:30 | 000,049,250 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2008/11/09 12:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 17:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/10 10:23:50 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\stacsv.exe
PRC - [2007/02/16 09:58:12 | 000,856,064 | ---- | M] (Christian Diefer) -- C:\Program Files\I8kfanGUI\I8kfanGUI.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/29 21:52:56 | 000,316,928 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstoggdec.dll
MOD - [2012/01/29 21:52:56 | 000,275,968 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstwebmdec.dll
MOD - [2012/01/29 21:52:56 | 000,168,448 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstffmpegcolorspace.dll
MOD - [2012/01/29 21:52:56 | 000,078,336 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstwavparse.dll
MOD - [2012/01/29 21:52:56 | 000,076,800 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstdirectsound.dll
MOD - [2012/01/29 21:52:56 | 000,064,000 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstautodetect.dll
MOD - [2012/01/29 21:52:56 | 000,046,592 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstwaveform.dll
MOD - [2012/01/29 21:52:56 | 000,045,568 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gsttypefindfunctions.dll
MOD - [2012/01/29 21:52:54 | 000,783,360 | ---- | M] () -- C:\Program Files\Opera\gstreamer\gstreamer.dll
MOD - [2012/01/29 21:52:54 | 000,099,840 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstcoreplugins.dll
MOD - [2012/01/29 21:52:54 | 000,098,816 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstaudioresample.dll
MOD - [2012/01/29 21:52:54 | 000,098,816 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstaudioconvert.dll
MOD - [2012/01/29 21:52:54 | 000,068,608 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstdecodebin2.dll
MOD - [2012/01/11 11:08:40 | 000,845,880 | ---- | M] () -- C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe
MOD - [2011/11/22 12:23:38 | 008,527,008 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/11/10 22:43:26 | 000,138,072 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\ASCv5ExtMenu.dll
MOD - [2011/10/20 13:29:44 | 000,106,496 | ---- | M] () -- C:\Program Files\Opera\gstreamer\plugins\gstcoreelements.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/07/20 16:40:26 | 000,355,688 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2011/05/28 22:04:58 | 000,140,288 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2011/04/21 16:54:40 | 000,347,024 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\madexcept_.bpl
MOD - [2011/04/21 16:54:40 | 000,179,088 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\madbasic_.bpl
MOD - [2011/04/21 16:54:40 | 000,046,480 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 5\maddisAsm_.bpl


========== Win32 Services (SafeList) ==========

SRV - [2011/12/29 22:29:04 | 000,497,496 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe -- (AdvancedSystemCareService5)
SRV - [2011/12/19 12:53:54 | 002,152,152 | ---- | M] (Lavasoft Limited) [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011/09/04 12:07:22 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/09/03 20:39:54 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/04/21 07:53:50 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/11/09 12:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/05/10 10:23:50 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)


========== Driver Services (SafeList) ==========

DRV - [2011/12/24 10:52:38 | 000,022,016 | ---- | M] (NT Kernel Resources) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Ndisrd.sys -- (NdisrdMP)
DRV - [2011/12/24 10:52:38 | 000,022,016 | ---- | M] (NT Kernel Resources) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ndisrd.sys -- (Ndisrd)
DRV - [2011/12/12 10:07:32 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2011/12/12 10:07:28 | 000,015,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2011/09/03 20:39:56 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/09/03 20:39:56 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011/08/24 15:25:02 | 000,171,992 | ---- | M] (360.cn) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\qutmdrv.sys -- (qutmdserv)
DRV - [2011/08/23 14:12:16 | 000,142,552 | ---- | M] (360安全中心) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\360SelfProtection.sys -- (360SelfProtection)
DRV - [2011/08/22 02:21:04 | 000,156,760 | ---- | M] (360安全中心) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\360Box.sys -- (360Box)
DRV - [2011/08/16 11:22:12 | 000,063,704 | ---- | M] (360安全中心) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\Hookport.sys -- (HookPort)
DRV - [2011/07/28 20:19:20 | 000,035,160 | ---- | M] (360.cn) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\qutmipc.sys -- (qutmipc)
DRV - [2011/07/22 09:27:04 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 14:55:24 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/07/06 18:16:08 | 004,137,960 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtKHDMI.sys -- (RTHDMIAzAudService)
DRV - [2011/04/07 19:43:10 | 000,154,968 | ---- | M] (360.cn) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\360netmon.sys -- (360netmon)
DRV - [2011/03/16 00:19:02 | 000,083,416 | ---- | M] (360.cn) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BAPIDRV.SYS -- (BAPIDRV)
DRV - [2010/11/26 18:02:52 | 000,014,776 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
DRV - [2010/10/28 16:05:00 | 003,363,384 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2010/08/13 03:54:08 | 000,019,712 | ---- | M] (奇虎网) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\efimon.sys -- (EfiMon)
DRV - [2010/06/17 15:27:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 15:27:14 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2010/04/15 13:36:40 | 000,252,536 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2009/12/12 09:48:04 | 000,025,984 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2009/06/25 08:58:10 | 000,048,128 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2009/06/25 08:25:58 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2009/06/25 08:10:48 | 000,044,544 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2009/03/25 06:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2009/02/25 15:58:58 | 003,565,568 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/10/11 18:40:00 | 000,009,096 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdide.sys -- (amdide)
DRV - [2007/08/02 17:35:12 | 000,989,952 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/08/02 17:34:30 | 000,211,200 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2007/08/02 17:34:26 | 000,731,136 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2007/05/10 10:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/02/16 02:05:48 | 000,014,464 | ---- | M] (Christian Diefer) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fanio.sys -- (fanio)
DRV - [2006/07/01 07:43:02 | 000,041,984 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/02/14 20:34:14 | 000,027,904 | ---- | M] (REDC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\risdptsk.sys -- (risdptsk)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/05/24 01:32:20 | 000,054,912 | ---- | M] (REDC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\R592.sys -- (R592)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...?client=aff-ime
IE - HKCU\..\URLSearchHook: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YouTube Downloader Toolbar\IE\4.9\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@qq.com/npqscall,version=1.0.0: %commonprogramfiles%\tencent\NPQSCALL\npqscall.dll File not found
FF - HKLM\Software\MozillaPlugins\@qq.com/QzoneMusic: File not found
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Administrator.DAVID-D044439A7\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Administrator.DAVID-D044439A7\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/02/02 11:48:24 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/11 06:20:46 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\wcapturex@deskperience.com: C:\Program Files\WordWeb\WCaptureMoz [2011/09/04 14:29:10 | 000,000,000 | ---D | M]

[2011/09/11 06:21:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Mozilla\Extensions
[2011/10/02 13:48:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Mozilla\Extensions\uploadr@flickr.com
[2011/12/30 14:54:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Mozilla\Firefox\Profiles\2ndso3l2.default\extensions
[2012/01/26 13:00:40 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Mozilla\Firefox\Profiles\2ndso3l2.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/01/22 20:32:28 | 000,000,000 | ---D | M] (CCTV player plugin for Firefox) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Mozilla\Firefox\Profiles\2ndso3l2.default\extensions\cctvplayer-plugin@www.cctv.com
[2011/12/10 15:30:26 | 000,000,000 | ---D | M] (Popup Chinese Dictionary) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Mozilla\Firefox\Profiles\2ndso3l2.default\extensions\david.lancashire@gmail.com
[2011/09/11 06:20:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/12/13 22:36:26 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2011/12/12 16:54:24 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
[2012/01/10 11:32:42 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/01/10 11:32:38 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
[2012/01/10 11:32:38 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

========== Chrome ==========

CHR - default_search_provider: Startpage HTTPS (Enabled)
CHR - default_search_provider: search_url = https://startpage.co...anguage=english
CHR - default_search_provider: suggest_url =
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrator.DAVID-D044439A7\Local Settings\Application Data\Google\Chrome\Application\13.0.782.220\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: RealPlayer™ HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Chrome NaCl (Disabled) = C:\Documents and Settings\Administrator.DAVID-D044439A7\Local Settings\Application Data\Google\Chrome\Application\13.0.782.220\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Administrator.DAVID-D044439A7\Local Settings\Application Data\Google\Chrome\Application\13.0.782.220\pdf.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: RealNetworks™ Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Documents and Settings\Administrator.DAVID-D044439A7\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\

O1 HOSTS File: ([2012/01/30 11:35:32 | 000,441,010 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 15161 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (YouTube Downloader Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YouTube Downloader Toolbar\IE\4.9\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (ncikuToolBar) - {77D8DC41-9CE3-42E2-AF46-84F9686BFE21} - C:\Program Files\nciku\Toolbar\ncikuToolbar_0_5_1_74.dll (NHN Corporation.)
O3 - HKLM\..\Toolbar: (YouTube Downloader Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YouTube Downloader Toolbar\IE\4.9\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {65F8A3D2-4C22-4A33-9633-73167EAEEC45} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Google Pinyin 2 Autoupdater] C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe (Google Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [Advanced SystemCare 5] C:\Program Files\IObit\Advanced SystemCare 5\ASCTray.exe (IObit)
O4 - HKCU..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe (Christian Diefer)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NolowDiskSpaceChecks = 1
O8 - Extra context menu item: Download all by FlashGet3 - C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\FlashGetBHO\GetAllUrl.htm ()
O8 - Extra context menu item: Download by FlashGet3 - C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\FlashGetBHO\GetUrl.htm ()
O8 - Extra context menu item: 使用迷你快车下载 - C:\Program Files\FlashGet Network\FlashGet Mini\GetUrl.htm File not found
O8 - Extra context menu item: 使用迷你快车下载全部链接 - C:\Program Files\FlashGet Network\FlashGet Mini\GetAllUrl.htm File not found
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D42164CE-BC45-4730-AEBE-DA35CF43E1F6}: NameServer = 221.7.128.68 221.7.136.68
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator.DAVID-D044439A7\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator.DAVID-D044439A7\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/24 19:25:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/02 22:10:59 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Desktop\OTL.exe
[2012/02/02 21:25:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2012/02/02 12:24:05 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Recent
[2012/02/02 12:13:10 | 000,000,000 | -HSD | C] -- C:\FOUND.003
[2012/02/02 11:48:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2012/02/02 11:48:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Real
[2012/01/29 21:08:16 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/01/26 21:10:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\360Login
[2012/01/26 14:13:34 | 000,000,000 | -HSD | C] -- C:\FOUND.002
[2012/01/25 20:01:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Premium
[2012/01/25 20:01:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallMate
[2012/01/23 22:15:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\theWord
[2012/01/23 22:14:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\The Word
[2012/01/23 22:14:45 | 000,000,000 | ---D | C] -- C:\Program Files\The Word
[2012/01/23 22:14:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\The Word
[2012/01/23 20:21:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Modartt
[2012/01/23 13:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Modartt
[2012/01/23 13:06:11 | 000,000,000 | ---D | C] -- C:\Program Files\Steinberg
[2012/01/23 13:06:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Digidesign
[2012/01/23 13:06:04 | 000,000,000 | ---D | C] -- C:\Program Files\Modartt
[2012/01/13 22:59:14 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/01/09 12:19:38 | 000,000,000 | -HSD | C] -- C:\FOUND.001
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[12 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/02 22:11:04 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Desktop\OTL.exe
[2012/02/02 21:34:48 | 000,312,038 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/02 21:34:48 | 000,040,326 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/02 21:32:08 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2012/02/02 21:31:42 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2012/02/02 21:31:42 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2012/02/02 21:31:02 | 000,000,296 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag_Startup.job
[2012/02/02 21:29:30 | 000,000,328 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2012/02/02 21:29:26 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-329068152-562591055-725345543-500.job
[2012/02/02 21:29:24 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/02 21:29:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/02 21:29:12 | 2011,168,768 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/02 20:35:48 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-562591055-725345543-500.job
[2012/02/02 20:23:02 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/02 12:18:20 | 000,000,627 | ---- | M] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\Pianoteq.lnk
[2012/02/02 12:17:58 | 000,000,747 | ---- | M] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\RealPlayer.lnk
[2012/02/02 12:16:50 | 000,000,579 | ---- | M] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\theWord.lnk
[2012/02/02 12:14:10 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/02 11:48:06 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\WINDOWS\System32\pncrt.dll
[2012/02/01 22:26:52 | 000,001,533 | ---- | M] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Desktop\freeu.ini
[2012/01/30 21:27:14 | 000,070,656 | ---- | M] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/01/30 10:30:26 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/01/29 09:51:38 | 000,002,283 | ---- | M] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype.lnk
[2012/01/28 20:31:14 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2012/01/26 12:35:08 | 000,196,960 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/01/24 10:36:32 | 000,031,941 | ---- | M] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Desktop\infowarsanswer.jpg
[2012/01/22 10:12:16 | 000,000,829 | ---- | M] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\Uninstaller.lnk
[2012/01/21 11:26:34 | 000,000,796 | ---- | M] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced SystemCare 5.lnk
[2012/01/12 21:23:44 | 000,000,700 | ---- | M] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[12 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/02 21:29:10 | 2011,168,768 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/02 12:18:18 | 000,000,627 | ---- | C] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\Pianoteq.lnk
[2012/02/02 12:17:56 | 000,000,747 | ---- | C] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\RealPlayer.lnk
[2012/02/02 12:16:48 | 000,000,579 | ---- | C] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\theWord.lnk
[2012/02/02 11:49:11 | 000,000,302 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-329068152-562591055-725345543-500.job
[2012/01/24 10:36:30 | 000,031,941 | ---- | C] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Desktop\infowarsanswer.jpg
[2012/01/22 10:12:15 | 000,000,829 | ---- | C] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\Uninstaller.lnk
[2012/01/13 16:50:02 | 000,001,533 | ---- | C] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Desktop\freeu.ini
[2012/01/12 21:23:43 | 000,000,700 | ---- | C] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2011/12/19 15:32:28 | 000,016,432 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2011/12/19 08:00:22 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/08 16:52:13 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/11/27 03:31:02 | 000,020,312 | ---- | C] () -- C:\WINDOWS\System32\RegistryDefragBootTime.exe
[2011/10/28 23:36:47 | 000,001,534 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2011/09/09 06:12:02 | 000,000,248 | ---- | C] () -- C:\WINDOWS\System32\secustat.dat
[2011/09/09 06:04:17 | 000,000,915 | ---- | C] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\coreavc.ini
[2011/09/09 05:51:06 | 000,001,184 | ---- | C] () -- C:\WINDOWS\System32\secushr.dat
[2011/09/09 05:50:59 | 000,000,025 | ---- | C] () -- C:\WINDOWS\libem.INI
[2011/09/04 11:38:58 | 000,025,944 | ---- | C] () -- C:\WINDOWS\System32\SmartDefragBootTime.exe
[2011/09/04 11:38:58 | 000,014,776 | ---- | C] () -- C:\WINDOWS\System32\drivers\SmartDefragDriver.sys
[2011/09/04 07:53:25 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/09/04 07:53:25 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/09/03 21:28:51 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Local Settings\Application Data\housecall.guid.cache
[2011/09/03 21:26:59 | 000,070,656 | ---- | C] () -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/03 19:43:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/09/03 14:18:27 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2011/09/03 14:05:16 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/09/03 13:52:59 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/09/03 13:44:48 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/09/03 13:39:19 | 000,196,960 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/09/02 23:19:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2011/09/02 23:19:28 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2011/09/02 23:19:27 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2011/09/02 23:19:27 | 000,182,995 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2004/08/04 12:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 12:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 12:00:00 | 000,312,038 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 12:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 12:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 12:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 12:00:00 | 000,040,326 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 12:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 12:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 12:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 12:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/04 12:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/09/02 23:47:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/09/03 19:07:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2011/09/04 11:53:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\!SASCORE
[2011/09/04 13:07:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\360SD
[2011/09/04 13:09:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\360safe
[2011/09/09 05:25:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Storm
[2011/09/09 05:49:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Persist
[2011/09/11 06:00:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SecTaskMan
[2011/11/26 19:24:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\IObit
[2011/12/30 14:53:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\YouTube Downloader
[2011/12/31 17:00:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Tencent
[2012/01/23 22:14:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\The Word
[2012/01/25 20:01:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallMate
[2012/01/25 20:01:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Premium
[2011/09/02 23:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\dg
[2011/09/03 02:52:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Opera
[2011/09/03 03:12:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\IObit
[2011/09/04 13:08:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\360safe
[2011/09/04 13:09:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\360WD
[2011/09/04 13:36:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\uTorrent
[2011/09/05 20:30:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\360se
[2011/09/09 05:25:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\baofengAddr
[2011/09/09 05:50:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\FlashGet
[2011/09/09 05:50:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\FlashGetBHO
[2011/09/09 05:50:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\FlashgetSetup
[2011/09/09 05:50:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\BITS
[2011/09/11 04:08:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\GlarySoft
[2011/10/02 12:49:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\PhotoScape
[2011/10/02 13:48:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Flickr
[2011/11/25 10:20:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\LocalLow
[2011/12/11 17:14:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\.anki
[2011/12/11 17:24:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\mplayer
[2011/12/11 21:55:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\TENCENT
[2011/12/26 08:22:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\360Notify
[2011/12/30 14:54:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Search Settings
[2011/12/30 14:57:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\YouTube Downloader
[2011/12/31 16:52:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\QQMusicUpdate
[2012/01/23 20:21:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Modartt
[2012/01/23 22:14:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\The Word
[2012/01/26 21:10:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\360Login
[2012/02/02 21:32:08 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2012/02/02 21:29:30 | 000,000,328 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job
[2012/02/02 21:31:02 | 000,000,296 | ---- | M] () -- C:\WINDOWS\Tasks\SmartDefrag_Startup.job

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2012/02/02 21:31:08 | 000,000,294 | ---- | M] ()(C:\WINDOWS\tasks\360????????????.job) -- C:\WINDOWS\tasks\360开机加速延迟启动任务计划.job
[2011/12/29 17:22:42 | 000,000,637 | ---- | M] ()(C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\360????? 3.lnk) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\360安全浏览器 3.lnk
[2011/12/29 17:22:40 | 000,000,637 | ---- | C] ()(C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\360????? 3.lnk) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\360安全浏览器 3.lnk
[2011/09/13 05:02:40 | 000,000,778 | ---- | M] ()(C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\360????.lnk) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\360软件管家.lnk
[2011/09/04 20:01:55 | 000,000,294 | ---- | C] ()(C:\WINDOWS\tasks\360????????????.job) -- C:\WINDOWS\tasks\360开机加速延迟启动任务计划.job
[2011/09/04 17:05:58 | 000,000,778 | ---- | C] ()(C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\360????.lnk) -- C:\Documents and Settings\Administrator.DAVID-D044439A7\Application Data\Microsoft\Internet Explorer\Quick Launch\360软件管家.lnk
(C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\360????? 3) -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\360安全浏览器 3

< End of report >



#2
maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Hello daba and welcome to my office here at G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start, please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or that isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you to. Instead, please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed.

Step 1

Can you post the last scan log that detected this malware? I suppose it was Ad-aware.

Do you recognize any of these files? Their names are not in English:

(奇虎网) C:\WINDOWS\system32\drivers\efimon.sys -- (EfiMon)
(360.cn) C:\WINDOWS\system32\drivers\360netmon.sys -- (360netmon)
(360安全中心) C:\WINDOWS\system32\drivers\360SelfProtection.sys -- (360SelfProtection)
(360安全中心) C:\WINDOWS\system32\drivers\360Box.sys -- (360Box)
(360安全中心) C:\WINDOWS\System32\Drivers\Hookport.sys -- (HookPort)
C:\WINDOWS\tasks\360开机加速延迟启动任务计划.job

Step 2

Download Virus Removal Tool from Here to your desktop.

Run the programme you have just downloaded to your desktop (it will be randomly named).

First, we will run a virus scan.

Click the cog in the upper right.
Posted Image


Select down to and including your main drive. Once done, select the Automatic scan tab and press Start Scan.
Posted Image

Allow Virus Removal Tool to delete all infections found.
Once it has finished, select the Report tab (last tab).
Select the Detected threats report from the left and press the Save button.
Save it to your desktop and attach it to your next post.


Step 3

Please don't forget to include these items in your reply:

  • VRT log
It would be helpful if you could post each log in a separate post.

#3
daba

    Member

  • Member
  • PipPipPip
  • 104 posts
Maliprog, hello and thank you for your willingness to help me. I have followed your instructions to the best of my ability. Unfortunately, I cannot provide details of the originating Ad-aware log since in the interim, after an Avira upgrade prompt, I have uninstalled the program. Plus, I am unable to post the detected threat log since, no threats having been detected after running, the option was unactionable.

Thank you again,

Daba

#4
maliprog

    Trusted Helper

  • Malware Removal
  • 6,171 posts
Do you still have problem with WIN32.PUP.Bandoo after you updated Avira? How is your system now?

Please download Malwarebytes' Anti-Malware.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#5
daba

    Member

  • Member
  • PipPipPip
  • 104 posts
Hello Maliprog,

Thanks for your mail. I reinstalled Ad-aware and ran it to see if the infection was still there: lo and behold, it was. Here's the logfile:

Logfile created: 2/15/2012 20:35:45
Ad-Aware version: 9.6.0
Extended engine: 3
Extended engine version: 3.1.2770
User performing scan: Administrator

*********************** Definitions database information ***********************
Lavasoft definition file: 150.723
Genotype definition file version: 2012/02/13 12:34:34
Extended engine definition file: 11548.0

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 152833
Objects detected: 1


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 1
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0



Skipped items:
Description: d:\system volume information\_restore{704253ec-9b00-43a0-b650-856112df8601}\rp12\a0000851.exe Family Name: Win32.PUP.Bandoo[800] Engine: 1 Clean status: Success Item ID: 0 Family ID: 0 MD5: 76d4823d1f59389e3ec60df59a42802e

Scan and cleaning complete: Finished correctly after 56145 seconds

*********************************** Settings ***********************************

Scan profile:
ID: full, enabled:1, value: Full Scan
ID: folderstoscan, enabled:1, value: C:\,D:\,E:\
ID: useantivirus, enabled:1, value: true
ID: sections, enabled:1
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480
ID: scanrootkits, enabled:1, value: true
ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict
ID: usespywareheuristics, enabled:1, value: true

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: N/A

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily1, enabled:1, value: Daily 1
ID: time, enabled:1, value: Wed Feb 15 12:08:00 2012
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily2, enabled:1, value: Daily 2
ID: time, enabled:1, value: Wed Feb 15 18:08:00 2012
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily3, enabled:1, value: Daily 3
ID: time, enabled:1, value: Wed Feb 15 00:08:00 2012
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily4, enabled:1, value: Daily 4
ID: time, enabled:1, value: Wed Feb 15 06:08:00 2012
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly1, enabled:1, value: Weekly
ID: time, enabled:1, value: Wed Feb 15 12:08:00 2012
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: true
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: true
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: autoentertainmentmode, enabled:1, value: true
ID: guimode, enabled:1, value: mode_simple, domain: mode_advanced,mode_simple
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant
ID: layers, enabled:1
ID: useantivirus, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: maintainbackup, enabled:1, value: true
ID: modules, enabled:1
ID: processprotection, enabled:1, value: true
ID: onaccessprotection, enabled:1, value: true
ID: registryprotection, enabled:1, value: true
ID: networkprotection, enabled:1, value: true


****************************** System information ******************************
Computer name: DAVID-D044439A7
Processor name: AMD Athlon™ 64 X2 Dual-Core Processor TK-57
Processor identifier: x86 Family 15 Model 104 Stepping 2
Processor speed: ~1895MHZ
Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 26626, number of processors 2, processor features: [MMX,SSE,SSE2,3DNow]
Physical memory available: 573575168 bytes
Physical memory total: 2011095040 bytes
Virtual memory available: 1876090880 bytes
Virtual memory total: 2147352576 bytes
Memory load: 71%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 1280 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1340 name: C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1388 name: C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1432 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1444 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1612 name: C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1668 name: C:\WINDOWS\system32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1688 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1756 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 2000 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 384 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 472 name: C:\WINDOWS\system32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 664 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 708 name: C:\Program Files\Avira\AntiVir Desktop\sched.exe owner: SYSTEM domain: NT AUTHORITY
PID: 740 name: C:\Program Files\SUPERAntiSpyware\SASCORE.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 772 name: C:\Program Files\Avira\AntiVir Desktop\avguard.exe owner: SYSTEM domain: NT AUTHORITY
PID: 784 name: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 824 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1332 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1848 name: C:\WINDOWS\system32\STacSV.exe owner: SYSTEM domain: NT AUTHORITY
PID: 980 name: C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2104 name: C:\Program Files\Avira\AntiVir Desktop\avshadow.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2400 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2944 name: C:\WINDOWS\Explorer.EXE owner: Administrator domain: DAVID-D044439A7
PID: 3108 name: C:\Program Files\DellTPad\Apoint.exe owner: Administrator domain: DAVID-D044439A7
PID: 3124 name: C:\Program Files\Common Files\Java\Java Update\jusched.exe owner: Administrator domain: DAVID-D044439A7
PID: 3152 name: C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe owner: Administrator domain: DAVID-D044439A7
PID: 3336 name: C:\Program Files\Avira\AntiVir Desktop\avgnt.exe owner: Administrator domain: DAVID-D044439A7
PID: 3508 name: C:\Program Files\I8kfanGUI\I8kfanGUI.exe owner: Administrator domain: DAVID-D044439A7
PID: 1300 name: C:\WINDOWS\system32\ctfmon.exe owner: Administrator domain: DAVID-D044439A7
PID: 3516 name: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe owner: Administrator domain: DAVID-D044439A7
PID: 3420 name: C:\Program Files\DellTPad\ApMsgFwd.exe owner: Administrator domain: DAVID-D044439A7
PID: 3588 name: C:\Program Files\DellTPad\HidFind.exe owner: Administrator domain: DAVID-D044439A7
PID: 3576 name: C:\Program Files\DellTPad\Apntex.exe owner: Administrator domain: DAVID-D044439A7
PID: 3804 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 4040 name: C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe owner: Administrator domain: DAVID-D044439A7
PID: 3116 name: C:\Program Files\Opera\opera.exe owner: Administrator domain: DAVID-D044439A7
PID: 2812 name: C:\Program Files\iPod\bin\iPodService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5760 name: C:\program files\real\realplayer\update\realsched.exe owner: Administrator domain: DAVID-D044439A7
PID: 496 name: C:\Program Files\360\360se3\360se.exe owner: Administrator domain: DAVID-D044439A7
PID: 4512 name: C:\Program Files\360\360se3\SafeCentral\urlproc.exe owner: Administrator domain: DAVID-D044439A7
PID: 3280 name: C:\Program Files\360\360se3\360se.exe owner: Administrator domain: DAVID-D044439A7
PID: 5832 name: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE owner: Administrator domain: DAVID-D044439A7
PID: 4956 name: C:\Program Files\WordWeb\wweb32.exe owner: Administrator domain: DAVID-D044439A7
PID: 6136 name: C:\WINDOWS\system32\wuauclt.exe owner: Administrator domain: DAVID-D044439A7
PID: 4196 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1100 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2340 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2388 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Administrator domain: DAVID-D044439A7
PID: 5812 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Administrator domain: DAVID-D044439A7

Startup items:
Name: Apoint
imagepath: C:\Program Files\DellTPad\Apoint.exe
Name: KernelFaultCheck
imagepath: %systemroot%\system32\dumprep 0 -k
Name: SunJavaUpdateSched
imagepath: "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
Name: QuickTime Task
imagepath: "C:\Program Files\QuickTime\qttask.exe" -atboottime
Name: Google Pinyin 2 Autoupdater
imagepath: "C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe"
Name: Adobe ARM
imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Name: TkBellExe
imagepath: "C:\program files\real\realplayer\update\realsched.exe" -osboot
Name: avgnt
imagepath: "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name:
imagepath: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *

Running services:
Name: !SASCORE
displayname: SAS Core Service
Name: AdvancedSystemCareService5
displayname: Advanced SystemCare Service 5
Name: ALG
displayname: Application Layer Gateway Service
Name: AntiVirSchedulerService
displayname: Avira Scheduler
Name: AntiVirService
displayname: Avira Realtime Protection
Name: Apple Mobile Device
displayname: Apple Mobile Device
Name: Ati HotKey Poller
displayname: Ati HotKey Poller
Name: AudioSrv
displayname: Windows Audio
Name: BITS
displayname: Background Intelligent Transfer Service
Name: Bonjour Service
displayname: Bonjour Service
Name: CryptSvc
displayname: Cryptographic Services
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: Dnscache
displayname: DNS Client
Name: Eventlog
displayname: Event Log
Name: EventSystem
displayname: COM+ Event System
Name: FastUserSwitchingCompatibility
displayname: Fast User Switching Compatibility
Name: HidServ
displayname: HID Input Service
Name: iPod Service
displayname: iPod Service
Name: JavaQuickStarterService
displayname: Java Quick Starter
Name: lanmanserver
displayname: Server
Name: lanmanworkstation
displayname: Workstation
Name: Netman
displayname: Network Connections
Name: Nla
displayname: Network Location Awareness (NLA)
Name: PlugPlay
displayname: Plug and Play
Name: ProtectedStorage
displayname: Protected Storage
Name: RasMan
displayname: Remote Access Connection Manager
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: SENS
displayname: System Event Notification
Name: SharedAccess
displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: srservice
displayname: System Restore Service
Name: SSDPSRV
displayname: SSDP Discovery Service
Name: STacSV
displayname: SigmaTel Audio Service
Name: TapiSrv
displayname: Telephony
Name: TermService
displayname: Terminal Services
Name: Themes
displayname: Themes
Name: W32Time
displayname: Windows Time
Name: winmgmt
displayname: Windows Management Instrumentation
Name: wscsvc
displayname: Security Center
Name: wuauserv
displayname: Automatic Updates
Name: WZCSVC
displayname: Wireless Zero Configuration
Name: YahooAUService
displayname: Yahoo! Updater
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service

#6 daba (Member, 104 posts)
Forgot to add that Malwarebytes was clean.

#7 maliprog (Trusted Helper, Malware Removal, 6,171 posts)
Hi daba,

OK. This is a leftover in a Restore point. I will clear all restore points and the infection will be gone. Let me know the result :)

NOTE: This fix is custom made for this system only and for current system state! Don't try to run it on another system!

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Commands
    [purity]
    [emptytemp]
    [clearallrestorepoints]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles


#8 daba (Member, 104 posts)
OK, done that. Should I run Ad-Aware again to see if it's still there? Thank you for your help.

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 393216 bytes
->Flash cache emptied: 675 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56468 bytes

User: All Users.WINDOWS

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 34429 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 34518 bytes

User: Administrator.DAVID-D044439A7
->Temp folder emptied: 2197653 bytes
->Temporary Internet Files folder emptied: 113543016 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 52104523 bytes
->Google Chrome cache emptied: 8487017 bytes
->Opera cache emptied: 15603547 bytes
->Flash cache emptied: 86917 bytes

User: ADMINI~1~DAV

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2272875 bytes
%systemroot%\System32 .tmp files removed: 23244305 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 208.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.31.0 log created on 02162012_223043

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#9 maliprog (Trusted Helper, Malware Removal, 6,171 posts)
Yes please. Re-run Ad-Aware just to be sure. I'll prepare some cleanup for you :)

#10 daba (Member, 104 posts)
Hello,

Sorry for the delay. I ran Ad-Aware on the 15th, in advance of asking whether you wanted it. The infection was still there:

Logfile created: 2/15/2012 20:35:45
Ad-Aware version: 9.6.0
Extended engine: 3
Extended engine version: 3.1.2770
User performing scan: Administrator

*********************** Definitions database information ***********************
Lavasoft definition file: 150.723
Genotype definition file version: 2012/02/13 12:34:34
Extended engine definition file: 11548.0

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 152833
Objects detected: 1


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 1
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0



Skipped items:
Description: d:\system volume information\_restore{704253ec-9b00-43a0-b650-856112df8601}\rp12\a0000851.exe Family Name: Win32.PUP.Bandoo[800] Engine: 1 Clean status: Success Item ID: 0 Family ID: 0 MD5: 76d4823d1f59389e3ec60df59a42802e

Scan and cleaning complete: Finished correctly after 56145 seconds

*********************************** Settings ***********************************

Scan profile:
ID: full, enabled:1, value: Full Scan
ID: folderstoscan, enabled:1, value: C:\,D:\,E:\
ID: useantivirus, enabled:1, value: true
ID: sections, enabled:1
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480
ID: scanrootkits, enabled:1, value: true
ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict
ID: usespywareheuristics, enabled:1, value: true

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: N/A

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily1, enabled:1, value: Daily 1
ID: time, enabled:1, value: Wed Feb 15 12:08:00 2012
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily2, enabled:1, value: Daily 2
ID: time, enabled:1, value: Wed Feb 15 18:08:00 2012
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily3, enabled:1, value: Daily 3
ID: time, enabled:1, value: Wed Feb 15 00:08:00 2012
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updatedaily4, enabled:1, value: Daily 4
ID: time, enabled:1, value: Wed Feb 15 06:08:00 2012
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly1, enabled:1, value: Weekly
ID: time, enabled:1, value: Wed Feb 15 12:08:00 2012
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: true
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: true
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: autoentertainmentmode, enabled:1, value: true
ID: guimode, enabled:1, value: mode_simple, domain: mode_advanced,mode_simple
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant
ID: layers, enabled:1
ID: useantivirus, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: maintainbackup, enabled:1, value: true
ID: modules, enabled:1
ID: processprotection, enabled:1, value: true
ID: onaccessprotection, enabled:1, value: true
ID: registryprotection, enabled:1, value: true
ID: networkprotection, enabled:1, value: true


****************************** System information ******************************
Computer name: DAVID-D044439A7
Processor name: AMD Athlon™ 64 X2 Dual-Core Processor TK-57
Processor identifier: x86 Family 15 Model 104 Stepping 2
Processor speed: ~1895MHZ
Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 26626, number of processors 2, processor features: [MMX,SSE,SSE2,3DNow]
Physical memory available: 573575168 bytes
Physical memory total: 2011095040 bytes
Virtual memory available: 1876090880 bytes
Virtual memory total: 2147352576 bytes
Memory load: 71%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 1280 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1340 name: C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1388 name: C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1432 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1444 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1612 name: C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1668 name: C:\WINDOWS\system32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1688 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1756 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 2000 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 384 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 472 name: C:\WINDOWS\system32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 664 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 708 name: C:\Program Files\Avira\AntiVir Desktop\sched.exe owner: SYSTEM domain: NT AUTHORITY
PID: 740 name: C:\Program Files\SUPERAntiSpyware\SASCORE.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 772 name: C:\Program Files\Avira\AntiVir Desktop\avguard.exe owner: SYSTEM domain: NT AUTHORITY
PID: 784 name: C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 824 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1332 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1848 name: C:\WINDOWS\system32\STacSV.exe owner: SYSTEM domain: NT AUTHORITY
PID: 980 name: C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2104 name: C:\Program Files\Avira\AntiVir Desktop\avshadow.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2400 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2944 name: C:\WINDOWS\Explorer.EXE owner: Administrator domain: DAVID-D044439A7
PID: 3108 name: C:\Program Files\DellTPad\Apoint.exe owner: Administrator domain: DAVID-D044439A7
PID: 3124 name: C:\Program Files\Common Files\Java\Java Update\jusched.exe owner: Administrator domain: DAVID-D044439A7
PID: 3152 name: C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe owner: Administrator domain: DAVID-D044439A7
PID: 3336 name: C:\Program Files\Avira\AntiVir Desktop\avgnt.exe owner: Administrator domain: DAVID-D044439A7
PID: 3508 name: C:\Program Files\I8kfanGUI\I8kfanGUI.exe owner: Administrator domain: DAVID-D044439A7
PID: 1300 name: C:\WINDOWS\system32\ctfmon.exe owner: Administrator domain: DAVID-D044439A7
PID: 3516 name: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe owner: Administrator domain: DAVID-D044439A7
PID: 3420 name: C:\Program Files\DellTPad\ApMsgFwd.exe owner: Administrator domain: DAVID-D044439A7
PID: 3588 name: C:\Program Files\DellTPad\HidFind.exe owner: Administrator domain: DAVID-D044439A7
PID: 3576 name: C:\Program Files\DellTPad\Apntex.exe owner: Administrator domain: DAVID-D044439A7
PID: 3804 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 4040 name: C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe owner: Administrator domain: DAVID-D044439A7
PID: 3116 name: C:\Program Files\Opera\opera.exe owner: Administrator domain: DAVID-D044439A7
PID: 2812 name: C:\Program Files\iPod\bin\iPodService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5760 name: C:\program files\real\realplayer\update\realsched.exe owner: Administrator domain: DAVID-D044439A7
PID: 496 name: C:\Program Files\360\360se3\360se.exe owner: Administrator domain: DAVID-D044439A7
PID: 4512 name: C:\Program Files\360\360se3\SafeCentral\urlproc.exe owner: Administrator domain: DAVID-D044439A7
PID: 3280 name: C:\Program Files\360\360se3\360se.exe owner: Administrator domain: DAVID-D044439A7
PID: 5832 name: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE owner: Administrator domain: DAVID-D044439A7
PID: 4956 name: C:\Program Files\WordWeb\wweb32.exe owner: Administrator domain: DAVID-D044439A7
PID: 6136 name: C:\WINDOWS\system32\wuauclt.exe owner: Administrator domain: DAVID-D044439A7
PID: 4196 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1100 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2340 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2388 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Administrator domain: DAVID-D044439A7
PID: 5812 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Administrator domain: DAVID-D044439A7

Startup items:
Name: Apoint
imagepath: C:\Program Files\DellTPad\Apoint.exe
Name: KernelFaultCheck
imagepath: %systemroot%\system32\dumprep 0 -k
Name: SunJavaUpdateSched
imagepath: "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
Name: QuickTime Task
imagepath: "C:\Program Files\QuickTime\qttask.exe" -atboottime
Name: Google Pinyin 2 Autoupdater
imagepath: "C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe"
Name: Adobe ARM
imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Name: TkBellExe
imagepath: "C:\program files\real\realplayer\update\realsched.exe" -osboot
Name: avgnt
imagepath: "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name:
imagepath: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *

Running services:
Name: !SASCORE
displayname: SAS Core Service
Name: AdvancedSystemCareService5
displayname: Advanced SystemCare Service 5
Name: ALG
displayname: Application Layer Gateway Service
Name: AntiVirSchedulerService
displayname: Avira Scheduler
Name: AntiVirService
displayname: Avira Realtime Protection
Name: Apple Mobile Device
displayname: Apple Mobile Device
Name: Ati HotKey Poller
displayname: Ati HotKey Poller
Name: AudioSrv
displayname: Windows Audio
Name: BITS
displayname: Background Intelligent Transfer Service
Name: Bonjour Service
displayname: Bonjour Service
Name: CryptSvc
displayname: Cryptographic Services
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: Dnscache
displayname: DNS Client
Name: Eventlog
displayname: Event Log
Name: EventSystem
displayname: COM+ Event System
Name: FastUserSwitchingCompatibility
displayname: Fast User Switching Compatibility
Name: HidServ
displayname: HID Input Service
Name: iPod Service
displayname: iPod Service
Name: JavaQuickStarterService
displayname: Java Quick Starter
Name: lanmanserver
displayname: Server
Name: lanmanworkstation
displayname: Workstation
Name: Netman
displayname: Network Connections
Name: Nla
displayname: Network Location Awareness (NLA)
Name: PlugPlay
displayname: Plug and Play
Name: ProtectedStorage
displayname: Protected Storage
Name: RasMan
displayname: Remote Access Connection Manager
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: SENS
displayname: System Event Notification
Name: SharedAccess
displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: srservice
displayname: System Restore Service
Name: SSDPSRV
displayname: SSDP Discovery Service
Name: STacSV
displayname: SigmaTel Audio Service
Name: TapiSrv
displayname: Telephony
Name: TermService
displayname: Terminal Services
Name: Themes
displayname: Themes
Name: W32Time
displayname: Windows Time
Name: winmgmt
displayname: Windows Management Instrumentation
Name: wscsvc
displayname: Security Center
Name: wuauserv
displayname: Automatic Updates
Name: WZCSVC
displayname: Wireless Zero Configuration
Name: YahooAUService
displayname: Yahoo! Updater
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service

#11 maliprog (Trusted Helper, Malware Removal, 6,171 posts)
Guess we need to do it manually then. Please follow This article and turn OFF System Restore. After that, restart your system and turn ON System Restore again. This should clear all Restore points on all your drives.

Scan your system one more time with Ad-Aware to verify that the infection is gone.
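
Both of the helper's fixes above (the OTL `[clearallrestorepoints]` script in #7 and the manual System Restore off/on toggle in #11) rest on the same observation: the flagged file lives under a `System Volume Information\_restore{GUID}\RPnn` folder, which is a System Restore snapshot. On-demand scanners can flag such a copy but typically cannot remove it in place, it is not running, and a later restore to that point would reinstate it, so the remedy is to discard the snapshots rather than to chase the file. The script below is an added example, not part of this thread and not code from Ad-Aware or OTL: it parses Ad-Aware "Skipped items" lines and OTL-style "Running processes" lines and classifies each detection as a restore-point leftover, an active process, or an inactive on-disk file, with the matching remediation. The first sample line is the real entry from the log above; the second line, its path and its all-zero hash are constructed placeholders, and the process list is a two-line subset of the log.

```python
import re
from typing import Optional

# Sample input. The first entry is the real "Skipped items" line from the
# Ad-Aware log in this thread; the second is a constructed placeholder.
SKIPPED_ITEMS = [
    ("Description: d:\\system volume information\\_restore{704253ec-9b00-43a0-b650-856112df8601}"
     "\\rp12\\a0000851.exe Family Name: Win32.PUP.Bandoo[800] Engine: 1 Clean status: Success "
     "Item ID: 0 Family ID: 0 MD5: 76d4823d1f59389e3ec60df59a42802e"),
    # constructed line, not from the log (placeholder path and hash)
    ("Description: c:\\documents and settings\\administrator\\application data\\example\\dropper.exe "
     "Family Name: Win32.Example.Constructed[1] Engine: 1 Clean status: Failed "
     "Item ID: 1 Family ID: 1 MD5: 00000000000000000000000000000000"),
]

# Two-line subset of the "Running processes" section of the log above.
RUNNING_PROCESSES = """\
PID: 2944 name: C:\\WINDOWS\\Explorer.EXE owner: Administrator domain: DAVID-D044439A7
PID: 3116 name: C:\\Program Files\\Opera\\opera.exe owner: Administrator domain: DAVID-D044439A7
"""

# Field layout of one Ad-Aware skipped-item line, as seen in the log.
ITEM_RE = re.compile(
    r"Description:\s*(?P<path>.+?)\s+Family Name:\s*(?P<family>\S+)\s+Engine:\s*(?P<engine>\d+)\s+"
    r"Clean status:\s*(?P<status>\S+)\s+Item ID:\s*(?P<item_id>\d+)\s+Family ID:\s*(?P<family_id>\d+)\s+"
    r"MD5:\s*(?P<md5>[0-9a-fA-F]{32})"
)
# System Restore keeps its copies under <drive>:\System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\rp(?P<rp>\d+)\\", re.I
)
# OTL-style process line: "PID: n name: <image path> owner: ..."
PROC_RE = re.compile(r"^PID:\s*\d+\s+name:\s*(?P<image>.+?)\s+owner:", re.I)

ACTIONS = {
    "restore_point": ("Inactive copy held by System Restore; scanners usually cannot clean it in place. "
                      "Clear restore points (OTL [clearallrestorepoints] or toggle System Restore "
                      "off and on) and re-scan."),
    "running": "File is an active process: stop it, remove it and check its autostart entries.",
    "on_disk_inactive": "File present but not running: quarantine it and check autostart entries.",
}


def parse_skipped_item(line: str) -> Optional[dict]:
    """Parse one skipped-item line into a dict of its fields; None if the line does not match."""
    m = ITEM_RE.search(line)
    if not m:
        return None
    item = m.groupdict()
    item["path"] = item["path"].strip()
    item["md5"] = item["md5"].lower()
    return item


def running_images(proc_text: str) -> set:
    """Collect lower-cased image paths from OTL-style process lines."""
    images = set()
    for line in proc_text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            images.add(m.group("image").strip().lower())
    return images


def classify(item: dict, images: set) -> dict:
    """Attach a location class, the restore-point number (if any) and the recommended action."""
    path = item["path"].lower()
    rp = RESTORE_RE.match(path)
    if rp:
        item["location"] = "restore_point"
        item["restore_point"] = int(rp.group("rp"))
    elif path in images:
        item["location"] = "running"
        item["restore_point"] = None
    else:
        item["location"] = "on_disk_inactive"
        item["restore_point"] = None
    item["action"] = ACTIONS[item["location"]]
    return item


def triage(lines, proc_text: str) -> list:
    """Parse and classify every recognisable skipped-item line."""
    images = running_images(proc_text)
    return [classify(it, images) for it in map(parse_skipped_item, lines) if it]


if __name__ == "__main__":
    for r in triage(SKIPPED_ITEMS, RUNNING_PROCESSES):
        rp = f"RP{r['restore_point']}" if r["restore_point"] is not None else "-"
        print(f"{r['family']:<32} {r['location']:<17} {rp:<5} {r['path']}")
        print(f"  -> {r['action']}")
```

Run as a script it prints one classified line per detection. The classification is the part worth keeping: a hit whose path matches the `_restore{...}\RPnn` pattern is a snapshot artefact, so repeatedly re-scanning or deleting it by hand is the wrong lever, and the restore-point number tells you which snapshot would bring the file back.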

#12 maliprog (Trusted Helper, Malware Removal, 6,171 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.