
AVG keep coming out with tracking cookies serving-sys and trojan fakea

This topic is locked.

#1 winsomemy (Member, 29 posts)
Hi,

I am using Windows XP and AVG anti-virus.

Recently AVG keeps coming out with the findings below:
- tracking cookies.serving-sys
- trojan horse fakealert.po
- tracking cookies.overture

etc.

My PC has been slowing down since then. I have moved the findings to the vault in AVG, but it didn't solve the problem. I have also tried using Spybot, Ad-Aware and running AVG in safe mode. That didn't solve it either.

Below is the OTL log.

Thanks for your help!



OTL logfile created on: 3/1/2012 1:03:06 PM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\winxp\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.09 Gb Total Physical Memory | 0.22 Gb Available Physical Memory | 19.67% Memory free
1.71 Gb Paging File | 0.86 Gb Available in Paging File | 50.66% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 24.41 Gb Total Space | 8.46 Gb Free Space | 34.66% Space Free | Partition Type: NTFS
Drive D: | 12.85 Gb Total Space | 4.23 Gb Free Space | 32.92% Space Free | Partition Type: NTFS

Computer Name: HEMA | User Name: winxp | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/01 13:03:02 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\winxp\Desktop\OTL.exe
PRC - [2012/02/15 07:03:14 | 024,246,216 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\winxp\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/10/18 09:05:28 | 002,042,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/08/22 09:19:25 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/22 09:19:24 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/22 09:19:18 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/22 09:19:11 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/22 09:19:08 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/01/26 15:31:16 | 002,144,088 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/06/10 04:27:04 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008/04/14 08:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2008/04/14 08:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 08:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/01/19 12:33:38 | 000,078,336 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LXCZPP5C.DLL
MOD - [2003/07/29 05:45:10 | 000,078,336 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LXBRPP5C.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2009/08/22 09:19:11 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/22 09:19:08 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)


========== Driver Services (SafeList) ==========

DRV - [2009/10/20 18:47:46 | 000,113,280 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2009/10/12 15:21:54 | 000,100,736 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbdev.sys -- (hwusbdev)
DRV - [2009/09/10 14:55:52 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009/08/22 09:19:25 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/08/22 09:19:24 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/05/12 08:48:55 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2008/04/14 02:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/03/10 13:32:46 | 000,076,560 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2004/08/04 06:29:52 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3SavageNB)
DRV - [2001/08/17 22:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"



FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/04 16:13:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/22 16:17:34 | 000,000,000 | ---D | M]

[2010/03/22 13:51:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\winxp\Application Data\Mozilla\Extensions
[2010/10/07 11:46:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\winxp\Application Data\Mozilla\Firefox\Profiles\sbnokl62.default\extensions
[2012/02/29 11:54:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/10/03 05:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.56\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.56\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.56\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\winxp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Documents and Settings\winxp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.17_0\
CHR - Extension: Gmail = C:\Documents and Settings\winxp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2004/08/04 20:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\winxp\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\winxp\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = [binary data]
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{379F3389-7EF6-4C5C-8C1A-D94EB280DC2C}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\Windows\mspdb11.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - (avgrsstx.dll) - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/24 21:19:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\##Victor#E\Shell - "" = AutoRun
O33 - MountPoints2\##Victor#E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##Victor#E\Shell\AutoRun\command - "" = Z:\Setup.EXE
O33 - MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\Shell\Auto\command - "" = F:\RavMonE.exe e
O33 - MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
O33 - MountPoints2\{589fc974-c29a-11de-884d-00115ba712e5}\Shell\AutoRun\command - "" = F:\PMB_P.exe
O33 - MountPoints2\{589fc977-c29a-11de-884d-00115ba712e5}\Shell - "" = AutoRun
O33 - MountPoints2\{589fc977-c29a-11de-884d-00115ba712e5}\Shell\Auto\Command - "" = F:\IntelM
O33 - MountPoints2\{589fc977-c29a-11de-884d-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{589fc977-c29a-11de-884d-00115ba712e5}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL IntelM
O33 - MountPoints2\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\Shell - "" = AutoRun
O33 - MountPoints2\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{8f7f0bfc-8b2b-11e0-8a57-00115ba712e5}\Shell - "" = AutoRun
O33 - MountPoints2\{8f7f0bfc-8b2b-11e0-8a57-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8f7f0bfc-8b2b-11e0-8a57-00115ba712e5}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{a8189b90-e917-11dd-b8fe-00115ba712e5}\Shell\Auto\command - "" = F:\RavMonE.exe e
O33 - MountPoints2\{a8189b90-e917-11dd-b8fe-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a8189b90-e917-11dd-b8fe-00115ba712e5}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
O33 - MountPoints2\{c53b00ff-81cb-11e0-8a4b-d82c64c6caae}\Shell - "" = AutoRun
O33 - MountPoints2\{c53b00ff-81cb-11e0-8a4b-d82c64c6caae}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c53b00ff-81cb-11e0-8a4b-d82c64c6caae}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{c53b010a-81cb-11e0-8a4b-00115ba712e5}\Shell - "" = AutoRun
O33 - MountPoints2\{c53b010a-81cb-11e0-8a4b-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c53b010a-81cb-11e0-8a4b-00115ba712e5}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\Shell\Auto\command - "" = RavMonE.exe e
O33 - MountPoints2\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
O33 - MountPoints2\{f923adcb-f45d-11db-b685-00115ba712e5}\Shell\Auto\command - "" = G:\RavMonE.exe e
O33 - MountPoints2\{f923adcb-f45d-11db-b685-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f923adcb-f45d-11db-b685-00115ba712e5}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/03/01 13:02:44 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\winxp\Desktop\OTL.exe
[2012/02/29 17:38:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\winxp\My Documents\Dropbox
[2012/02/29 17:35:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\Start Menu\Programs\Dropbox
[2012/02/29 17:34:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\Application Data\Dropbox
[2012/02/24 15:06:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/02/24 14:59:27 | 000,000,000 | ---D | C] -- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
[2012/02/24 14:59:25 | 000,000,000 | ---D | C] -- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
[2012/02/24 14:59:23 | 000,000,000 | ---D | C] -- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
[2012/02/24 14:59:22 | 000,000,000 | ---D | C] -- C:\Program Files\SDHelper (Spybot - Search & Destroy)
[2012/02/22 11:15:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\My Documents\pic artwork
[2012/02/18 13:55:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\winxp\Recent
[2012/02/10 15:30:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2012/02/10 15:27:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2012/02/10 15:25:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\Local Settings\Application Data\Temp
[2012/02/10 15:25:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2012/02/10 15:25:00 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/02/10 15:25:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\Local Settings\Application Data\Google
[2012/02/06 11:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\My Documents\customer contact details
[2012/02/04 10:58:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RENEE
[2012/02/03 17:28:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Scissor report
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/01 13:03:02 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\winxp\Desktop\OTL.exe
[2012/03/01 10:59:32 | 090,813,946 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2012/03/01 08:58:23 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/01 08:58:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/01 08:58:20 | 1173,938,176 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/29 17:38:14 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\Dropbox.lnk
[2012/02/29 17:35:44 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\winxp\Start Menu\Programs\Startup\Dropbox.lnk
[2012/02/29 12:15:26 | 001,918,745 | ---- | M] () -- C:\Documents and Settings\winxp\My Documents\1655796-ciseaux.pdf
[2012/02/27 15:36:22 | 000,244,668 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 03;36;09PM.pdf
[2012/02/27 10:30:57 | 000,253,359 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 10;30;04AM.pdf
[2012/02/27 10:16:42 | 000,677,607 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 10;16;18AM.pdf
[2012/02/24 15:06:57 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\winxp\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/02/24 15:06:57 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\Spybot - Search & Destroy.lnk
[2012/02/24 14:51:25 | 000,314,508 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/24 14:51:25 | 000,040,836 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/23 17:44:36 | 000,211,487 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-23-2012 05;44;22PM.pdf
[2012/02/23 16:49:28 | 000,227,540 | ---- | M] () -- C:\Documents and Settings\winxp\My Documents\IMG_23022012_094907.png
[2012/02/20 11:50:58 | 000,481,483 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-20-2012 11;50;35AM.pdf
[2012/02/20 11:44:34 | 000,507,750 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-20-2012 11;44;14AM.pdf
[2012/02/20 08:53:12 | 000,196,960 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/14 16:39:52 | 001,160,664 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\P1010014.JPG
[2012/02/14 12:47:36 | 000,829,033 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-14-2012 12;47;07PM.pdf
[2012/02/13 10:54:38 | 000,268,913 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-13-2012 10;54;23AM.pdf
[2012/02/13 10:52:14 | 000,074,157 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\TT slip-philip.jpg
[2012/02/09 17:54:51 | 000,643,800 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-09-2012 05;54;39PM.pdf
[2012/02/06 12:45:55 | 000,639,092 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-06-2012 12;45;37PM.pdf
[2012/02/04 09:48:29 | 000,096,107 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\zoo-page 2.jpg
[2012/02/04 09:46:55 | 000,099,726 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\zoo.jpg
[2012/02/02 10:48:39 | 001,198,078 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-02-2012 10;48;16AM.pdf
[2012/02/01 09:52:06 | 000,431,098 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-01-2012 09;51;54AM.pdf
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/29 17:38:14 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\Dropbox.lnk
[2012/02/29 17:35:44 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\Startup\Dropbox.lnk
[2012/02/29 12:15:26 | 001,918,745 | ---- | C] () -- C:\Documents and Settings\winxp\My Documents\1655796-ciseaux.pdf
[2012/02/27 15:36:22 | 000,244,668 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 03;36;09PM.pdf
[2012/02/27 10:30:57 | 000,253,359 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 10;30;04AM.pdf
[2012/02/27 10:16:41 | 000,677,607 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 10;16;18AM.pdf
[2012/02/25 12:24:33 | 1173,938,176 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/24 15:06:57 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\winxp\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/02/24 15:06:57 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\Spybot - Search & Destroy.lnk
[2012/02/23 17:44:36 | 000,211,487 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-23-2012 05;44;22PM.pdf
[2012/02/23 16:49:18 | 000,227,540 | ---- | C] () -- C:\Documents and Settings\winxp\My Documents\IMG_23022012_094907.png
[2012/02/20 11:50:58 | 000,481,483 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-20-2012 11;50;35AM.pdf
[2012/02/20 11:44:34 | 000,507,750 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-20-2012 11;44;14AM.pdf
[2012/02/20 08:53:12 | 000,196,960 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/18 13:59:34 | 000,000,881 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\Ad-Aware.lnk
[2012/02/18 13:59:05 | 000,000,807 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\SpybotSD.lnk
[2012/02/15 12:35:56 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 12:35:56 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/14 16:39:19 | 001,160,664 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\P1010014.JPG
[2012/02/14 12:47:36 | 000,829,033 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-14-2012 12;47;07PM.pdf
[2012/02/13 10:54:38 | 000,268,913 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-13-2012 10;54;23AM.pdf
[2012/02/13 10:52:09 | 000,074,157 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\TT slip-philip.jpg
[2012/02/10 14:54:25 | 000,000,717 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\avgtray.lnk
[2012/02/10 14:52:31 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\ccleaner.lnk
[2012/02/09 17:54:51 | 000,643,800 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-09-2012 05;54;39PM.pdf
[2012/02/06 12:45:55 | 000,639,092 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-06-2012 12;45;37PM.pdf
[2012/02/04 09:49:10 | 000,099,726 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\zoo.jpg
[2012/02/04 09:49:10 | 000,096,107 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\zoo-page 2.jpg
[2012/02/02 10:48:38 | 001,198,078 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-02-2012 10;48;16AM.pdf
[2012/02/01 09:52:06 | 000,431,098 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-01-2012 09;51;54AM.pdf
[2010/03/22 13:51:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/03/22 08:48:01 | 000,012,028 | -HS- | C] () -- C:\Documents and Settings\winxp\Local Settings\Application Data\4Jp87e378L
[2010/03/22 08:48:01 | 000,012,028 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4Jp87e378L

========== LOP Check ==========

[2007/05/28 12:00:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Emjysoft
[2012/03/01 12:51:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\winxp\Application Data\Dropbox
[2012/02/01 15:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\winxp\Application Data\Ludoofx
[2012/01/13 10:00:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\winxp\Application Data\Uvob

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2012/02/01 15:33:55 | 002,923,879 | ---- | C] ()(C:\Documents and Settings\winxp\Desktop\1015??.rar) -- C:\Documents and Settings\winxp\Desktop\1015唛头.rar
[2012/02/01 15:24:38 | 002,923,879 | ---- | M] ()(C:\Documents and Settings\winxp\Desktop\1015??.rar) -- C:\Documents and Settings\winxp\Desktop\1015唛头.rar
[2010/12/31 17:49:35 | 002,175,820 | ---- | M] ()(C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_????12-31.jpg) -- C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_复制副本12-31.jpg
[2010/12/31 17:33:51 | 002,175,820 | ---- | C] ()(C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_????12-31.jpg) -- C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_复制副本12-31.jpg

< End of report >
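As an added defender-side example (not part of the original thread, and not code from OTL or its author), here is a small Python triage script for OTL lines of the kind in the log above: it pulls out the O33 MountPoints2 autorun commands, the O4/O20 autostart entries whose target reads "File not found", and decodes the O7 NoDriveTypeAutoRun value into the drive types that may still autorun. The sample input is constructed from lines in the log, and the known-worm name list is an assumption reduced to the single RavMonE.exe name, which public AV write-ups tie to the W32/RJump autorun worm.

```python
"""Triage of OTL (OldTimer) log lines such as those posted above."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: lines copied from the OTL log in post #1.
SAMPLE_LINES = r"""
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O20 - AppInit_DLLs: (C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\Windows\mspdb11.dll) - File not found
O33 - MountPoints2\##Victor#E\Shell\AutoRun\command - "" = Z:\Setup.EXE
O33 - MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\Shell\Auto\command - "" = F:\RavMonE.exe e
O33 - MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
O33 - MountPoints2\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\Shell\AutoRun\command - "" = F:\AutoRun.exe
""".strip().splitlines()

# O33 rows that carry a command value ("Shell\Auto\command" or
# "Shell\AutoRun\command"); the bare "Shell\AutoRun = Auto&Play" rows are labels.
O33_CMD = re.compile(
    r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\(?:Auto|AutoRun)\\command - "" = (?P<cmd>.+)$',
    re.IGNORECASE,
)
# O4/O20 autostart entries whose target OTL could not find on disk.
ORPHAN = re.compile(r'^(?P<where>O4|O20) - (?P<entry>.+?) -? ?File not found$')
AUTORUN_POLICY = re.compile(r'NoDriveTypeAutoRun = (?P<value>\d+)$')

# Executable names tied to autorun worms in public AV write-ups. Assumption:
# a one-entry list for illustration; RavMonE.exe is the W32/RJump worm's name.
KNOWN_AUTORUN_WORMS = {"ravmone.exe"}

# NoDriveTypeAutoRun bit layout (a SET bit disables AutoRun for that drive type).
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved",
}


@dataclass
class Finding:
    kind: str    # autorun-worm | stale-mountpoint-autorun | orphan-autostart | autorun-policy
    where: str   # MountPoints2 key, O-section, or policy value name
    detail: str  # the command, entry text, or decoded policy


def autorun_allowed(value: int) -> List[str]:
    """Drive types on which AutoRun is still permitted for the given policy value."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if not value & bit]


def executable_in(cmd: str) -> str:
    r"""Lower-case basename of the program an O33 command runs.

    Handles both the direct form 'F:\RavMonE.exe e' and the wrapper form
    'RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e', where the real
    target is the token after ShellExec_RunDLL.
    """
    m = re.search(r"ShellExec_RunDLL\s+(\S+)", cmd, re.IGNORECASE)
    target = m.group(1) if m else cmd.split()[0]
    return target.rsplit("\\", 1)[-1].lower()


def triage(lines: List[str]) -> List[Finding]:
    """Walk OTL lines and return the entries a removal helper would look at first."""
    findings: List[Finding] = []
    for line in lines:
        m = O33_CMD.match(line)
        if m:
            exe = executable_in(m["cmd"])
            kind = "autorun-worm" if exe in KNOWN_AUTORUN_WORMS else "stale-mountpoint-autorun"
            findings.append(Finding(kind, m["key"], m["cmd"]))
            continue
        m = ORPHAN.match(line)
        if m:
            findings.append(Finding("orphan-autostart", m["where"], m["entry"]))
            continue
        m = AUTORUN_POLICY.search(line)
        if m:
            allowed = ", ".join(autorun_allowed(int(m["value"])))
            findings.append(Finding("autorun-policy", "NoDriveTypeAutoRun", allowed))
    return findings


def summary(lines: List[str]) -> Dict[str, int]:
    """Count findings per kind, e.g. {'autorun-worm': 2, ...}."""
    return dict(Counter(f.kind for f in triage(lines)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:26} {f.where:42} {f.detail}")
```

Run it against a full OTL log by reading the file into a list of lines; the MountPoints2 hits show which removable-media commands Windows still remembers, and the decoded policy value shows whether inserting such media would run them again.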
#2 Render (Trusted Helper, Malware Removal, 4,195 posts)
Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating, but running other tools in the meantime and between posts only makes it harder for us to analyse and fix your PC in the long run.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • Please tell me if you have your original Windows CD/DVD available.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

If you have since resolved the original problem you were having, I would appreciate you letting me know. If not please perform the following steps below so I can have a look at the current condition of your machine.

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.
  • When asked if you want to download Avast's virus definitions please select Yes.
    Note: If avast! antivirus is already installed, just do the next step.
  • Click the Scan button to start scan.
  • On completion of the scan click Save log, save it to your desktop and post in your next reply.
  • After that there should also be a file called MBR.dat on your Desktop; zip it and then attach it here.

How to add an attachment to a new topic or reply

#3 winsomemy (Topic Starter, Member, 29 posts)
Hi, thanks for picking up this problem.

I do not have the original Windows CD with me.

Here is the saved aswMBR log:
aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-06 11:16:10
-----------------------------
11:16:10.734 OS Version: Windows 5.1.2600 Service Pack 3
11:16:10.734 Number of processors: 1 586 0x401
11:16:10.734 ComputerName: HEMA UserName:
11:16:11.765 Initialize success
11:25:03.937 AVAST engine defs: 12030501
11:25:55.796 The log file has been saved successfully to "C:\Documents and Settings\winxp\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-06 11:16:10
-----------------------------
11:16:10.734 OS Version: Windows 5.1.2600 Service Pack 3
11:16:10.734 Number of processors: 1 586 0x401
11:16:10.734 ComputerName: HEMA UserName:
11:16:11.765 Initialize success
11:25:03.937 AVAST engine defs: 12030501
11:25:55.796 The log file has been saved successfully to "C:\Documents and Settings\winxp\Desktop\aswMBR.txt"
11:31:24.218 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
11:31:24.234 Disk 0 Vendor: ST340014A 8.01 Size: 38166MB BusType: 3
11:31:24.250 Disk 0 MBR read successfully
11:31:24.250 Disk 0 MBR scan
11:31:24.281 Disk 0 Windows XP default MBR code
11:31:24.281 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 24999 MB offset 63
11:31:24.296 Disk 0 Partition - 00 0F Extended LBA 13154 MB offset 51199155
11:31:24.312 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13154 MB offset 51199218
11:31:24.328 Disk 0 scanning sectors +78140160
11:31:24.421 Disk 0 scanning C:\WINDOWS\system32\drivers
11:31:45.406 Service scanning
11:32:07.203 Modules scanning
11:32:21.718 Disk 0 trace - called modules:
11:32:21.968 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll viaide.sys PCIIDEX.SYS
11:32:21.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8837fab8]
11:32:22.000 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x883c9b00]
11:32:22.390 AVAST engine scan C:\WINDOWS
11:32:26.296 AVAST engine scan C:\WINDOWS\system32
11:35:28.171 AVAST engine scan C:\WINDOWS\system32\drivers
11:35:48.031 AVAST engine scan C:\Documents and Settings\winxp
12:11:32.765 AVAST engine scan C:\Documents and Settings\All Users
12:16:54.828 Scan finished successfully
12:38:14.046 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\winxp\Desktop\MBR.dat"
12:38:14.093 The log file has been saved successfully to "C:\Documents and Settings\winxp\Desktop\aswMBR.txt"


I have attached the MBR.dat zip file.

Attached Files

  • Attached File  MBR.zip   510 bytes   107 downloads

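Added example (not part of this thread and not code from the aswMBR tool): a small Python parser for the partition lines aswMBR prints in the log above, with a consistency check a helper would do by eye. It reads the disk size, the "MBR code" identification and each "Partition ... MB offset ..." line, then checks that no two top-level partitions overlap, that logical partitions stay inside their extended container, that nothing runs past the end of the disk, and that the boot code was recognised as the default. The line shapes are assumed from the log as posted, and sizes are taken as binary MB (2048 sectors of 512 bytes), which is also an assumption; the sample input is copied from the log above plus one constructed bad layout.

```python
"""Parse aswMBR partition lines and sanity-check the disk layout.

Added example, not part of this thread or of aswMBR. Line shapes are assumed
from the posted log; 1 MB = 2048 sectors of 512 bytes is an assumption.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

SECTOR_BYTES = 512
SECTORS_PER_MB = (1024 * 1024) // SECTOR_BYTES   # 2048 (assumed unit)
ROUNDING_SLACK = SECTORS_PER_MB                  # sizes are printed in whole MB

_SIZE = re.compile(r"Disk (\d+) Vendor: .* Size: (\d+)MB")
_MBR_CODE = re.compile(r"Disk (\d+) (.+ MBR code)$")
_PART = re.compile(
    r"Disk (\d+) Partition (\S+) ([0-9A-Fa-f]{2}) (?:\(A\) )?([0-9A-Fa-f]{2}) "
    r"(.+?) (\d+) MB offset (\d+)$"
)

# Lines copied from the aswMBR log posted above.
SAMPLE_LOG = """\
11:31:24.234 Disk 0 Vendor: ST340014A 8.01 Size: 38166MB BusType: 3
11:31:24.250 Disk 0 MBR read successfully
11:31:24.281 Disk 0 Windows XP default MBR code
11:31:24.281 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 24999 MB offset 63
11:31:24.296 Disk 0 Partition - 00 0F Extended LBA 13154 MB offset 51199155
11:31:24.312 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13154 MB offset 51199218
"""

# Constructed bad layout: no MBR code line, and partition 2 starts inside partition 1.
BAD_LOG = """\
00:00:00.000 Disk 0 Vendor: CONSTRUCTED 1.00 Size: 40000MB BusType: 3
00:00:00.000 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 25000 MB offset 63
00:00:00.000 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13000 MB offset 40960063
"""


class Partition(NamedTuple):
    number: str      # "1", "2", ... or "-" for the extended container
    boot: str        # "80" = active; aswMBR also prints "(A)"
    type_code: str   # partition type byte: "07" NTFS, "0F" extended LBA, ...
    desc: str
    size_mb: int
    offset: int      # first sector (LBA)

    @property
    def end(self) -> int:
        """First sector after the partition (exclusive), from the rounded MB size."""
        return self.offset + self.size_mb * SECTORS_PER_MB

    @property
    def is_extended(self) -> bool:
        return self.type_code.upper() in ("05", "0F")


class DiskReport(NamedTuple):
    size_mb: Optional[int]
    mbr_code: Optional[str]
    partitions: List[Partition]


def parse_aswmbr(text: str) -> DiskReport:
    size_mb, mbr_code = None, None
    parts: List[Partition] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = _SIZE.search(line)
        if m:
            size_mb = int(m.group(2))
            continue
        m = _MBR_CODE.search(line)
        if m:
            mbr_code = m.group(2)
            continue
        m = _PART.search(line)
        if m:
            parts.append(Partition(m.group(2), m.group(3), m.group(4), m.group(5),
                                   int(m.group(6)), int(m.group(7))))
    return DiskReport(size_mb, mbr_code, parts)


def split_partitions(report: DiskReport) -> Tuple[List[Partition], List[Partition]]:
    """Top-level entries (primaries + extended container) vs. logical ones,
    which are the entries whose start lies inside an extended container."""
    extended = [p for p in report.partitions if p.is_extended]
    top_level: List[Partition] = []
    logical: List[Partition] = []
    for p in report.partitions:
        inside = any(e is not p and e.offset <= p.offset < e.end for e in extended)
        (logical if inside else top_level).append(p)
    return top_level, logical


def check_layout(report: DiskReport) -> List[str]:
    """Return findings; an empty list means the reported layout is consistent."""
    findings: List[str] = []
    if report.mbr_code is None:
        findings.append("MBR code not identified (no 'MBR code' line in the log)")
    elif "default MBR code" not in report.mbr_code:
        findings.append("non-default MBR code reported: " + report.mbr_code)
    if report.size_mb is not None:
        disk_end = report.size_mb * SECTORS_PER_MB
        for p in report.partitions:
            if p.end > disk_end + ROUNDING_SLACK:
                findings.append("partition %s extends past the end of the disk" % p.number)
    top_level, logical = split_partitions(report)
    extended = [p for p in report.partitions if p.is_extended]
    for p in logical:
        container = next((e for e in extended if e.offset <= p.offset < e.end), None)
        if container is not None and p.end > container.end + ROUNDING_SLACK:
            findings.append("logical partition %s overruns its extended container" % p.number)
    top_level.sort(key=lambda p: p.offset)
    for a, b in zip(top_level, top_level[1:]):
        if b.offset < a.end - ROUNDING_SLACK:   # slack absorbs MB rounding
            findings.append("partitions %s and %s overlap (%d < %d)"
                            % (a.number, b.number, b.offset, a.end))
    if not any(p.boot == "80" for p in top_level):
        findings.append("no partition carries the active (80) flag")
    return findings
```

On the posted log this returns no findings: the logical NTFS partition starts 63 sectors into the extended container, so its rounded end lands a few sectors past the container's rounded end, which is why the check allows one MB of slack rather than demanding exact containment. A hidden partition or non-default boot code would show up as a finding and is the kind of thing worth asking about before running any fix.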

#4
Render

Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
We need to run an OTL Fix

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

  • Please double click on Posted Image on your Desktop (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
  • Under the Custom Scans/Fixes box copy and paste this in (please carefully select all text in the code box, beginning with the colon):

    :OTL
    O20 - AppInit_DLLs: (C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\Windows\mspdb11.dll) - File not found
    O33 - MountPoints2\##Victor#E\Shell - "" = AutoRun
    O33 - MountPoints2\##Victor#E\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\##Victor#E\Shell\AutoRun\command - "" = Z:\Setup.EXE
    O33 - MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\Shell\Auto\command - "" = F:\RavMonE.exe e
    O33 - MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
    O33 - MountPoints2\{589fc974-c29a-11de-884d-00115ba712e5}\Shell\AutoRun\command - "" = F:\PMB_P.exe
    O33 - MountPoints2\{589fc977-c29a-11de-884d-00115ba712e5}\Shell - "" = AutoRun
    O33 - MountPoints2\{589fc977-c29a-11de-884d-00115ba712e5}\Shell\Auto\Command - "" = F:\IntelM
    O33 - MountPoints2\{589fc977-c29a-11de-884d-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{589fc977-c29a-11de-884d-00115ba712e5}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL IntelM
    O33 - MountPoints2\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\Shell - "" = AutoRun
    O33 - MountPoints2\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\Shell\AutoRun\command - "" = F:\AutoRun.exe
    O33 - MountPoints2\{8f7f0bfc-8b2b-11e0-8a57-00115ba712e5}\Shell - "" = AutoRun
    O33 - MountPoints2\{8f7f0bfc-8b2b-11e0-8a57-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{8f7f0bfc-8b2b-11e0-8a57-00115ba712e5}\Shell\AutoRun\command - "" = F:\AutoRun.exe
    O33 - MountPoints2\{a8189b90-e917-11dd-b8fe-00115ba712e5}\Shell\Auto\command - "" = F:\RavMonE.exe e
    O33 - MountPoints2\{a8189b90-e917-11dd-b8fe-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{a8189b90-e917-11dd-b8fe-00115ba712e5}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
    O33 - MountPoints2\{c53b00ff-81cb-11e0-8a4b-d82c64c6caae}\Shell - "" = AutoRun
    O33 - MountPoints2\{c53b00ff-81cb-11e0-8a4b-d82c64c6caae}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{c53b00ff-81cb-11e0-8a4b-d82c64c6caae}\Shell\AutoRun\command - "" = F:\AutoRun.exe
    O33 - MountPoints2\{c53b010a-81cb-11e0-8a4b-00115ba712e5}\Shell - "" = AutoRun
    O33 - MountPoints2\{c53b010a-81cb-11e0-8a4b-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{c53b010a-81cb-11e0-8a4b-00115ba712e5}\Shell\AutoRun\command - "" = F:\AutoRun.exe
    O33 - MountPoints2\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\Shell\Auto\command - "" = RavMonE.exe e
    O33 - MountPoints2\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
    O33 - MountPoints2\{f923adcb-f45d-11db-b685-00115ba712e5}\Shell\Auto\command - "" = G:\RavMonE.exe e
    O33 - MountPoints2\{f923adcb-f45d-11db-b685-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{f923adcb-f45d-11db-b685-00115ba712e5}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
    [2012/02/01 15:33:55 | 002,923,879 | ---- | C] ()(C:\Documents and  Settings\winxp\Desktop\1015??.rar) -- C:\Documents and  Settings\winxp\Desktop\1015唛头.rar
    [2012/02/01 15:24:38 | 002,923,879 | ---- | M] ()(C:\Documents and  Settings\winxp\Desktop\1015??.rar) -- C:\Documents and  Settings\winxp\Desktop\1015唛头.rar
    [2010/12/31 17:49:35 | 002,175,820 | ---- | M] ()(C:\Documents and  Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_????12-31.jpg)  -- C:\Documents and  Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_复制副本12-31.jpg
    [2010/12/31 17:33:51 | 002,175,820 | ---- | C] ()(C:\Documents and  Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_????12-31.jpg)  -- C:\Documents and  Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_复制副本12-31.jpg
      	
    :Files
    ipconfig /flushdns /c
    xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
    xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
    xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
    xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
    
    :Reg
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYJAVA]
    [emptyflash]
    [createrestorepoint]
    [reboot]
  • Make sure all other windows are closed and let it run uninterrupted.
  • Click on Posted Image button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click on Posted Image button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

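Added example (not part of this thread and not code from OTL): a Python triage script over the two line types the fix above removes, the O20 AppInit_DLLs entry and the O33 MountPoints2 autorun commands. Each mount point the machine has seen keeps its own Shell\AutoRun\command value, so a worm that lived on a USB stick years ago (RavMonE.exe, AutoRun.exe) still has a launch command cached under that volume's GUID, and AppInit_DLLs loads the named DLL into every process that uses user32.dll, so a dangling "File not found" entry is a removed payload whose load point survived. The script extracts only the values that carry an executable, classifies how each would launch, and groups them by mount point so a reviewer sees at a glance which entries the fix lines cover. The regexes are assumed from the log format as posted; the sample lines are copied from the fix list above.

```python
"""Triage OTL O20 (AppInit_DLLs) and O33 (MountPoints2) lines.

Added example, not part of this thread or of OTL. Line shapes are assumed
from the fix list posted above; the sample lines are copied from it.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

_O33 = re.compile(r'^O33 - MountPoints2\\(?P<mp>[^\\]+)\\(?P<sub>\S+) - "" = (?P<data>.*)$')
_O20 = re.compile(r'^O20 - AppInit_DLLs: \((?P<dll>[^)]*)\)(?: - (?P<status>.*))?$')
_DRIVE = re.compile(r'^[A-Za-z]:\\')

SAMPLE_LINES = r'''
O20 - AppInit_DLLs: (C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\Windows\mspdb11.dll) - File not found
O33 - MountPoints2\##Victor#E\Shell - "" = AutoRun
O33 - MountPoints2\##Victor#E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\##Victor#E\Shell\AutoRun\command - "" = Z:\Setup.EXE
O33 - MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\Shell\Auto\command - "" = F:\RavMonE.exe e
O33 - MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
O33 - MountPoints2\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\Shell\Auto\command - "" = RavMonE.exe e
O33 - MountPoints2\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\Shell\AutoRun\command - "" = F:\AutoRun.exe
'''.strip().splitlines()


class Finding(NamedTuple):
    kind: str        # "mountpoint-command" or "appinit-dll"
    location: str    # mount point name/GUID, or the registry value name
    target: str      # what would be executed or loaded
    verdict: str     # short triage label


def classify_command(cmd: str) -> str:
    """Describe how a MountPoints2 shell command would launch its target."""
    if "ShellExec_RunDLL" in cmd:
        # rundll32 shell32.dll,ShellExec_RunDLL <target> resolves <target>
        # against the mounted volume; the real payload is what follows it.
        payload = cmd.split("ShellExec_RunDLL", 1)[1].strip()
        return "rundll32 ShellExec_RunDLL indirection -> " + payload
    if _DRIVE.match(cmd):
        return "direct launch from drive %s" % cmd[0].upper()
    return "bare/relative executable (resolved against the mounted volume)"


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = _O33.match(line)
        if m:
            # Only ...\command values carry an executable; Shell and AutoRun
            # just name the verb ("AutoRun", "Auto&Play") and are informational.
            if m.group("sub").lower().endswith("\\command"):
                data = m.group("data")
                findings.append(Finding("mountpoint-command", m.group("mp"),
                                        data, classify_command(data)))
            continue
        m = _O20.match(line)
        if m:
            status = m.group("status") or "present"
            findings.append(Finding("appinit-dll", "AppInit_DLLs", m.group("dll"),
                                    "AppInit_DLLs load point set (%s)" % status))
    return findings


def by_mountpoint(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group the launch commands per mount point for review."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f.kind == "mountpoint-command":
            grouped[f.location].append(f.target)
    return dict(grouped)


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print("%-18s %-42s %s" % (f.kind, f.location, f.verdict))
```

Run against the full fix list the grouping shows the same GUID holding both a Shell\Auto\command and a Shell\AutoRun\command entry, which is the typical footprint of the RavMonE-style autorun worms; the OTL fix lines above delete the whole MountPoints2 key per GUID, which is why the resulting log reports each GUID once as "deleted successfully" and then "not found" for the remaining values.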

#5
winsomemy

winsomemy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
I have done the custom fix accordingly. Here is the log after rebooting

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\DOCUME~1\ALLUSE~1\APPLIC~1\MICROS~1\Windows\mspdb11.dll deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##Victor#E\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##Victor#E\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##Victor#E\ not found.
File Z:\Setup.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\ not found.
File F:\RavMonE.exe e not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4d89af3c-ef4b-11dd-b902-00115ba712e5}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{589fc974-c29a-11de-884d-00115ba712e5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{589fc974-c29a-11de-884d-00115ba712e5}\ not found.
File F:\PMB_P.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{589fc977-c29a-11de-884d-00115ba712e5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{589fc977-c29a-11de-884d-00115ba712e5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{589fc977-c29a-11de-884d-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{589fc977-c29a-11de-884d-00115ba712e5}\ not found.
File F:\IntelM not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{589fc977-c29a-11de-884d-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{589fc977-c29a-11de-884d-00115ba712e5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{589fc977-c29a-11de-884d-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{589fc977-c29a-11de-884d-00115ba712e5}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL IntelM not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6ebf3b9a-81c1-11e0-8a4a-00115ba712e5}\ not found.
File F:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8f7f0bfc-8b2b-11e0-8a57-00115ba712e5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8f7f0bfc-8b2b-11e0-8a57-00115ba712e5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8f7f0bfc-8b2b-11e0-8a57-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8f7f0bfc-8b2b-11e0-8a57-00115ba712e5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8f7f0bfc-8b2b-11e0-8a57-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8f7f0bfc-8b2b-11e0-8a57-00115ba712e5}\ not found.
File F:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8189b90-e917-11dd-b8fe-00115ba712e5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8189b90-e917-11dd-b8fe-00115ba712e5}\ not found.
File F:\RavMonE.exe e not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8189b90-e917-11dd-b8fe-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8189b90-e917-11dd-b8fe-00115ba712e5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8189b90-e917-11dd-b8fe-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8189b90-e917-11dd-b8fe-00115ba712e5}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c53b00ff-81cb-11e0-8a4b-d82c64c6caae}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53b00ff-81cb-11e0-8a4b-d82c64c6caae}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c53b00ff-81cb-11e0-8a4b-d82c64c6caae}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53b00ff-81cb-11e0-8a4b-d82c64c6caae}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c53b00ff-81cb-11e0-8a4b-d82c64c6caae}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53b00ff-81cb-11e0-8a4b-d82c64c6caae}\ not found.
File F:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c53b010a-81cb-11e0-8a4b-00115ba712e5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53b010a-81cb-11e0-8a4b-00115ba712e5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c53b010a-81cb-11e0-8a4b-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53b010a-81cb-11e0-8a4b-00115ba712e5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c53b010a-81cb-11e0-8a4b-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53b010a-81cb-11e0-8a4b-00115ba712e5}\ not found.
File F:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\ not found.
File RavMonE.exe e not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d3a49d4e-ee3d-11dc-b7c5-00115ba712e5}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f923adcb-f45d-11db-b685-00115ba712e5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f923adcb-f45d-11db-b685-00115ba712e5}\ not found.
File G:\RavMonE.exe e not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f923adcb-f45d-11db-b685-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f923adcb-f45d-11db-b685-00115ba712e5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f923adcb-f45d-11db-b685-00115ba712e5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f923adcb-f45d-11db-b685-00115ba712e5}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e not found.
File C:\Documents and Settings\winxp\Desktop\1015唛头.rar not found.
File C:\Documents and Settings\winxp\Desktop\1015唛头.rar not found.
File C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_复制副本12-31.jpg not found.
File C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_复制副本12-31.jpg not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\winxp\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\winxp\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\winxp\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\winxp\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\winxp\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\winxp\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\winxp\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\winxp\Desktop\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C >
0 File(s) copied
C:\Documents and Settings\winxp\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\winxp\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 35883 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32969 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: winxp
->Temp folder emptied: 78981469 bytes
->Temporary Internet Files folder emptied: 83306541 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 43986929 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1194 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 8725 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 322 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 1874 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 197.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: winxp
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: winxp
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (68719476736)

OTL by OldTimer - Version 3.2.33.2 log created on 03072012_112429

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\winxp\Local Settings\Temp\~DFC02E.tmp not found!
File\Folder C:\Documents and Settings\winxp\Local Settings\Temp\~DFC041.tmp not found!
C:\Documents and Settings\winxp\Local Settings\Temporary Internet Files\Content.IE5\G93XF78R\page__pid__2127249[1].htm moved successfully.

Registry entries deleted on Reboot...


Here is the OTL quick scan log
OTL logfile created on: 3/7/2012 11:40:26 AM - Run 2
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\winxp\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.09 Gb Total Physical Memory | 0.49 Gb Available Physical Memory | 44.98% Memory free
1.71 Gb Paging File | 1.18 Gb Available in Paging File | 68.90% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 24.41 Gb Total Space | 8.69 Gb Free Space | 35.58% Space Free | Partition Type: NTFS
Drive D: | 12.85 Gb Total Space | 4.11 Gb Free Space | 32.00% Space Free | Partition Type: NTFS

Computer Name: HEMA | User Name: winxp | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/01 13:03:02 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\winxp\Desktop\OTL.exe
PRC - [2012/02/15 07:03:14 | 024,246,216 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\winxp\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/10/18 09:05:28 | 002,042,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/08/22 09:19:25 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/22 09:19:24 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/22 09:19:18 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/22 09:19:11 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/22 09:19:08 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/01/26 15:31:16 | 002,144,088 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/06/10 04:27:04 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008/04/14 08:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2008/04/14 08:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 08:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/01/19 12:33:38 | 000,078,336 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LXCZPP5C.DLL
MOD - [2003/07/29 05:45:10 | 000,078,336 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LXBRPP5C.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2009/08/22 09:19:11 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/22 09:19:08 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)


========== Driver Services (SafeList) ==========

DRV - [2009/10/20 18:47:46 | 000,113,280 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2009/10/12 15:21:54 | 000,100,736 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbdev.sys -- (hwusbdev)
DRV - [2009/09/10 14:55:52 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009/08/22 09:19:25 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/08/22 09:19:24 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/05/12 08:48:55 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2008/04/14 02:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/03/10 13:32:46 | 000,076,560 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2004/08/04 06:29:52 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3SavageNB)
DRV - [2001/08/17 22:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.my/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"



FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/04 16:13:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/22 16:17:34 | 000,000,000 | ---D | M]

[2010/03/22 13:51:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\winxp\Application Data\Mozilla\Extensions
[2010/10/07 11:46:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\winxp\Application Data\Mozilla\Firefox\Profiles\sbnokl62.default\extensions
[2012/03/03 12:19:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/10/03 05:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.56\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.56\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.56\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\winxp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Documents and Settings\winxp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.17_0\
CHR - Extension: Gmail = C:\Documents and Settings\winxp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/03/07 11:24:41 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\winxp\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\winxp\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = [binary data]
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{379F3389-7EF6-4C5C-8C1A-D94EB280DC2C}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - (avgrsstx.dll) - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/24 21:19:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/03/07 11:24:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/03/06 11:16:05 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\winxp\Desktop\aswMBR.exe
[2012/03/01 13:02:44 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\winxp\Desktop\OTL.exe
[2012/02/29 17:38:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\winxp\My Documents\Dropbox
[2012/02/29 17:35:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\Start Menu\Programs\Dropbox
[2012/02/29 17:34:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\Application Data\Dropbox
[2012/02/24 15:06:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/02/24 14:59:27 | 000,000,000 | ---D | C] -- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
[2012/02/24 14:59:25 | 000,000,000 | ---D | C] -- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
[2012/02/24 14:59:23 | 000,000,000 | ---D | C] -- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
[2012/02/24 14:59:22 | 000,000,000 | ---D | C] -- C:\Program Files\SDHelper (Spybot - Search & Destroy)
[2012/02/22 11:15:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\My Documents\pic artwork
[2012/02/18 13:55:10 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\winxp\Recent
[2012/02/10 15:30:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2012/02/10 15:27:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2012/02/10 15:25:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\Local Settings\Application Data\Temp
[2012/02/10 15:25:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2012/02/10 15:25:00 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/02/10 15:25:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\Local Settings\Application Data\Google
[2012/02/06 11:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\My Documents\customer contact details

========== Files - Modified Within 30 Days ==========

[2012/03/07 11:35:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/07 11:35:22 | 1173,938,176 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/07 11:24:41 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/03/07 09:15:29 | 091,017,978 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2012/03/07 08:50:26 | 000,248,174 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\03-07-2012 08;49;10AM.pdf
[2012/03/07 08:32:11 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/06 12:40:48 | 000,000,510 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\MBR.zip
[2012/03/06 12:38:14 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\MBR.dat
[2012/03/06 11:57:40 | 000,511,576 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\39929-My Desktop Organiser-N.jpg
[2012/03/06 11:16:09 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\winxp\Desktop\aswMBR.exe
[2012/03/01 13:03:02 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\winxp\Desktop\OTL.exe
[2012/02/29 17:38:14 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\Dropbox.lnk
[2012/02/29 17:35:44 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\winxp\Start Menu\Programs\Startup\Dropbox.lnk
[2012/02/29 12:15:26 | 001,918,745 | ---- | M] () -- C:\Documents and Settings\winxp\My Documents\1655796-ciseaux.pdf
[2012/02/27 15:36:22 | 000,244,668 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 03;36;09PM.pdf
[2012/02/27 10:30:57 | 000,253,359 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 10;30;04AM.pdf
[2012/02/27 10:16:42 | 000,677,607 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 10;16;18AM.pdf
[2012/02/24 15:06:57 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\winxp\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/02/24 15:06:57 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\Spybot - Search & Destroy.lnk
[2012/02/24 14:51:25 | 000,314,508 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/24 14:51:25 | 000,040,836 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/23 17:44:36 | 000,211,487 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-23-2012 05;44;22PM.pdf
[2012/02/23 16:49:28 | 000,227,540 | ---- | M] () -- C:\Documents and Settings\winxp\My Documents\IMG_23022012_094907.png
[2012/02/20 11:50:58 | 000,481,483 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-20-2012 11;50;35AM.pdf
[2012/02/20 11:44:34 | 000,507,750 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-20-2012 11;44;14AM.pdf
[2012/02/20 08:53:12 | 000,196,960 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/14 16:39:52 | 001,160,664 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\P1010014.JPG
[2012/02/14 12:47:36 | 000,829,033 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-14-2012 12;47;07PM.pdf
[2012/02/13 10:54:38 | 000,268,913 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-13-2012 10;54;23AM.pdf
[2012/02/13 10:52:14 | 000,074,157 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\TT slip-philip.jpg
[2012/02/09 17:54:51 | 000,643,800 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-09-2012 05;54;39PM.pdf
[2012/02/06 12:45:55 | 000,639,092 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-06-2012 12;45;37PM.pdf

========== Files Created - No Company Name ==========

[2012/03/07 08:50:26 | 000,248,174 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\03-07-2012 08;49;10AM.pdf
[2012/03/06 12:40:48 | 000,000,510 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\MBR.zip
[2012/03/06 12:38:14 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\MBR.dat
[2012/03/06 11:57:00 | 000,511,576 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\39929-My Desktop Organiser-N.jpg
[2012/02/29 17:38:14 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\Dropbox.lnk
[2012/02/29 17:35:44 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\Startup\Dropbox.lnk
[2012/02/29 12:15:26 | 001,918,745 | ---- | C] () -- C:\Documents and Settings\winxp\My Documents\1655796-ciseaux.pdf
[2012/02/27 15:36:22 | 000,244,668 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 03;36;09PM.pdf
[2012/02/27 10:30:57 | 000,253,359 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 10;30;04AM.pdf
[2012/02/27 10:16:41 | 000,677,607 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 10;16;18AM.pdf
[2012/02/25 12:24:33 | 1173,938,176 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/24 15:06:57 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\winxp\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/02/24 15:06:57 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\Spybot - Search & Destroy.lnk
[2012/02/23 17:44:36 | 000,211,487 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-23-2012 05;44;22PM.pdf
[2012/02/23 16:49:18 | 000,227,540 | ---- | C] () -- C:\Documents and Settings\winxp\My Documents\IMG_23022012_094907.png
[2012/02/20 11:50:58 | 000,481,483 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-20-2012 11;50;35AM.pdf
[2012/02/20 11:44:34 | 000,507,750 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-20-2012 11;44;14AM.pdf
[2012/02/20 08:53:12 | 000,196,960 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/18 13:59:34 | 000,000,881 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\Ad-Aware.lnk
[2012/02/18 13:59:05 | 000,000,807 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\SpybotSD.lnk
[2012/02/15 12:35:56 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 12:35:56 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/14 16:39:19 | 001,160,664 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\P1010014.JPG
[2012/02/14 12:47:36 | 000,829,033 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-14-2012 12;47;07PM.pdf
[2012/02/13 10:54:38 | 000,268,913 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-13-2012 10;54;23AM.pdf
[2012/02/13 10:52:09 | 000,074,157 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\TT slip-philip.jpg
[2012/02/10 14:54:25 | 000,000,717 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\avgtray.lnk
[2012/02/10 14:52:31 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\ccleaner.lnk
[2012/02/09 17:54:51 | 000,643,800 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-09-2012 05;54;39PM.pdf
[2012/02/06 12:45:55 | 000,639,092 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-06-2012 12;45;37PM.pdf
[2010/03/22 13:51:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/03/22 08:48:01 | 000,012,028 | -HS- | C] () -- C:\Documents and Settings\winxp\Local Settings\Application Data\4Jp87e378L
[2010/03/22 08:48:01 | 000,012,028 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4Jp87e378L

========== LOP Check ==========

[2007/05/28 12:00:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Emjysoft
[2012/03/07 11:36:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\winxp\Application Data\Dropbox
[2012/02/01 15:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\winxp\Application Data\Ludoofx
[2012/01/13 10:00:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\winxp\Application Data\Uvob

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2012/02/01 15:33:55 | 002,923,879 | ---- | C] ()(C:\Documents and Settings\winxp\Desktop\1015??.rar) -- C:\Documents and Settings\winxp\Desktop\1015唛头.rar
[2012/02/01 15:24:38 | 002,923,879 | ---- | M] ()(C:\Documents and Settings\winxp\Desktop\1015??.rar) -- C:\Documents and Settings\winxp\Desktop\1015唛头.rar
[2010/12/31 17:49:35 | 002,175,820 | ---- | M] ()(C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_????12-31.jpg) -- C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_复制副本12-31.jpg
[2010/12/31 17:33:51 | 002,175,820 | ---- | C] ()(C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_????12-31.jpg) -- C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_复制副本12-31.jpg

< End of report >

#6
Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here and double click on mbam-setup.exe to install the application

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Click on Check for Updates button.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#7
winsomemy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Thanks again for the follow-up..

I downloaded Malwarebytes' Anti-Malware and have run it... was not asked to restart...

Here is the log...

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.08.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.11
winxp :: HEMA [administrator]

3/8/2012 1:32:01 PM
mbam-log-2012-03-08 (13-32-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 182817
Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Documents and Settings\winxp\Local Settings\Application Data\mtg (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\winxp\Templates\mtg (Trojan.MultipleAV.Gen) -> Quarantined and deleted successfully.

Files Detected: 0
(No malicious items detected)

(end)

#8
Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
We should proceed with a general antimalware scan, which can take quite a long time, so please be patient.

Download Virus Removal Tool (VRT) from Here to your desktop
(You have to enter your e-mail address and click on the Submit Form button. Please download the latest English version of this tool.)

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.

Click the cog in the upper right.

Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.
(Please be patient, as this scan can take a few hours.)

Allow VRT to delete all infections found.
Once it has finished, select the Report tab (last tab).
Select the Detected threats report from the left and press the Save button.
Save it to your desktop and attach it to your next post.


Now the Analysis

Rerun VRT, select the Manual Disinfection tab and press Start Gathering System Information.

On completion, click the link to locate the zip file to upload, and attach it to your next post.

#9
winsomemy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
I have installed VRT and done the scanning. The estimated completion time shown was 7 hours, so I let it run overnight, but I forgot that I needed to select an option to delete when an infection is found... It was stuck at 17% with an infection. I put a check on "apply the same action of delete to all subsequent findings" this morning and let it continue running. It now says it might take 2 days. I hope it will be shorter, but I will post a report as soon as it completes. Sorry for such a delay.....

#10
Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
OK.

#11
winsomemy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Hi..

Here is the VRT report.

Status: Disinfected (events: 10)
3/10/2012 11:24:29 AM Disinfected Trojan program Trojan-Spy.Win32.Zbot.clks Main Identity\Local Folders\Sent Items\[From:"HEMA" <[email protected]>][Subject:Shipment Notification N-id: 268439330.60937400 1319194068][Time:2011/10/21 18:45:36]/346678532.zip High
3/10/2012 11:24:27 AM Disinfected Trojan program Trojan-Spy.Win32.Zbot.clks Main Identity\Local Folders\Sent Items\[From:"HEMA" <[email protected]>][Subject:Shipment Notification N-id: 268439330.60937400 1319194068][Time:2011/10/21 18:45:36]/346678532.zip/346678532.exe High
3/10/2012 11:24:27 AM Disinfected Trojan program Trojan-Spy.Win32.Zbot.clks Main Identity\Local Folders\Sent Items\[From:"HEMA" <[email protected]>][Subject:Shipment Notification N-id: 268439330.60937400 1319194068][Time:2011/10/21 18:45:36]/346678532.zip/346678532.exe//UPX High
3/10/2012 12:07:38 PM Disinfected Trojan program Trojan-Dropper.Win32.Injector.bson Main Identity\Local Folders\Sent Items\[From:"HEMA" <[email protected]>][Subject:DHL Delivery Notification Message 8M3399JS9CL0CUT9U][Time:2012/01/12 15:02:53]/DHL-International_Shipment_Notification_472253071-01052012.zip/DHL-International_Shipment_Notification_.exe//UPX//PE_Patch//PE_Patch High
3/10/2012 12:07:38 PM Disinfected Trojan program Trojan-Dropper.Win32.Injector.bson Main Identity\Local Folders\Sent Items\[From:"HEMA" <[email protected]>][Subject:DHL Delivery Notification Message 8M3399JS9CL0CUT9U][Time:2012/01/12 15:02:53]/DHL-International_Shipment_Notification_472253071-01052012.zip/DHL-International_Shipment_Notification_.exe//UPX//PE_Patch High
3/10/2012 12:07:38 PM Disinfected Trojan program Trojan-Dropper.Win32.Injector.bson Main Identity\Local Folders\Sent Items\[From:"HEMA" <[email protected]>][Subject:DHL Delivery Notification Message 8M3399JS9CL0CUT9U][Time:2012/01/12 15:02:53]/DHL-International_Shipment_Notification_472253071-01052012.zip/DHL-International_Shipment_Notification_.exe//UPX High
3/10/2012 12:07:38 PM Disinfected Trojan program Trojan-Dropper.Win32.Injector.bson Main Identity\Local Folders\Sent Items\[From:"HEMA" <[email protected]>][Subject:DHL Delivery Notification Message 8M3399JS9CL0CUT9U][Time:2012/01/12 15:02:53]/DHL-International_Shipment_Notification_472253071-01052012.zip/DHL-International_Shipment_Notification_.exe High
3/10/2012 12:07:40 PM Disinfected Trojan program Trojan-Dropper.Win32.Injector.bson Main Identity\Local Folders\Sent Items\[From:"HEMA" <[email protected]>][Subject:DHL Delivery Notification Message 8M3399JS9CL0CUT9U][Time:2012/01/12 15:02:53]/DHL-International_Shipment_Notification_472253071-01052012.zip High
3/10/2012 12:09:24 PM Disinfected Trojan program Trojan-Dropper.Win32.Injector.byyr Main Identity\Local Folders\Sent Items\[From:"HEMA" <[email protected]>][Subject:Re: DHL Parcel Tracking Notification 8568296976268216][Time:2012/01/18 15:42:07]/dhl-international-shipping-notification_06156012_IDUG38CCJ.zip/dhl-international-shipping-ID-notification.exe High
3/10/2012 12:09:25 PM Disinfected Trojan program Trojan-Dropper.Win32.Injector.byyr Main Identity\Local Folders\Sent Items\[From:"HEMA" <[email protected]>][Subject:Re: DHL Parcel Tracking Notification 8568296976268216][Time:2012/01/18 15:42:07]/dhl-international-shipping-notification_06156012_IDUG38CCJ.zip High
Status: Will be deleted when the computer is restarted (events: 7)
3/10/2012 1:16:08 PM Will be deleted when the computer is restarted Trojan program Packed.Win32.Katusha.j C:\System Volume Information\_restore{E94477D1-BB3A-4D4D-BB88-1CCDC1599D35}\RP1159\A0169022.exe High
3/10/2012 1:16:08 PM Will be deleted when the computer is restarted Trojan program Packed.Win32.Katusha.j C:\System Volume Information\_restore{E94477D1-BB3A-4D4D-BB88-1CCDC1599D35}\RP1159\A0169023.exe High
3/10/2012 1:16:09 PM Will be deleted when the computer is restarted Trojan program Packed.Win32.Katusha.j C:\System Volume Information\_restore{E94477D1-BB3A-4D4D-BB88-1CCDC1599D35}\RP1159\A0169024.exe High
3/10/2012 1:18:58 PM Will be deleted when the computer is restarted Trojan program Packed.Win32.Katusha.j C:\System Volume Information\_restore{E94477D1-BB3A-4D4D-BB88-1CCDC1599D35}\RP1159\A0169025.exe High
3/10/2012 1:19:01 PM Will be deleted when the computer is restarted Trojan program Trojan-Spy.Win32.Zbot.clks C:\System Volume Information\_restore{E94477D1-BB3A-4D4D-BB88-1CCDC1599D35}\RP1159\A0169028.exe//UPX High
3/10/2012 1:19:03 PM Will be deleted when the computer is restarted Trojan program Trojan-Dropper.Win32.Injector.bsve C:\System Volume Information\_restore{E94477D1-BB3A-4D4D-BB88-1CCDC1599D35}\RP1159\A0169029.exe High
3/10/2012 1:19:01 PM Will be deleted when the computer is restarted Trojan program Trojan-Spy.Win32.Zbot.clks C:\System Volume Information\_restore{E94477D1-BB3A-4D4D-BB88-1CCDC1599D35}\RP1159\A0169028.exe High
Status: Deleted (events: 1)
3/10/2012 1:29:00 PM Deleted Trojan program Backdoor.Win32.Hupigon.cfeh C:\System Volume Information\_restore{E94477D1-BB3A-4D4D-BB88-1CCDC1599D35}\RP1175\A0172616.inf High


Attached is the zip file.

Thanks..

#12
Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
How is your computer running now? Any problems?

#13
winsomemy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
There isn't any more "trojan found" message coming out so far. There is no other sign of malware. I am not sure whether the malware has been totally cleaned off, though.

#14
Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
OTL Custom Scan

  • Double-click on the OTL icon to run it.
  • Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scans/Fixes box, copy and paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    consrv.dll
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open OTL.Txt in a Notepad window.
  • Please copy (Edit->Select All, Edit->Copy) the content of this file and post it with your next reply.

#15
winsomemy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Here is the OTL log..

OTL logfile created on: 3/14/2012 6:36:26 PM - Run 3
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\winxp\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.09 Gb Total Physical Memory | 0.51 Gb Available Physical Memory | 46.38% Memory free
1.71 Gb Paging File | 1.17 Gb Available in Paging File | 68.62% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 24.41 Gb Total Space | 8.40 Gb Free Space | 34.40% Space Free | Partition Type: NTFS
Drive D: | 12.85 Gb Total Space | 4.19 Gb Free Space | 32.60% Space Free | Partition Type: NTFS

Computer Name: HEMA | User Name: winxp | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/01 13:03:02 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\winxp\Desktop\OTL.exe
PRC - [2012/02/15 07:03:14 | 024,246,216 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\winxp\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/10/18 09:05:28 | 002,042,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/08/22 09:19:25 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/22 09:19:24 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/22 09:19:18 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/22 09:19:11 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/22 09:19:08 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/01/26 15:31:16 | 002,144,088 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/06/10 04:27:04 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008/06/10 04:27:03 | 000,329,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
PRC - [2008/04/14 08:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2008/04/14 08:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 08:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/01/19 12:33:38 | 000,078,336 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LXCZPP5C.DLL
MOD - [2003/07/29 05:45:10 | 000,078,336 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LXBRPP5C.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2009/08/22 09:19:11 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/22 09:19:08 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)


========== Driver Services (SafeList) ==========

DRV - [2009/10/20 18:47:46 | 000,113,280 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2009/10/12 15:21:54 | 000,100,736 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbdev.sys -- (hwusbdev)
DRV - [2009/09/10 14:55:52 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009/08/22 09:19:25 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/08/22 09:19:24 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/05/12 08:48:55 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2008/04/14 02:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/03/10 13:32:46 | 000,076,560 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2004/08/04 06:29:52 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3SavageNB)
DRV - [2001/08/17 22:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1547161642-1284227242-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.my/
IE - HKU\S-1-5-21-1547161642-1284227242-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"



FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/04 16:13:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.25\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/12/22 16:17:34 | 000,000,000 | ---D | M]

[2010/03/22 13:51:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\winxp\Application Data\Mozilla\Extensions
[2010/10/07 11:46:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\winxp\Application Data\Mozilla\Firefox\Profiles\sbnokl62.default\extensions
[2012/03/09 16:07:26 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/10/03 05:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.56\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.56\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\17.0.963.56\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\winxp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Documents and Settings\winxp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.17_0\
CHR - Extension: Gmail = C:\Documents and Settings\winxp\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/03/07 11:24:41 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-1547161642-1284227242-725345543-1004..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\winxp\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\winxp\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1547161642-1284227242-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1547161642-1284227242-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = [binary data]
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{379F3389-7EF6-4C5C-8C1A-D94EB280DC2C}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - (avgrsstx.dll) - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/24 21:19:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1547161642-1284227242-725345543-1004\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/03/13 16:30:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\My Documents\syts u photo
[2012/03/13 16:28:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\New Folder (3)
[2012/03/13 15:55:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\RENEE DOC-13 MAR
[2012/03/12 12:20:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\winxp\Recent
[2012/03/08 13:29:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/08 13:29:41 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/03/07 11:24:29 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/03/06 11:16:05 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Documents and Settings\winxp\Desktop\aswMBR.exe
[2012/03/01 13:02:44 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\winxp\Desktop\OTL.exe
[2012/02/29 17:38:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\winxp\My Documents\Dropbox
[2012/02/29 17:35:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\Start Menu\Programs\Dropbox
[2012/02/29 17:34:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\Application Data\Dropbox
[2012/02/24 15:06:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/02/24 14:59:27 | 000,000,000 | ---D | C] -- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
[2012/02/24 14:59:25 | 000,000,000 | ---D | C] -- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
[2012/02/24 14:59:23 | 000,000,000 | ---D | C] -- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
[2012/02/24 14:59:22 | 000,000,000 | ---D | C] -- C:\Program Files\SDHelper (Spybot - Search & Destroy)
[2012/02/22 11:15:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\winxp\My Documents\pic artwork

========== Files - Modified Within 30 Days ==========

[2012/03/14 17:32:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/14 17:32:13 | 1173,938,176 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/14 17:32:13 | 000,196,960 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/14 12:55:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/14 12:28:15 | 001,381,592 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\03-14-2012 12;28;06PM.pdf
[2012/03/14 09:05:51 | 078,304,535 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2012/03/13 15:24:59 | 000,746,334 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\2063 - BL (PG 1).pdf
[2012/03/11 13:17:31 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/11 13:05:05 | 000,017,607 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\avptool_sysinfo.zip
[2012/03/10 13:29:00 | 000,002,752 | -HS- | M] () -- C:\WINDOWS\0926399drv.spi
[2012/03/09 14:05:59 | 123,437,576 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\setup_11.0.0.1245.x01_2012_03_09_07_09.exe
[2012/03/08 13:29:45 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/07 17:15:41 | 001,238,414 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\03-07-2012 05;15;21PM.pdf
[2012/03/07 11:24:41 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/03/07 08:50:26 | 000,248,174 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\03-07-2012 08;49;10AM.pdf
[2012/03/06 12:40:48 | 000,000,510 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\MBR.zip
[2012/03/06 12:38:14 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\MBR.dat
[2012/03/06 11:57:40 | 000,511,576 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\39929-My Desktop Organiser-N.jpg
[2012/03/06 11:16:09 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Documents and Settings\winxp\Desktop\aswMBR.exe
[2012/03/01 13:03:02 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\winxp\Desktop\OTL.exe
[2012/02/29 17:38:14 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\winxp\Desktop\Dropbox.lnk
[2012/02/29 17:35:44 | 000,000,994 | ---- | M] () -- C:\Documents and Settings\winxp\Start Menu\Programs\Startup\Dropbox.lnk
[2012/02/29 12:15:26 | 001,918,745 | ---- | M] () -- C:\Documents and Settings\winxp\My Documents\1655796-ciseaux.pdf
[2012/02/27 15:36:22 | 000,244,668 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 03;36;09PM.pdf
[2012/02/27 10:30:57 | 000,253,359 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 10;30;04AM.pdf
[2012/02/27 10:16:42 | 000,677,607 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 10;16;18AM.pdf
[2012/02/24 15:06:57 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\winxp\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/02/24 14:51:25 | 000,314,508 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/24 14:51:25 | 000,040,836 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/23 17:44:36 | 000,211,487 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-23-2012 05;44;22PM.pdf
[2012/02/23 16:49:28 | 000,227,540 | ---- | M] () -- C:\Documents and Settings\winxp\My Documents\IMG_23022012_094907.png
[2012/02/20 11:50:58 | 000,481,483 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-20-2012 11;50;35AM.pdf
[2012/02/20 11:44:34 | 000,507,750 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-20-2012 11;44;14AM.pdf
[2012/02/14 16:39:52 | 001,160,664 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\P1010014.JPG
[2012/02/14 12:47:36 | 000,829,033 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\02-14-2012 12;47;07PM.pdf

========== Files Created - No Company Name ==========

[2012/03/14 12:54:51 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/03/14 12:28:15 | 001,381,592 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\03-14-2012 12;28;06PM.pdf
[2012/03/13 15:24:39 | 000,746,334 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\2063 - BL (PG 1).pdf
[2012/03/13 08:02:08 | 000,196,960 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/11 13:06:41 | 000,017,607 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\avptool_sysinfo.zip
[2012/03/10 13:16:06 | 000,002,752 | -HS- | C] () -- C:\WINDOWS\0926399drv.spi
[2012/03/09 13:48:50 | 123,437,576 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\setup_11.0.0.1245.x01_2012_03_09_07_09.exe
[2012/03/08 13:29:45 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/07 17:15:41 | 001,238,414 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\03-07-2012 05;15;21PM.pdf
[2012/03/07 08:50:26 | 000,248,174 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\03-07-2012 08;49;10AM.pdf
[2012/03/06 12:40:48 | 000,000,510 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\MBR.zip
[2012/03/06 12:38:14 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\MBR.dat
[2012/03/06 11:57:00 | 000,511,576 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\39929-My Desktop Organiser-N.jpg
[2012/02/29 17:38:14 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\winxp\Desktop\Dropbox.lnk
[2012/02/29 17:35:44 | 000,000,994 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\Startup\Dropbox.lnk
[2012/02/29 12:15:26 | 001,918,745 | ---- | C] () -- C:\Documents and Settings\winxp\My Documents\1655796-ciseaux.pdf
[2012/02/27 15:36:22 | 000,244,668 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 03;36;09PM.pdf
[2012/02/27 10:30:57 | 000,253,359 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 10;30;04AM.pdf
[2012/02/27 10:16:41 | 000,677,607 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-27-2012 10;16;18AM.pdf
[2012/02/25 12:24:33 | 1173,938,176 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/24 15:06:57 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\winxp\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/02/23 17:44:36 | 000,211,487 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-23-2012 05;44;22PM.pdf
[2012/02/23 16:49:18 | 000,227,540 | ---- | C] () -- C:\Documents and Settings\winxp\My Documents\IMG_23022012_094907.png
[2012/02/20 11:50:58 | 000,481,483 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-20-2012 11;50;35AM.pdf
[2012/02/20 11:44:34 | 000,507,750 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-20-2012 11;44;14AM.pdf
[2012/02/18 13:59:34 | 000,000,881 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\Ad-Aware.lnk
[2012/02/18 13:59:05 | 000,000,807 | ---- | C] () -- C:\Documents and Settings\winxp\Start Menu\Programs\SpybotSD.lnk
[2012/02/15 12:35:56 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/15 12:35:56 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/14 16:39:19 | 001,160,664 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\P1010014.JPG
[2012/02/14 12:47:36 | 000,829,033 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\02-14-2012 12;47;07PM.pdf
[2010/03/22 13:51:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/03/22 08:48:01 | 000,012,028 | -HS- | C] () -- C:\Documents and Settings\winxp\Local Settings\Application Data\4Jp87e378L
[2010/03/22 08:48:01 | 000,012,028 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\4Jp87e378L

========== LOP Check ==========

[2007/05/28 12:00:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Emjysoft
[2012/03/14 17:38:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\winxp\Application Data\Dropbox
[2012/02/01 15:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\winxp\Application Data\Ludoofx
[2012/01/13 10:00:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\winxp\Application Data\Uvob

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008/04/14 08:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 08:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 19:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 18:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/14 08:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 08:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2004/08/04 20:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 20:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/14 08:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 08:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 20:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/14 08:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 08:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/12/22 16:17:33 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/12/22 16:17:33 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/12/22 16:17:33 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/12/22 16:17:31 | 000,912,856 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/12/22 16:17:31 | 000,912,856 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/12/22 16:17:31 | 000,912,856 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/12/16 20:22:03 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/12/16 20:22:03 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/12/16 20:22:03 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: iexplore.exe

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/12/22 16:17:33 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/12/22 16:17:33 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/12/22 16:17:33 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/12/22 16:17:31 | 000,912,856 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/12/22 16:17:31 | 000,912,856 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/12/22 16:17:31 | 000,912,856 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/12/16 20:22:03 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/12/16 20:22:03 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/12/16 20:22:03 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: iexplore.exe

========== Files - Unicode (All) ==========
[2012/02/01 15:33:55 | 002,923,879 | ---- | C] ()(C:\Documents and Settings\winxp\Desktop\1015??.rar) -- C:\Documents and Settings\winxp\Desktop\1015唛头.rar
[2012/02/01 15:24:38 | 002,923,879 | ---- | M] ()(C:\Documents and Settings\winxp\Desktop\1015??.rar) -- C:\Documents and Settings\winxp\Desktop\1015唛头.rar
[2010/12/31 17:49:35 | 002,175,820 | ---- | M] ()(C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_????12-31.jpg) -- C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_复制副本12-31.jpg
[2010/12/31 17:33:51 | 002,175,820 | ---- | C] ()(C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_????12-31.jpg) -- C:\Documents and Settings\winxp\Desktop\88131-NEWArt-tray&adaptor (OP)_复制副本12-31.jpg

< End of report >
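An added triage script for logs like the one above (this is example code written for this page, not OTL's own logic and not anything posted in this thread). It parses the file-entry lines OTL prints and automates three checks a helper normally does by eye: comparing the MD5 of each live Windows binary (C:\WINDOWS or system32) with the ServicePackFiles\i386 reference copy OTL hashes next to it, listing O4 autostart values whose target OTL reports as "File not found", and listing hidden+system files inside user profiles. The sample lines are excerpted from the log above, except one constructed winlogon.exe line with an all-zero hash that exists only to exercise the mismatch branch. Which directories count as "live" and "reference", and the hidden+system heuristic, are assumptions of the example; a flag is a prompt to look closer, not a verdict about this machine.

```python
"""Triage helpers for OTL (OldTimer's List-It) log lines: an added example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One OTL file entry: [date time | size | attrs | C-or-M] (Company) MD5=... -- path
# The company group is optional because directory entries omit it.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))?"
    r"(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>.+?)\s*$"
)

# Assumption of this example: where the live copy and the reference copy live.
LIVE_DIRS = {"c:\\windows", "c:\\windows\\system32"}
REFERENCE_DIR = "c:\\windows\\servicepackfiles\\i386"
PROFILE_ROOT = "c:\\documents and settings\\"


@dataclass
class FileEntry:
    timestamp: str
    size: int
    attrs: str
    company: str
    md5: Optional[str]
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_entry(line: str) -> Optional[FileEntry]:
    """Parse one OTL file line; returns None for lines in any other format (O2, O4, ...)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return FileEntry(
        timestamp=m["ts"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        company=m["company"] or "",
        md5=m["md5"].upper() if m["md5"] else None,
        path=m["path"],
    )


def check_system_hashes(entries: List[FileEntry]) -> Dict[str, str]:
    """Per live Windows binary: 'match', 'MISMATCH' or 'no-reference' against the
    Service Pack copy. Pre-SP backups ($NtServicePackUninstall$, $hf_mig$) and
    third-party copies elsewhere on disk legitimately differ and are ignored."""
    live: Dict[str, FileEntry] = {}
    ref: Dict[str, FileEntry] = {}
    for e in entries:
        if e.md5 is None:
            continue
        if e.parent in LIVE_DIRS:
            live[e.name] = e
        elif e.parent == REFERENCE_DIR:
            ref[e.name] = e
    result: Dict[str, str] = {}
    for name, e in live.items():
        if name not in ref:
            result[name] = "no-reference"
        elif e.md5 == ref[name].md5 and e.size == ref[name].size:
            result[name] = "match"
        else:
            result[name] = "MISMATCH"
    return result


def missing_autostart_targets(lines: List[str]) -> List[str]:
    """Value names of O4 (Run key / Startup) entries whose target OTL could not find.
    Usually an uninstall leftover, but also what a partly cleaned loader leaves behind."""
    out = []
    for line in lines:
        s = line.strip()
        if s.startswith("O4 ") and s.endswith("File not found"):
            value = re.search(r"\[([^\]]+)\]", s)
            out.append(value.group(1) if value else s)
    return out


def hidden_system_in_profiles(entries: List[FileEntry]) -> List[str]:
    """Files (not directories) with both Hidden and System attributes under a user
    profile. Windows rarely writes such files there, so they get identified by hand."""
    return [
        e.path for e in entries
        if "H" in e.attrs and "S" in e.attrs and "D" not in e.attrs
        and e.path.lower().startswith(PROFILE_ROOT)
    ]


def analyze(log_text: str) -> Dict[str, object]:
    """Run all three checks over raw OTL log text."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    entries = [e for e in map(parse_entry, lines) if e is not None]
    return {
        "hashes": check_system_hashes(entries),
        "orphan_autostart": missing_autostart_targets(lines),
        "hidden_system_profile_files": hidden_system_in_profiles(entries),
    }


# Sample input: lines excerpted from the OTL log posted above.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd File not found
[2012/03/10 13:16:06 | 000,002,752 | -HS- | C] () -- C:\WINDOWS\0926399drv.spi
[2010/03/22 08:48:01 | 000,012,028 | -HS- | C] () -- C:\Documents and Settings\winxp\Local Settings\Application Data\4Jp87e378L
[2012/03/12 12:20:43 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\winxp\Recent
[2008/04/14 08:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 08:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 18:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2008/04/14 08:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 08:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2008/04/14 08:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
[2008/04/14 08:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
"""

# CONSTRUCTED line, not from the log above: a live winlogon.exe with a bogus
# all-zero hash, included only so the MISMATCH branch is exercised.
CONSTRUCTED_MISMATCH = r"""
[2008/04/14 08:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\system32\winlogon.exe
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG + CONSTRUCTED_MISMATCH).items():
        print(key, value)
```

On the excerpt, explorer.exe and svchost.exe report "match", userinit.exe reports "no-reference" because its ServicePackFiles line was left out of the sample, the Malwarebytes Chameleon svchost.exe copy is ignored rather than treated as a mismatch, and only the constructed winlogon.exe line produces "MISMATCH". The orphaned Cmaudio Run value and the hidden+system file under the winxp profile are listed for manual review; neither check decides on its own whether the item is malicious.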