Csrss.exe trojan please help ASAP (Firefox crashed / didn't restore wind



#1 flakeup (New Member)
Microsoft confirmed I have the virus when they checked the command prompt: csrss.exe (which sends email PWs or unnecessary ones) and downloadhelp.exe. It already shut down security tasks, and Kaspersky didn't catch it, maybe because Malwarebytes was installed too?

Please help with the removal! He said if I reboot I may get the blue screen, which can make it worse. What should I do??

Thanks

Using Windows XP

LOG:

DDS FILE:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Os at 17:10:28 on 2012-04-19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.378 [GMT -4:00]
.
AV: Kaspersky Internet Security *Enabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Os\LOCALS~1\Temp\TeamViewer\Version7\TeamViewer.exe
C:\DOCUME~1\Os\LOCALS~1\Temp\TeamViewer\Version7\tv_w32.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11e_Plugin.exe -update plugin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [jswtrayutil] "c:\program files\netgear\wna1100\jswtrayutil.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\os\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna1100\WNA1100.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} - hxxps://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262676841203
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262676836453
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{37F52497-B5D4-4FFF-8FA0-43DE8A52246C} : DhcpNameServer = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\os\application data\mozilla\firefox\profiles\3qc9ow07.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\mozilla firefox\extensions\[email protected]\components\KavLinkFilter.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
.txt=Word Reader-TXT
.
=============== Created Last 30 ================
.
2012-04-19 20:10:05 -------- d-----w- c:\documents and settings\os\application data\TeamViewer
2012-04-03 0548 -------- d-----w- C:\HakkasanApr2
2012-03-30 21:20:14 -------- d-----w- C:\kaspseria
2012-03-29 16:42:22 -------- d-----w- c:\program files\iPod
2012-03-29 16:42:16 -------- d-----w- c:\program files\iTunes
2012-03-29 16:22:10 -------- d-----w- C:\simon
2012-03-22 20:50:49 -------- d-----w- c:\program files\HitmanPro
2012-03-22 20:44:36 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
.
==================== Find3M ====================
.
2012-03-03 05:20:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 16:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-02-01 00:47:24 709968 ----a-w- c:\windows\isRS-000.tmp
2007-03-09 07:12:32 27648 --sha-w- c:\windows\system32\AVSredirect.dll
.
============= FINISH: 17:15:28.49 ===============


... and HijackThis log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:28:25 PM, on 4/19/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Os\LOCALS~1\Temp\TeamViewer\Version7\TeamViewer.exe
C:\DOCUME~1\Os\LOCALS~1\Temp\TeamViewer\Version7\tv_w32.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\ievkbd.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files\NETGEAR\WNA1100\jswtrayutil.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil11e_Plugin.exe -update plugin
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: NETGEAR WNA1100 Smart Wizard.lnk = ?
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - https://install.home...ive/HS_live.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1262676841203
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1262676836453
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell....lSystemLite.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: avgrsstarter - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: JumpStart Wi-Fi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: WSWNA1100 - Unknown owner - C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe

--
End of file - 9856 bytes

Edited by flakeup, 19 April 2012 - 03:28 PM.

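A check a helper applies by eye to the "Running processes" list in a HijackThis log, written out here as an added example (it is not code from this thread, from HijackThis or from DDS): a binary carrying the name of a core Windows process but running from outside its expected folder, or anything executing from a Temp directory, gets flagged. It assumes the HijackThis layout (the section ends at the first blank line) and the Windows XP system folders; the sample log is a constructed excerpt of the posted one, with one fabricated `C:\WINDOWS\csrss.exe` line added so the check has a hit.

```python
"""Triage of the 'Running processes' section of a HijackThis log.

Added example, not part of the thread and not HijackThis code. Two checks
a malware-removal helper does by eye are automated here:
  1. a process whose file name matches a core Windows process but whose
     directory is not the one Windows XP installs it in;
  2. any process executing from a Temp folder.
"""
import ntpath
import re

# Core Windows XP processes and the only directory each should run from.
# Paths are compared case-insensitively.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Matches a "\Temp\" path component, including the 8.3 form LOCALS~1\Temp.
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed excerpt: lines from the posted log plus one fabricated
# C:\WINDOWS\csrss.exe entry (csrss.exe belongs in System32).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Os\LOCALS~1\Temp\TeamViewer\Version7\TeamViewer.exe
C:\DOCUME~1\Os\LOCALS~1\Temp\TeamViewer\Version7\tv_w32.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
C:\WINDOWS\csrss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
"""


def parse_processes(log_text):
    """Return the full paths listed under 'Running processes:'.

    HijackThis prints one path per line and ends the section with a
    blank line, so collection stops at the first empty line.
    """
    paths = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("running processes"):
            in_section = True
            continue
        if in_section:
            if not stripped:
                break
            paths.append(stripped)
    return paths


def triage(paths):
    """Return a list of (path, reason) for every path failing a check."""
    findings = []
    for path in paths:
        name = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        expected = EXPECTED_DIR.get(name)
        if expected is not None and directory != expected:
            findings.append((path, f"{name} outside {expected}"))
        if TEMP_RE.search(path):
            findings.append((path, "executing from a Temp directory"))
    return findings


def triage_log(log_text):
    """Parse a HijackThis log and return the triage findings."""
    return triage(parse_processes(log_text))


if __name__ == "__main__":
    for path, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

Legitimate software such as TeamViewer is also flagged when it runs from Temp; the output is a review list for the helper, not a verdict.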


#2 Essexboy (GeekU Moderator, Retired Staff)
Could you run these two analysis programmes for me please - neither requires a reboot. What are your symptoms?

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    consrv.dll
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    C:\Windows\assembly\tmp\U\*.* /s
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan click save log, save it to your desktop and post in your next reply


#3 flakeup (Topic Starter, New Member)
What should I do from here??
(I see an infection on the aswMBR log)
Thanks


OTL logfile created on: 4/19/2012 6:04:32 PM - Run 1
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Documents and Settings\Os\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.33 Gb Available Physical Memory | 16.34% Memory free
3.83 Gb Paging File | 1.64 Gb Available in Paging File | 42.84% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 68.73 Gb Free Space | 46.14% Space Free | Partition Type: NTFS

Computer Name: D9BH4YF1 | User Name: Os | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/19 17:59:18 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Os\Desktop\OTL.exe
PRC - [2012/03/18 14:57:29 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/02/15 11:32:12 | 000,055,144 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
PRC - [2010/04/12 18:46:36 | 001,135,912 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2009/12/10 12:13:56 | 004,562,944 | ---- | M] () -- C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
PRC - [2009/11/27 13:04:44 | 000,278,528 | ---- | M] () -- C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
PRC - [2009/02/20 14:23:26 | 000,495,700 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2008/10/20 00:54:44 | 000,185,872 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/03/18 14:57:28 | 001,969,080 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/01/31 19:55:56 | 008,527,008 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/09/27 08:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 08:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/06/19 17:22:42 | 000,016,832 | ---- | M] () -- C:\Program Files\Adobe\Reader 9.0\Reader\ViewerPS.dll
MOD - [2010/04/12 18:46:46 | 000,095,528 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2010/04/12 18:46:36 | 001,135,912 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2009/12/10 12:13:56 | 004,562,944 | ---- | M] () -- C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
MOD - [2009/11/27 13:04:44 | 000,278,528 | ---- | M] () -- C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
MOD - [2009/11/20 15:22:28 | 000,212,992 | ---- | M] () -- C:\Program Files\NETGEAR\WNA1100\WifiLib.dll
MOD - [2009/08/28 17:50:18 | 000,282,624 | ---- | M] () -- C:\Program Files\NETGEAR\WNA1100\WifiSvcLib.dll
MOD - [2009/02/27 12:52:56 | 000,258,048 | ---- | M] () -- C:\Program Files\Adobe\Reader 9.0\Reader\sqlite.dll
MOD - [2008/09/16 21:18:06 | 000,132,608 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2008/04/14 08:00:00 | 000,498,742 | ---- | M] () -- C:\WINDOWS\system32\dxmasf.dll
MOD - [2008/04/14 08:00:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 20:11:59 | 000,376,832 | ---- | M] () -- C:\WINDOWS\pchealth\helpctr\binaries\msinfo.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/01/13 15:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/11/02 22:06:06 | 000,365,336 | ---- | M] (Kaspersky Lab ZAO) [Auto | Stopped] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe -- (AVP)
SRV - [2009/11/27 13:04:44 | 000,278,528 | ---- | M] () [Auto | Running] -- C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe -- (WSWNA1100)
SRV - [2009/11/05 17:08:36 | 000,360,529 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\NETGEAR\WNA1100\jswpsapi.exe -- (jswpsapi)
SRV - [2009/02/20 14:23:26 | 000,495,700 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2009/01/07 19:21:00 | 000,026,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\spupdsvc.exe -- (spupdsvc)
SRV - [2007/07/26 19:03:46 | 000,358,936 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/06/20 14:30:18 | 000,079,168 | ---- | M] (Broadcom Corporation) [Disabled | Stopped] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)
SRV - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) [Disabled | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\WG311v3XP.sys -- (W8335XP) NETGEAR WG311v3 802.11g Wireless PCI Adapter for Windows XP (8335)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\SBREdrv.sys -- (SBRE)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\Drivers\PROCEXP151.SYS -- (PROCEXP151)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\Os\LOCALS~1\Temp\mbr.sys -- (mbr)
DRV - File not found [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [File_System | Boot | Stopped] -- system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Boot | Stopped] -- -- (cerc6)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Os\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2011/08/09 17:33:58 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BANTExt.sys -- (BANTExt)
DRV - [2011/07/15 22:40:16 | 000,475,736 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2010/06/09 16:43:52 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl2.sys -- (kl2)
DRV - [2010/06/09 16:43:50 | 000,132,184 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (KL1)
DRV - [2010/05/07 11:06:26 | 000,032,856 | ---- | M] (Kaspersky Lab ZAO) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2009/11/25 13:21:00 | 001,710,944 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athuw.sys -- (AR9271)
DRV - [2009/11/02 19:27:24 | 000,019,472 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/01/30 18:13:20 | 000,058,208 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2008/09/25 19:07:00 | 000,057,440 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\jswscimd.sys -- (JSWSCIMD)
DRV - [2008/04/14 08:00:00 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2007/07/25 21:55:36 | 000,161,792 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2007/04/17 20:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\regi.sys -- (regi)
DRV - [2006/11/29 01:46:24 | 000,028,224 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\APLMp50.sys -- (APLMp50)
DRV - [2006/03/17 19:18:58 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [1999/09/10 12:06:00 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\Aspi32.sys -- (ASPI32)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080325
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080325
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
IE - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.2
FF - prefs.js..extensions.enabledItems: [email protected]:1.01
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:9.0.0.736
FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe30}:0.6.9.3
FF - prefs.js..extensions.enabledItems: {84417002-6445-49b4-9fd7-1ef48240fa41}:1.0.6
FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.7.3
FF - prefs.js..keyword.URL: "http://us.yhs.search...2-tb-web_us&p="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.69: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.69: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1d5287d1-8a92-0001-1f31-1cec198018d8}: C:\Program Files\AVG\AVG8\ToolbarFF
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\[email protected] [2011/07/15 22:55:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\[email protected] [2011/07/15 22:55:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/18 14:57:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/12 18:21:44 | 000,000,000 | ---D | M]

[2008/08/28 15:30:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Os\Application Data\Mozilla\Extensions
[2012/03/29 16:53:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Os\Application Data\Mozilla\Firefox\Profiles\3qc9ow07.default\extensions
[2009/08/02 01:49:13 | 000,000,000 | ---D | M] (Tab History) -- C:\Documents and Settings\Os\Application Data\Mozilla\Firefox\Profiles\3qc9ow07.default\extensions\{84417002-6445-49b4-9fd7-1ef48240fa41}
[2012/03/29 16:53:19 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Os\Application Data\Mozilla\Firefox\Profiles\3qc9ow07.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012/03/03 02:26:47 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Os\Application Data\Mozilla\Firefox\Profiles\3qc9ow07.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/01/11 01:35:54 | 000,000,000 | ---D | M] (User Agent Switcher) -- C:\Documents and Settings\Os\Application Data\Mozilla\Firefox\Profiles\3qc9ow07.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2010/01/17 17:43:04 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Os\Application Data\Mozilla\Firefox\Profiles\3qc9ow07.default\extensions\[email protected]
[2009/07/04 00:03:55 | 000,000,000 | ---D | M] (Tab buttons) -- C:\Documents and Settings\Os\Application Data\Mozilla\Firefox\Profiles\3qc9ow07.default\extensions\[email protected]
[2012/02/18 18:15:20 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/07/15 22:42:32 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- C:\Program Files\Mozilla Firefox\extensions\[email protected]_bak
[2012/03/18 14:57:30 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2009/08/31 15:55:51 | 000,442,368 | ---- | M] (Invenda Corporation) -- C:\Program Files\mozilla firefox\plugins\NPcol308.dll
[2011/11/10 06:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/02/18 18:14:32 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/18 18:14:32 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========


O1 HOSTS File: ([2008/04/14 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\ievkbd.dll (Kaspersky Lab ZAO)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found.
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [jswtrayutil] "C:\Program Files\NETGEAR\WNA1100\jswtrayutil.exe" File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\system32\tscupgrd.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-200287221-3165070041-3785318082-1006..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil11e_Plugin.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WNA1100 Smart Wizard.lnk = C:\Program Files\NETGEAR\WNA1100\WNA1100.exe ()
O4 - Startup: C:\Documents and Settings\Os\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-200287221-3165070041-3785318082-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\mswsock.dll File not found
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} https://install.home...ive/HS_live.cab (HS_live Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1262676841203 (WUWebControl Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1262676836453 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell....lSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{37F52497-B5D4-4FFF-8FA0-43DE8A52246C}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\kloehk.dll (Kaspersky Lab ZAO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O20 - Winlogon\Notify\klogon: DllName - (C:\WINDOWS\system32\klogon.dll) - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab ZAO)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Dell.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (猀瀀爀攀猀琀爀琀)
O34 - HKLM BootExecute: (猀瀀爀攀猀琀爀琀)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: net1nsta - (C:\WINDOWS\system32\cmdlreg.dll) - File not found
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/04/19 17:59:18 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Os\Desktop\OTL.exe
[2012/04/19 17:27:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Os\Start Menu\Programs\HiJackThis
[2012/04/19 17:09:08 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Os\Desktop\dds.scr
[2012/04/19 17:08:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Os\Start Menu\Programs\Administrative Tools
[2012/04/19 16:10:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Os\Application Data\TeamViewer
[2012/04/03 01:06:48 | 000,000,000 | ---D | C] -- C:\HakkasanApr2
[2012/03/30 17:20:14 | 000,000,000 | ---D | C] -- C:\kaspseria
[2012/03/29 12:43:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/03/29 12:42:22 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/03/29 12:42:16 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/03/29 12:22:10 | 000,000,000 | ---D | C] -- C:\simon
[2012/03/22 16:50:49 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2012/03/22 16:44:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/19 17:59:18 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Os\Desktop\OTL.exe
[2012/04/19 17:27:51 | 000,001,978 | ---- | M] () -- C:\Documents and Settings\Os\Desktop\HiJackThis.lnk
[2012/04/19 17:06:47 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Os\Desktop\dds.scr
[2012/04/19 16:27:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/16 13:36:14 | 000,127,493 | ---- | M] () -- C:\apr21-22-green2.jpg
[2012/04/16 13:35:33 | 000,127,493 | ---- | M] () -- C:\apr21-22-greentwo.jpg
[2012/04/16 13:34:01 | 000,138,851 | ---- | M] () -- C:\apr21-22-green1.jpg
[2012/04/14 12:08:16 | 000,127,713 | ---- | M] () -- C:\Apr14-15-Kochcomic.jpg
[2012/04/14 12:05:28 | 000,131,961 | ---- | M] () -- C:\apr20-Resonance.jpg
[2012/04/14 11:45:22 | 000,092,303 | ---- | M] () -- C:\apr14-bar.jpg
[2012/04/13 10:42:20 | 000,092,793 | ---- | M] () -- C:\apr14-seams.jpg
[2012/04/12 18:45:43 | 000,073,793 | ---- | M] () -- C:\larrycard2.jpg
[2012/04/12 17:36:33 | 000,088,668 | ---- | M] () -- C:\Apr15-openh.jpg
[2012/04/12 17:36:06 | 000,130,445 | ---- | M] () -- C:\Apr15.png
[2012/04/12 17:32:29 | 000,105,997 | ---- | M] () -- C:\Apr14-chimp1.jpg
[2012/04/12 17:23:11 | 000,121,705 | ---- | M] () -- C:\Apr14-carshowNJ.jpg
[2012/04/11 10:32:25 | 000,072,501 | ---- | M] () -- C:\apr16-turk.jpg
[2012/04/10 22:30:17 | 000,093,887 | ---- | M] () -- C:\Apr11-sherrywines.jpg
[2012/04/10 22:30:07 | 000,077,000 | ---- | M] () -- C:\Apr11-sherrywines2.jpg
[2012/04/10 15:51:38 | 001,409,473 | ---- | M] () -- C:\Documents and Settings\Os\Desktop\Origamizer043.zip
[2012/04/10 15:31:14 | 000,136,947 | ---- | M] () -- C:\Apr11-cabin.jpg
[2012/04/09 18:54:06 | 000,216,060 | ---- | M] () -- C:\Apr8-ronwoodgallery2.sJPG
[2012/04/09 18:53:56 | 000,300,643 | ---- | M] () -- C:\Apr8-ronwoodgallery.sJPG
[2012/04/08 18:21:02 | 000,112,255 | ---- | M] () -- C:\Apr12-Metamorph.jpg
[2012/04/08 18:09:59 | 000,036,117 | ---- | M] () -- C:\Apr14-ShirHash.jpg
[2012/04/08 18:09:41 | 000,036,117 | ---- | M] () -- C:\Shir-Hashirim.jpg
[2012/04/08 02:50:34 | 000,035,189 | ---- | M] () -- C:\Bsmith-coupon2011.jpg
[2012/04/07 18:17:33 | 000,272,021 | ---- | M] () -- C:\mar14-havana.jpg
[2012/04/07 13:49:53 | 000,085,541 | ---- | M] () -- C:\Apr13-Sohofest.jpg
[2012/04/06 19:30:20 | 000,161,310 | ---- | M] () -- C:\May8-storyville.jpg
[2012/04/06 19:28:31 | 000,070,938 | ---- | M] () -- C:\Apr12-Alessi.jpg
[2012/04/06 19:02:14 | 000,095,469 | ---- | M] () -- C:\Apr22-bronxhealth.jpg
[2012/04/06 18:59:28 | 000,033,568 | ---- | M] () -- C:\Apr17-cinnabon.jpg
[2012/04/06 18:49:26 | 000,086,715 | ---- | M] () -- C:\apr7-milk.jpg
[2012/04/06 00:06:55 | 000,042,151 | ---- | M] () -- C:\Guessprev.jpg
[2012/04/05 18:43:52 | 000,086,514 | ---- | M] () -- C:\apr12-carnival.jpg
[2012/04/05 18:03:32 | 000,058,127 | ---- | M] () -- C:\apr5-politics.jpg
[2012/04/05 18:00:08 | 000,187,471 | ---- | M] () -- C:\apr5-rica2.png
[2012/04/05 17:59:52 | 000,606,565 | ---- | M] () -- C:\apr5-rica.png
[2012/04/05 15:01:15 | 000,070,833 | ---- | M] () -- C:\Apr5-sluteverparty-westway.jpg
[2012/04/05 14:05:34 | 000,164,911 | ---- | M] () -- C:\apr14-chimpw.jpg
[2012/04/05 14:02:34 | 000,264,396 | ---- | M] () -- C:\apr14-chimp.jpg
[2012/04/05 13:57:22 | 000,096,211 | ---- | M] () -- C:\apr5-hennesy.jpg
[2012/04/05 13:30:22 | 000,192,333 | ---- | M] () -- C:\apr5-korean.jpg
[2012/04/05 11:00:12 | 000,056,964 | ---- | M] () -- C:\Apr7-Women.jpg
[2012/04/04 17:10:21 | 000,082,524 | ---- | M] () -- C:\Apr4-mlbfancave.jpg
[2012/04/04 10:24:57 | 000,116,432 | ---- | M] () -- C:\Zagatcard.jpg
[2012/04/03 14:49:06 | 000,059,372 | ---- | M] () -- C:\Apr4-reunion.jpg
[2012/04/03 14:40:02 | 000,047,633 | ---- | M] () -- C:\simonpp4.jpg
[2012/04/03 01:00:04 | 000,134,463 | ---- | M] () -- C:\Hakasan.jpg
[2012/04/02 17:35:51 | 000,125,018 | ---- | M] () -- C:\Apr4-politics.jpg
[2012/04/02 17:35:17 | 000,113,338 | ---- | M] () -- C:\Apr4-buffet.jpg
[2012/04/02 17:13:17 | 000,073,019 | ---- | M] () -- C:\apr2-realpranna.jpg
[2012/04/02 01:32:46 | 000,071,027 | ---- | M] () -- C:\Apr-adweek.jpg
[2012/04/01 19:30:13 | 000,042,493 | ---- | M] () -- C:\Apr26-gallery.jpg
[2012/04/01 18:19:16 | 000,080,715 | ---- | M] () -- C:\Apr4-Areunion.jpg
[2012/04/01 18:07:33 | 000,127,806 | ---- | M] () -- C:\2012Bway-prev.jpg
[2012/04/01 18:04:19 | 000,049,489 | ---- | M] () -- C:\Apr6-15-Autoshow.jpg
[2012/04/01 14:25:01 | 000,110,540 | ---- | M] () -- C:\Apr7-Hippop2.jpg
[2012/04/01 14:24:59 | 000,109,724 | ---- | M] () -- C:\Apr7-Hippop1.jpg
[2012/04/01 14:22:59 | 000,117,805 | ---- | M] () -- C:\Hippop2.jpg
[2012/04/01 14:20:24 | 000,123,914 | ---- | M] () -- C:\Apr4-brooklynbohem.jpg
[2012/04/01 14:11:45 | 000,093,824 | ---- | M] () -- C:\Apr14-Escapetravel.jpg
[2012/04/01 14:01:21 | 000,066,299 | ---- | M] () -- C:\Apr13-15-AVaudio.jpg
[2012/04/01 13:40:50 | 000,093,590 | ---- | M] () -- C:\Apr10-PizzaAC2.jpg
[2012/04/01 13:37:55 | 000,093,749 | ---- | M] () -- C:\Apr10-PizzaAC1.jpg
[2012/04/01 13:19:39 | 000,082,706 | ---- | M] () -- C:\Apr1-HermeexpoAC.jpg
[2012/03/31 02:26:51 | 000,023,265 | ---- | M] () -- C:\may11-2012-carbon.jpg
[2012/03/30 00:54:09 | 000,053,394 | ---- | M] () -- C:\mar30-Pinkolive.jpg
[2012/03/29 16:49:26 | 000,064,634 | ---- | M] () -- C:\mar29-coloroutside.jpg
[2012/03/29 16:39:39 | 000,036,968 | ---- | M] () -- C:\Apr5-johnlastcall.jpg
[2012/03/29 16:39:08 | 000,059,903 | ---- | M] () -- C:\mar5-johnlastcall.gif
[2012/03/29 14:57:34 | 000,050,508 | ---- | M] () -- C:\apr19-bootcamp.jpg
[2012/03/29 14:56:43 | 000,030,935 | ---- | M] () -- C:\Apr19-wedding.jpg
[2012/03/29 14:27:15 | 000,149,321 | ---- | M] () -- C:\mar29-carisa.jpg
[2012/03/29 14:06:59 | 000,076,871 | ---- | M] () -- C:\Apr5-lexus-.jpg
[2012/03/29 14:01:30 | 000,031,281 | ---- | M] () -- C:\Apr8-Sword.jpg
[2012/03/29 13:54:21 | 000,052,669 | ---- | M] () -- C:\Apr2-Fooddrink.jpg
[2012/03/29 13:29:33 | 000,034,802 | ---- | M] () -- C:\Mar31-Apr1.jpg
[2012/03/29 13:22:14 | 000,047,131 | ---- | M] () -- C:\Mar-Apr-Flyer.jpg
[2012/03/29 13:18:04 | 000,086,979 | ---- | M] () -- C:\mar29-BAM.jpg
[2012/03/29 12:43:54 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/03/29 12:27:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/29 01:05:43 | 000,244,701 | ---- | M] () -- C:\apr5-lexus.JPG
[2012/03/29 01:05:25 | 000,244,701 | ---- | M] () -- C:\Documents and Settings\Os\Desktop\apr5-lexus.JPG
[2012/03/29 01:04:24 | 000,388,344 | ---- | M] () -- C:\Documents and Settings\Os\Desktop\3909lexus.png
[2012/03/28 19:03:14 | 000,388,344 | ---- | M] () -- C:\Mar5-lexus.jpg
[2012/03/27 16:39:38 | 000,201,599 | ---- | M] () -- C:\mar29-peryotel.jpg
[2012/03/27 16:19:05 | 000,077,525 | ---- | M] () -- C:\mar27-ital.jpg
[2012/03/27 15:59:17 | 000,163,322 | ---- | M] () -- C:\Page1-.jpg
[2012/03/27 15:59:10 | 000,167,083 | ---- | M] () -- C:\Page2-.jpg
[2012/03/27 01:37:49 | 000,077,275 | ---- | M] () -- C:\Mar27-Calimedia.jpg
[2012/03/26 19:15:46 | 000,022,748 | ---- | M] () -- C:\Mar28-newbalance.jpg
[2012/03/25 23:57:26 | 000,049,631 | ---- | M] () -- C:\mar27-postal.jpg
[2012/03/25 23:37:12 | 000,077,680 | ---- | M] () -- C:\Mar28-NYMagwed.jpg
[2012/03/25 23:27:10 | 000,054,248 | ---- | M] () -- C:\Mar28-Jazzmixer.jpg
[2012/03/25 23:15:27 | 000,038,837 | ---- | M] () -- C:\beard-4.jpg
[2012/03/25 23:10:40 | 000,041,679 | ---- | M] () -- C:\beard-3.jpg
[2012/03/25 23:09:05 | 000,025,000 | ---- | M] () -- C:\beard-2.jpg
[2012/03/25 23:06:13 | 000,071,218 | ---- | M] () -- C:\Beard-1.jpg
[2012/03/23 23:18:26 | 000,117,150 | ---- | M] () -- C:\Mar29-31-opengall.jpg
[2012/03/22 12:58:38 | 000,121,605 | ---- | M] () -- C:\mar28-denim.jpg
[2012/03/22 12:52:49 | 000,052,421 | ---- | M] () -- C:\Mar22-zen.jpg
[2012/03/22 01:12:57 | 000,022,848 | ---- | M] () -- C:\o-fpot.jpg
[2012/03/22 00:53:23 | 000,057,073 | ---- | M] () -- C:\mar23-alibi.jpg
[2012/03/21 17:04:55 | 000,157,160 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/16 13:36:13 | 000,127,493 | ---- | C] () -- C:\apr21-22-green2.jpg
[2012/04/16 13:34:07 | 000,127,493 | ---- | C] () -- C:\apr21-22-greentwo.jpg
[2012/04/16 13:34:00 | 000,138,851 | ---- | C] () -- C:\apr21-22-green1.jpg
[2012/04/14 12:08:15 | 000,127,713 | ---- | C] () -- C:\Apr14-15-Kochcomic.jpg
[2012/04/14 12:05:27 | 000,131,961 | ---- | C] () -- C:\apr20-Resonance.jpg
[2012/04/14 11:45:18 | 000,092,303 | ---- | C] () -- C:\apr14-bar.jpg
[2012/04/13 10:42:19 | 000,092,793 | ---- | C] () -- C:\apr14-seams.jpg
[2012/04/12 18:45:42 | 000,073,793 | ---- | C] () -- C:\larrycard2.jpg
[2012/04/12 17:36:32 | 000,088,668 | ---- | C] () -- C:\Apr15-openh.jpg
[2012/04/12 17:36:06 | 000,130,445 | ---- | C] () -- C:\Apr15.png
[2012/04/12 17:32:28 | 000,105,997 | ---- | C] () -- C:\Apr14-chimp1.jpg
[2012/04/12 17:23:09 | 000,121,705 | ---- | C] () -- C:\Apr14-carshowNJ.jpg
[2012/04/11 10:32:25 | 000,072,501 | ---- | C] () -- C:\apr16-turk.jpg
[2012/04/10 22:26:54 | 000,077,000 | ---- | C] () -- C:\Apr11-sherrywines2.jpg
[2012/04/10 22:26:14 | 000,093,887 | ---- | C] () -- C:\Apr11-sherrywines.jpg
[2012/04/10 15:31:13 | 000,136,947 | ---- | C] () -- C:\Apr11-cabin.jpg
[2012/04/09 18:54:06 | 000,216,060 | ---- | C] () -- C:\Apr8-ronwoodgallery2.sJPG
[2012/04/09 18:53:56 | 000,300,643 | ---- | C] () -- C:\Apr8-ronwoodgallery.sJPG
[2012/04/08 18:21:01 | 000,112,255 | ---- | C] () -- C:\Apr12-Metamorph.jpg
[2012/04/08 18:09:58 | 000,036,117 | ---- | C] () -- C:\Apr14-ShirHash.jpg
[2012/04/08 18:09:16 | 000,036,117 | ---- | C] () -- C:\Shir-Hashirim.jpg
[2012/04/08 02:50:33 | 000,035,189 | ---- | C] () -- C:\Bsmith-coupon2011.jpg
[2012/04/07 18:17:33 | 000,272,021 | ---- | C] () -- C:\mar14-havana.jpg
[2012/04/07 13:49:52 | 000,085,541 | ---- | C] () -- C:\Apr13-Sohofest.jpg
[2012/04/06 19:30:19 | 000,161,310 | ---- | C] () -- C:\May8-storyville.jpg
[2012/04/06 19:21:39 | 000,070,938 | ---- | C] () -- C:\Apr12-Alessi.jpg
[2012/04/06 19:00:13 | 000,095,469 | ---- | C] () -- C:\Apr22-bronxhealth.jpg
[2012/04/06 18:59:28 | 000,033,568 | ---- | C] () -- C:\Apr17-cinnabon.jpg
[2012/04/06 18:48:34 | 000,086,715 | ---- | C] () -- C:\apr7-milk.jpg
[2012/04/06 00:06:54 | 000,042,151 | ---- | C] () -- C:\Guessprev.jpg
[2012/04/05 18:43:51 | 000,086,514 | ---- | C] () -- C:\apr12-carnival.jpg
[2012/04/05 18:03:32 | 000,058,127 | ---- | C] () -- C:\apr5-politics.jpg
[2012/04/05 18:00:08 | 000,187,471 | ---- | C] () -- C:\apr5-rica2.png
[2012/04/05 17:59:52 | 000,606,565 | ---- | C] () -- C:\apr5-rica.png
[2012/04/05 15:01:15 | 000,070,833 | ---- | C] () -- C:\Apr5-sluteverparty-westway.jpg
[2012/04/05 14:04:22 | 000,164,911 | ---- | C] () -- C:\apr14-chimpw.jpg
[2012/04/05 14:02:34 | 000,264,396 | ---- | C] () -- C:\apr14-chimp.jpg
[2012/04/05 13:55:41 | 000,096,211 | ---- | C] () -- C:\apr5-hennesy.jpg
[2012/04/05 13:30:21 | 000,192,333 | ---- | C] () -- C:\apr5-korean.jpg
[2012/04/05 11:00:11 | 000,056,964 | ---- | C] () -- C:\Apr7-Women.jpg
[2012/04/04 17:10:21 | 000,082,524 | ---- | C] () -- C:\Apr4-mlbfancave.jpg
[2012/04/04 10:24:54 | 000,116,432 | ---- | C] () -- C:\Zagatcard.jpg
[2012/04/03 14:45:55 | 000,059,372 | ---- | C] () -- C:\Apr4-reunion.jpg
[2012/04/03 14:40:01 | 000,047,633 | ---- | C] () -- C:\simonpp4.jpg
[2012/04/03 00:56:26 | 000,134,463 | ---- | C] () -- C:\Hakasan.jpg
[2012/04/02 17:35:50 | 000,125,018 | ---- | C] () -- C:\Apr4-politics.jpg
[2012/04/02 17:35:17 | 000,113,338 | ---- | C] () -- C:\Apr4-buffet.jpg
[2012/04/02 17:11:26 | 000,073,019 | ---- | C] () -- C:\apr2-realpranna.jpg
[2012/04/02 01:32:45 | 000,071,027 | ---- | C] () -- C:\Apr-adweek.jpg
[2012/04/01 19:30:11 | 000,042,493 | ---- | C] () -- C:\Apr26-gallery.jpg
[2012/04/01 18:19:10 | 000,080,715 | ---- | C] () -- C:\Apr4-Areunion.jpg
[2012/04/01 18:06:07 | 000,127,806 | ---- | C] () -- C:\2012Bway-prev.jpg
[2012/04/01 18:04:18 | 000,049,489 | ---- | C] () -- C:\Apr6-15-Autoshow.jpg
[2012/04/01 14:23:06 | 000,110,540 | ---- | C] () -- C:\Apr7-Hippop2.jpg
[2012/04/01 14:22:58 | 000,117,805 | ---- | C] () -- C:\Hippop2.jpg
[2012/04/01 14:22:34 | 000,109,724 | ---- | C] () -- C:\Apr7-Hippop1.jpg
[2012/04/01 14:18:43 | 000,123,914 | ---- | C] () -- C:\Apr4-brooklynbohem.jpg
[2012/04/01 14:11:44 | 000,093,824 | ---- | C] () -- C:\Apr14-Escapetravel.jpg
[2012/04/01 14:01:20 | 000,066,299 | ---- | C] () -- C:\Apr13-15-AVaudio.jpg
[2012/04/01 13:36:54 | 000,093,590 | ---- | C] () -- C:\Apr10-PizzaAC2.jpg
[2012/04/01 13:36:46 | 000,093,749 | ---- | C] () -- C:\Apr10-PizzaAC1.jpg
[2012/04/01 13:19:36 | 000,082,706 | ---- | C] () -- C:\Apr1-HermeexpoAC.jpg
[2012/03/31 02:26:49 | 000,023,265 | ---- | C] () -- C:\may11-2012-carbon.jpg
[2012/03/30 00:54:06 | 000,053,394 | ---- | C] () -- C:\mar30-Pinkolive.jpg
[2012/03/29 16:49:09 | 000,064,634 | ---- | C] () -- C:\mar29-coloroutside.jpg
[2012/03/29 16:39:39 | 000,036,968 | ---- | C] () -- C:\Apr5-johnlastcall.jpg
[2012/03/29 16:39:08 | 000,059,903 | ---- | C] () -- C:\mar5-johnlastcall.gif
[2012/03/29 14:57:31 | 000,050,508 | ---- | C] () -- C:\apr19-bootcamp.jpg
[2012/03/29 14:56:42 | 000,030,935 | ---- | C] () -- C:\Apr19-wedding.jpg
[2012/03/29 14:19:16 | 000,149,321 | ---- | C] () -- C:\mar29-carisa.jpg
[2012/03/29 14:06:58 | 000,076,871 | ---- | C] () -- C:\Apr5-lexus-.jpg
[2012/03/29 14:01:29 | 000,031,281 | ---- | C] () -- C:\Apr8-Sword.jpg
[2012/03/29 13:54:20 | 000,052,669 | ---- | C] () -- C:\Apr2-Fooddrink.jpg
[2012/03/29 13:29:31 | 000,034,802 | ---- | C] () -- C:\Mar31-Apr1.jpg
[2012/03/29 13:22:13 | 000,047,131 | ---- | C] () -- C:\Mar-Apr-Flyer.jpg
[2012/03/29 13:18:02 | 000,086,979 | ---- | C] () -- C:\mar29-BAM.jpg
[2012/03/29 12:43:54 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/03/29 01:05:43 | 000,244,701 | ---- | C] () -- C:\apr5-lexus.JPG
[2012/03/29 01:05:25 | 000,244,701 | ---- | C] () -- C:\Documents and Settings\Os\Desktop\apr5-lexus.JPG
[2012/03/29 01:04:24 | 000,388,344 | ---- | C] () -- C:\Documents and Settings\Os\Desktop\3909lexus.png
[2012/03/28 19:03:13 | 000,388,344 | ---- | C] () -- C:\Mar5-lexus.jpg
[2012/03/27 16:37:43 | 000,201,599 | ---- | C] () -- C:\mar29-peryotel.jpg
[2012/03/27 16:18:47 | 000,077,525 | ---- | C] () -- C:\mar27-ital.jpg
[2012/03/27 15:59:16 | 000,163,322 | ---- | C] () -- C:\Page1-.jpg
[2012/03/27 15:59:09 | 000,167,083 | ---- | C] () -- C:\Page2-.jpg
[2012/03/27 01:37:24 | 000,077,275 | ---- | C] () -- C:\Mar27-Calimedia.jpg
[2012/03/26 19:14:29 | 000,022,748 | ---- | C] () -- C:\Mar28-newbalance.jpg
[2012/03/25 23:56:00 | 000,049,631 | ---- | C] () -- C:\mar27-postal.jpg
[2012/03/25 23:37:10 | 000,077,680 | ---- | C] () -- C:\Mar28-NYMagwed.jpg
[2012/03/25 23:27:09 | 000,054,248 | ---- | C] () -- C:\Mar28-Jazzmixer.jpg
[2012/03/25 23:15:26 | 000,038,837 | ---- | C] () -- C:\beard-4.jpg
[2012/03/25 23:10:40 | 000,041,679 | ---- | C] () -- C:\beard-3.jpg
[2012/03/25 23:09:05 | 000,025,000 | ---- | C] () -- C:\beard-2.jpg
[2012/03/25 23:06:11 | 000,071,218 | ---- | C] () -- C:\Beard-1.jpg
[2012/03/23 23:18:25 | 000,117,150 | ---- | C] () -- C:\Mar29-31-opengall.jpg
[2012/03/22 12:57:39 | 000,121,605 | ---- | C] () -- C:\mar28-denim.jpg
[2012/03/22 12:52:49 | 000,052,421 | ---- | C] () -- C:\Mar22-zen.jpg
[2012/03/22 01:12:56 | 000,022,848 | ---- | C] () -- C:\o-fpot.jpg
[2012/03/22 00:52:52 | 000,057,073 | ---- | C] () -- C:\mar23-alibi.jpg
[2012/03/03 00:52:43 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/04 13:38:22 | 000,000,023 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2012/02/03 22:18:42 | 000,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2012/01/03 17:18:39 | 000,000,370 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/12/23 22:07:27 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2011/12/07 11:57:04 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/15 22:42:20 | 000,115,369 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2011/07/15 22:42:20 | 000,097,961 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat

========== LOP Check ==========

[2008/05/30 19:03:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2010/01/17 17:56:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2012/03/22 16:44:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2012/01/31 19:53:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro
[2009/12/29 18:11:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OfficeRecovery
[2011/05/24 14:38:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2008/10/15 13:27:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}
[2008/09/05 10:36:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Os\Application Data\aAvgApi
[2008/10/04 15:01:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Os\Application Data\Acoustica
[2009/12/29 18:03:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Os\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/12/05 01:41:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Os\Application Data\mjusbsp
[2010/12/28 15:02:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Os\Application Data\ntr
[2009/12/29 18:12:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Os\Application Data\OfficeRecovery
[2010/09/28 16:36:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Os\Application Data\OpenOffice.org
[2011/05/12 15:30:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Os\Application Data\OrgPlus9
[2009/07/13 13:03:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Os\Application Data\Scalabium
[2012/04/19 16:10:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Os\Application Data\TeamViewer
[2012/01/31 03:33:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2012/01/31 09:33:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2012/01/31 15:33:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2012/01/30 21:33:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2012/01/30 03:33:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2012/01/31 20:55:00 | 000,000,416 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{0BB28F5F-6E80-458F-8B51-086F0450C44C}.job

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >
[2010/01/08 03:06:07 | 091,338,304 | ---- | M] (Lavasoft ) -- C:\Ad-AwareInstallation.exe
[2009/04/20 13:46:52 | 063,752,952 | ---- | M] (AVG Technologies) -- C:\avg_free_stf_en_85_287a1483.exe
[2008/10/15 04:37:55 | 003,514,567 | ---- | M] (Goldzsoft Inc. ) -- C:\avijoiner.exe
[2009/05/06 15:50:34 | 001,277,680 | ---- | M] () -- C:\couponprinter.exe
[2009/04/08 13:48:51 | 005,977,684 | ---- | M] (DVDVideoSoft Limited. ) -- C:\freeyoutubedownload.exe
[2010/01/08 20:29:27 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\HJTInstall.exe
[2011/01/18 12:32:12 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup-1.50.1.1100.exe
[2010/01/08 20:52:06 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\mbam-setup.exe
[2010/10/10 12:52:28 | 000,615,144 | ---- | M] (June Fabrics Technology Inc. ) -- C:\PdaNetW20.exe
[2003/07/04 09:20:00 | 000,229,376 | ---- | M] () -- C:\ReferenceFinder 3.1.exe
[2008/10/08 20:11:00 | 007,647,053 | ---- | M] (EffectMatrix Inc. ) -- C:\tvcnew.exe
[2009/08/31 15:54:29 | 018,015,723 | ---- | M] () -- C:\vlc-1.0.1-win32.exe
[2009/03/24 16:09:15 | 015,484,083 | ---- | M] (NETGEAR ) -- C:\wg311v3_3_1_setup.exe

< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe
[2007/06/13 07:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\i386\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/14 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/14 08:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2012/01/13 15:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2004/08/04 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\i386\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 06:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\i386\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/14 08:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/14 08:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 06:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\i386\winlogon.exe
[2012/01/13 15:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 08:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< C:\Windows\assembly\tmp\U\*.* /s >

< %Temp%\smtmp\1\*.* >

< %Temp%\smtmp\2\*.* >

< %Temp%\smtmp\3\*.* >

< %Temp%\smtmp\4\*.* >

< type c:\diskreport.txt /c >
Microsoft DiskPart version 5.1.3565
Copyright © 1999-2003 Microsoft Corporation.
On computer: D9BH4YF1
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 D DVD-ROM 0 B
Volume 1 C NTFS Partition 149 GB Healthy System

< >

========== Files - Unicode (All) ==========
[2009/12/29 05:05:05 | 000,160,211 | ---- | M] ()(C:\Tu?nPh?m-Saberlord-2008-2009.jpg) -- C:\TuấnPhạm-Saberlord-2008-2009.jpg
[2009/12/29 05:05:01 | 000,160,211 | ---- | C] ()(C:\Tu?nPh?m-Saberlord-2008-2009.jpg) -- C:\TuấnPhạm-Saberlord-2008-2009.jpg

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\WINDOWS\$NtUninstallKB32285$] -> Error: Cannot create file handle -> Unknown point type

< End of report >

___________

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-19 18:22:40
-----------------------------
18:22:40.858 OS Version: Windows 5.1.2600 Service Pack 3
18:22:40.858 Number of processors: 2 586 0xF0D
18:22:40.858 ComputerName: D9BH4YF1 UserName: Os
18:22:41.811 Initialize success
18:24:03.967 AVAST engine defs: 12041901
18:24:31.670 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:24:31.670 Disk 0 Vendor: Intel___ 1.0. Size: 152585MB BusType: 8
18:24:31.686 Disk 0 MBR read successfully
18:24:31.686 Disk 0 MBR scan
18:24:31.733 Disk 0 Windows XP default MBR code
18:24:31.733 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
18:24:31.764 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 152531 MB offset 96390
18:24:31.764 Disk 0 scanning sectors +312480315
18:24:31.858 Disk 0 scanning C:\WINDOWS\system32\drivers
18:24:45.108 Service scanning
18:24:52.873 Service KL1 C:\WINDOWS\system32\DRIVERS\kl1.sys **LOCKED** 5
18:24:52.920 Service kl2 C:\WINDOWS\system32\DRIVERS\kl2.sys **LOCKED** 5
18:24:53.389 Service klim5 C:\WINDOWS\system32\DRIVERS\klim5.sys **LOCKED** 5
18:24:53.451 Service klmouflt C:\WINDOWS\system32\DRIVERS\klmouflt.sys **LOCKED** 5
18:25:03.264 Modules scanning
18:25:11.451 Disk 0 trace - called modules:
18:25:11.467
18:25:12.201 AVAST engine scan C:\WINDOWS
18:25:28.623 AVAST engine scan C:\WINDOWS\system32
18:27:39.404 AVAST engine scan C:\WINDOWS\system32\drivers
18:27:57.764 AVAST engine scan C:\Documents and Settings\Os
18:29:04.014 File: C:\Documents and Settings\Os\Application Data\Sun\Java\Deployment\cache\6.0\2\8a4cec2-66aced2c **INFECTED** Win32:Karagany-EW [Trj]
18:30:37.904 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Os\Desktop\MBR.dat"
18:30:37.904 The log file has been saved successfully to "C:\Documents and Settings\Os\Desktop\aswMBR.txt"

Edited by flakeup, 19 April 2012 - 06:43 PM.


#4
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
What are your problems?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Allow the installation of the recovery console
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

#5
flakeup
    New Member
  • Topic Starter
  • Member
  • 9 posts
Remnants still remain. Rootkit virus found. Combofix rebooted after deletion of a folder. Couldn't reboot itself, had to do it manually.
After main boot into Windows, told Kaspersky let some exe through very fast which has the same behavior as ???.exe; it went fast so I couldn't read it. Then it asked for installations in windows/system32/procexp113.sys (low restriction, download drive files to be installed/run), combofix.exe/catchme.sys and handle.3xe (potential behaviour files). I wasn't sure whether to allow or deny. Then my system locked, so I just shut it down now.

What should I do?? (Was about to post the combofix log but my system froze) What should I do??

#6
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Could you post the combofix log please... Some of those files are related to combofix

#7
flakeup
    New Member
  • Topic Starter
  • Member
  • 9 posts
I'm in safe mode as it froze in regular mode (rootkit was detected in the log attached); I don't think it was fully removed. Posting this from another comp..

Attached Files


Edited by flakeup, 20 April 2012 - 03:17 PM.


#8
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
From within safe mode could you go Start > Run
Type in the following command:

Msconfig

On the first tab ensure that Normal start is selected



Then select the Services tab and click enable all



Now retry booting to normal windows, let me know what occurs

#9
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.