Unknown virus found + Trojan Horse [Solved]



#1
evolutionpill
Member | 127 posts

Hi

It would be much appreciated if you could provide me with some assistance.

Over the past three days I have noticed a number of problems with my PC and it seems to be running 75% slower than normal.

1. My AVG picks up an "Unknown virus win32/dh{way}" every time, in either my E drive or my C drive (I have 4 drives, with C as my operating drive).
2. I keep getting a pop-up window stating "E:? system volume information/..restor (b5315cf0-305-4679......" - not sure what this is.
3. Even when I close my IE and go to look at Windows Task Manager - Processes, iexplore, although closed on the screen, is still running in the task manager and using 300+k memory every time (and that's just when I had one window open). Also there are times when I open one window (no additional tabs), and when I look at Task Manager - Processes there are 3 or 4 iexplore running.
4. As of today I cannot get any pictures when opening websites in IE (I have gone to Internet Options and checked to see that the multimedia function to show pictures is open). A few times I could not access Internet Options - I had to close and reopen IE.

Thank you kindly in advance.

Sean

Below is the OTL text first:

OTL logfile created on: 26/06/2012 20:56:45 - Run 1
OTL by OldTimer - Version 3.2.53.0 Folder = C:\Documents and Settings\sfvb\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

494.42 Mb Total Physical Memory | 106.29 Mb Available Physical Memory | 21.50% Memory free
1.13 Gb Paging File | 0.50 Gb Available in Paging File | 43.95% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 3.83 Gb Free Space | 19.62% Space Free | Partition Type: NTFS
Drive D: | 29.29 Gb Total Space | 2.98 Gb Free Space | 10.17% Space Free | Partition Type: NTFS
Drive E: | 29.29 Gb Total Space | 2.03 Gb Free Space | 6.92% Space Free | Partition Type: NTFS
Drive F: | 33.66 Gb Total Space | 0.86 Gb Free Space | 2.57% Space Free | Partition Type: NTFS

Computer Name: SF2 | User Name: sfvb | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/26 20:54:46 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sfvb\My Documents\Downloads\OTL.exe
PRC - [2012/03/15 09:24:40 | 000,918,880 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
PRC - [2012/03/15 09:23:45 | 000,982,880 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
PRC - [2012/01/24 17:24:26 | 002,416,480 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2011/11/28 01:19:04 | 001,229,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/11/08 16:53:10 | 010,455,296 | ---- | M] () -- C:\Program Files\MpcStar\mpcstar.exe
PRC - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/09/08 20:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/09/03 14:29:58 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/08/15 06:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2010/09/17 04:04:06 | 001,164,584 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/03/14 12:43:38 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
PRC - [2004/09/07 16:08:02 | 000,389,120 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2004/09/07 16:03:40 | 000,245,760 | ---- | M] (Intel) -- C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
PRC - [2004/08/04 20:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/03/15 09:24:40 | 000,918,880 | ---- | M] () -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
MOD - [2012/03/15 09:23:45 | 000,982,880 | ---- | M] () -- C:\Program Files\AVG Secure Search\vprot.exe
MOD - [2011/11/08 16:53:10 | 010,455,296 | ---- | M] () -- C:\Program Files\MpcStar\mpcstar.exe
MOD - [2011/09/03 14:29:56 | 001,846,232 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2010/09/17 04:04:50 | 000,095,528 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2010/09/17 04:04:06 | 001,164,584 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2010/04/18 22:07:06 | 005,603,280 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2010/03/15 11:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2009/03/04 18:38:40 | 000,560,802 | ---- | M] () -- C:\Program Files\MpcStar\Codecs\ffdshow\libmplayer.dll
MOD - [2009/03/04 18:38:38 | 002,625,536 | ---- | M] () -- C:\Program Files\MpcStar\Codecs\ffdshow\ffdshow.ax
MOD - [2009/03/04 18:38:36 | 004,338,246 | ---- | M] () -- C:\Program Files\MpcStar\Codecs\ffdshow\libavcodec.dll
MOD - [2009/03/04 18:38:30 | 000,485,888 | ---- | M] () -- C:\Program Files\MpcStar\Codecs\ffdshow\ff_libfaad2.dll
MOD - [2005/12/31 03:16:02 | 000,077,824 | ---- | M] () -- C:\WINDOWS\system32\xvid.ax
MOD - [2004/09/07 16:03:46 | 000,073,728 | ---- | M] () -- C:\Program Files\Intel\Wireless\Bin\D8021Xps.DLL
MOD - [2004/08/04 20:00:00 | 001,287,680 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2004/08/04 20:00:00 | 000,385,024 | ---- | M] () -- C:\WINDOWS\system32\qdvd.dll
MOD - [2004/08/04 20:00:00 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2004/08/04 20:00:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2004/05/25 22:06:58 | 000,417,792 | ---- | M] () -- C:\WINDOWS\system32\ac3filter.ax


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/03/15 09:24:40 | 000,918,880 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe -- (vToolbarUpdater10.2.0)
SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2004/09/07 16:12:32 | 000,225,353 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 06:21:42 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:28 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:28 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV - [2011/07/11 01:14:26 | 000,134,608 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2011/06/15 20:19:04 | 000,079,260 | ---- | M] (KRFTech) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\windrvr.sys -- (WinDriver)
DRV - [2007/05/21 19:39:48 | 000,100,736 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2004/11/15 15:37:52 | 000,264,440 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2004/10/21 15:56:04 | 003,210,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2004/08/31 08:53:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/08/12 08:44:04 | 000,234,496 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iwca.sys -- (IWCA)
DRV - [2004/05/26 15:18:18 | 000,044,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2004/05/21 14:18:56 | 000,067,072 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm.sys -- (tifm)
DRV - [2003/11/13 18:21:16 | 000,197,120 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2003/11/13 18:18:36 | 000,679,808 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/13 18:17:00 | 001,042,816 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search...p={searchTerms}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...=en&source=iglk
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...1I7ADFA_enCN370
IE - HKCU\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.co...e}&iy=&ychte=us
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Baidu Search"
FF - prefs.js..browser.search.selectedEngine: "Baidu Search"
FF - prefs.js..browser.startup.homepage: "http://www.google.co...rce=gapg&hl=en"
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:10.0.0.1209
FF - prefs.js..extensions.enabledItems: [email protected]:6.010.023.001
FF - prefs.js..keyword.URL: "http://isearch.avg.c...8:24&sap=ku&q="
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@baidu.com/npxbdyy: C:\Program Files\Baidu\BaiduPlayer\1.14.0.69\npxbdyy.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@pptv.com/plugin: C:\Program Files\Internet Explorer\PPLite\plugin\npplugin2.dll (PPLive Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.709: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.709: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.709: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/14 12:45:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AutocompletePro\[email protected]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/02/07 11:49:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Documents and Settings\All Users\Application Data\AVG Secure Search\10.2.0.3\ [2012/03/15 09:26:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/03 14:29:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/29 11:17:55 | 000,000,000 | ---D | M]

[2010/04/07 13:40:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\sfvb\Application Data\Mozilla\Extensions
[2012/06/26 14:20:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\sfvb\Application Data\Mozilla\Firefox\Profiles\cuqo6fdj.default\extensions
[2012/06/26 14:20:50 | 000,000,000 | ---D | M] (BitTorrentBar Community Toolbar) -- C:\Documents and Settings\sfvb\Application Data\Mozilla\Firefox\Profiles\cuqo6fdj.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
[2012/04/30 22:12:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/04/30 22:12:14 | 000,000,000 | ---D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2010/06/04 10:15:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/19 16:25:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2012/03/15 09:26:22 | 000,000,000 | ---D | M] (AVG Security Toolbar) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AVG SECURE SEARCH\10.2.0.3
[2011/04/29 01:51:41 | 000,191,192 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\SFVB\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CUQO6FDJ.DEFAULT\EXTENSIONS\[email protected]
[2012/02/07 11:49:15 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX4
[2010/06/04 10:14:46 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/09/03 14:29:58 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 16:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/03/15 09:23:38 | 000,003,766 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2010/01/01 16:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 16:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2010/01/01 16:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2010/01/01 16:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2004/08/04 20:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll ()
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [kwmusic] "C:\Program Files\KWMUSIC\Kwmusic.exe" /autorun File not found
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O4 - HKCU..\Run: [BaiduMEDIA] C:\Program Files\Baidu\BaiduPlayer\1.14.0.69\Baiduplayer.exe (Baidu Inc.)
O4 - HKCU..\Run: [Funshion] C:\Program Files\Funshion Online\Funshion\funshion.exe (Funshion Online Technologies Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} https://site.cmbchin...oad/CMBEdit.cab (Edit Class)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.micr...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {9701758C-4373-482E-B13C-776C048EC890} http://xmp.down.sand...ankanPlayer.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 114.64.255.146 219.141.136.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E21A50FD-326F-46B7-90B0-CED202A1549F}: DhcpNameServer = 114.64.255.146 219.141.136.10
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\sfvb\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\sfvb\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/12 23:15:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/03/13 13:44:31 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/03/13 13:44:31 | 000,000,000 | RHSD | M] - E:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/03/13 13:44:31 | 000,000,000 | RHSD | M] - F:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
O33 - MountPoints2\{757188a1-9e6f-11df-9116-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{757188a1-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{757188a1-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
O33 - MountPoints2\{b7784020-9bff-11df-9115-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{b7784020-9bff-11df-9115-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7784020-9bff-11df-9115-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
O33 - MountPoints2\{b7784021-9bff-11df-9115-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{b7784021-9bff-11df-9115-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7784021-9bff-11df-9115-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/17 10:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Kingsoft
[2010/12/02 15:54:40 | 043,658,352 | ---- | C] (DivX, Inc.) -- C:\Program Files\DivXInstaller.exe
[2010/12/02 15:12:11 | 011,873,890 | ---- | C] (Audacity Team ) -- C:\Program Files\audacity-win-unicode-1.3.12.exe
[2010/06/21 10:04:29 | 000,092,064 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmmdm.sys
[2010/06/21 10:04:29 | 000,079,328 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmserd.sys
[2010/06/21 10:04:29 | 000,066,656 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmbus.sys
[2010/06/21 10:04:29 | 000,009,232 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmmdfl.sys
[2010/06/21 10:04:29 | 000,006,208 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmcmnt.sys
[2010/06/21 10:04:29 | 000,005,936 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmwhnt.sys
[2010/06/21 10:04:29 | 000,004,048 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmcr.sys
[2010/06/21 10:04:28 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\sfvb\usbsermptxp.sys
[2010/06/21 10:04:28 | 000,022,768 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\sfvb\usbsermpt.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/26 21:02:03 | 000,000,368 | ---- | M] () -- C:\WINDOWS\tasks\WpsUpdateTask_sfvb.job
[2012/06/26 20:43:24 | 000,004,089 | ---- | M] () -- C:\Documents and Settings\sfvb\funshion.ini
[2012/06/26 20:28:03 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/26 19:55:17 | 000,000,138 | ---- | M] () -- C:\WINDOWS\vsfilter.INI
[2012/06/26 19:23:07 | 000,000,911 | ---- | M] () -- C:\Documents and Settings\sfvb\Application Data\coreavc.ini
[2012/06/26 17:43:03 | 100,725,600 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/06/26 15:17:27 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\sfvb\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2012/06/26 12:55:21 | 000,007,168 | ---- | M] () -- C:\Documents and Settings\sfvb\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/06/26 12:38:11 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-790525478-1677128483-1343024091-1003.job
[2012/06/26 12:38:09 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-790525478-1677128483-1343024091-1003.job
[2012/06/26 12:17:28 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/26 12:17:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/25 09:27:17 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/23 18:17:35 | 000,166,136 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/06/22 13:28:30 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/06/21 11:09:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/06/17 17:26:49 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/06/11 16:56:39 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\sfvb\Desktop\Microsoft Office Word 2003.lnk
[2012/05/30 13:34:31 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\sfvb\Desktop\Shortcut to Recycle Bin.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/30 13:34:31 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\sfvb\Desktop\Shortcut to Recycle Bin.lnk
[2012/05/17 16:26:37 | 000,000,305 | ---- | C] () -- C:\WINDOWS\System32\bdsecushr.dat
[2012/05/16 20:54:54 | 000,000,138 | ---- | C] () -- C:\WINDOWS\vsfilter.INI
[2012/04/28 15:04:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\psnetwork.ini
[2012/01/07 03:03:10 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\sfvb\Local Settings\Application Data\WebpageIcons.db
[2012/01/06 23:40:07 | 000,103,784 | ---- | C] () -- C:\Documents and Settings\sfvb\GoToAssistDownloadHelper.exe
[2011/12/30 11:34:24 | 000,000,911 | ---- | C] () -- C:\Documents and Settings\sfvb\Application Data\coreavc.ini
[2011/06/15 20:18:44 | 000,112,128 | ---- | C] () -- C:\WINDOWS\System32\drvinst.exe
[2011/06/15 20:18:19 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\nmocod.dll
[2011/02/27 16:32:18 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\sfvb\Local Settings\Application Data\prvlcl.dat
[2010/11/09 17:05:50 | 000,004,089 | ---- | C] () -- C:\Documents and Settings\sfvb\funshion.ini
[2010/11/09 17:05:50 | 000,001,081 | ---- | C] () -- C:\WINDOWS\System32\funshion.ini
[2010/07/16 03:32:29 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\sfvb\Local Settings\Application Data\fusioncache.dat
[2010/07/16 03:21:29 | 000,000,157 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2010/07/16 03:20:42 | 000,000,840 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2010/07/16 03:16:07 | 000,128,786 | ---- | C] () -- C:\WINDOWS\hppins02.dat
[2010/07/16 03:16:06 | 000,001,883 | ---- | C] () -- C:\WINDOWS\hppmdl02.dat
[2010/07/09 01:31:49 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/21 10:18:53 | 000,016,002 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem20.PNF
[2010/06/21 10:18:53 | 000,015,682 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem17.PNF
[2010/06/21 10:18:53 | 000,012,420 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem16.PNF
[2010/06/21 10:18:53 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem20.inf
[2010/06/21 10:18:53 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem17.inf
[2010/06/21 10:18:53 | 000,007,754 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem18.PNF
[2010/06/21 10:18:53 | 000,007,314 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem19.PNF
[2010/06/21 10:18:53 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem18.inf
[2010/06/21 10:18:53 | 000,005,960 | ---- | C] () -- C:\Documents and Settings\sfvb\1277086733-(null)
[2010/06/21 10:18:53 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem19.inf
[2010/06/21 10:18:52 | 000,014,334 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem13.PNF
[2010/06/21 10:18:52 | 000,012,828 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem14.PNF
[2010/06/21 10:18:52 | 000,012,794 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem15.PNF
[2010/06/21 10:18:52 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\sfvb\1277086732-(null)
[2010/06/21 10:18:52 | 000,006,141 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem15.inf
[2010/06/21 10:18:52 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem14.inf
[2010/06/21 10:04:29 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\sfvb\MCCI_MDM.INF
[2010/06/21 10:04:29 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\sfvb\USB_MOT_BRIT.INF
[2010/06/21 10:04:29 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\sfvb\MCCI_BUS.INF
[2010/06/21 10:04:29 | 000,006,141 | ---- | C] () -- C:\Documents and Settings\sfvb\USBMOT2000XP.INF
[2010/06/21 10:04:29 | 000,005,960 | ---- | C] () -- C:\Documents and Settings\sfvb\USB_MOT_A1000.INF
[2010/06/21 10:04:29 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\sfvb\MCCI_SDM.INF
[2010/06/21 10:04:28 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\sfvb\USBMOT2000.INF
[2010/06/21 10:04:28 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\sfvb\USB_CMCS_2000.INF
[2010/03/25 20:17:11 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\sfvb\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/14 16:26:19 | 000,000,406 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== LOP Check ==========

[2012/03/15 09:26:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Secure Search
[2012/06/25 19:10:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2012/01/07 01:13:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2012/05/16 20:53:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Baidu
[2012/06/26 12:56:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2011/08/02 15:03:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2012/01/06 23:50:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2010/12/11 12:48:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/02/02 18:33:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Jlcm
[2012/04/24 14:10:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kingsoft
[2012/04/29 10:26:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kuwo
[2012/06/26 17:44:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/07/30 03:12:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2012/02/07 10:34:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PPLive
[2011/04/04 18:01:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/21 18:21:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/10/17 19:21:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\AnvSoft
[2010/12/02 16:32:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\Audacity
[2012/02/07 11:48:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\AVG Secure Search
[2012/02/07 11:56:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\AVG2012
[2012/05/16 20:53:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\Baidu
[2012/06/24 00:24:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\BitComet
[2012/01/07 01:14:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\BitTorrent(2)
[2011/08/01 19:01:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2012/06/08 09:19:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\CometPlayer
[2010/12/03 21:06:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\Free Audio Editor
[2010/10/17 20:47:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\iJoysoft
[2010/12/03 21:05:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\Import Audio from Video
[2012/04/24 14:12:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\Kingsoft
[2010/03/14 20:41:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\Leadertech
[2012/02/02 18:42:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\PPLive
[2012/04/29 10:17:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\PPStream
[2011/12/18 10:50:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\PriceGong
[2012/04/08 15:50:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\tigerplayer
[2011/10/25 00:14:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sfvb\Application Data\Voipwise
[2012/06/26 21:02:03 | 000,000,368 | ---- | M] () -- C:\WINDOWS\Tasks\WpsUpdateTask_sfvb.job

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2012/04/24 14:13:23 | 000,000,981 | ---- | M] ()(C:\Documents and Settings\All Users\Desktop\WPS??.lnk) -- C:\Documents and Settings\All Users\Desktop\WPS演示.lnk
[2012/04/24 14:13:23 | 000,000,981 | ---- | M] ()(C:\Documents and Settings\All Users\Desktop\WPS??.lnk) -- C:\Documents and Settings\All Users\Desktop\WPS文字.lnk
[2012/04/24 14:13:23 | 000,000,981 | ---- | C] ()(C:\Documents and Settings\All Users\Desktop\WPS??.lnk) -- C:\Documents and Settings\All Users\Desktop\WPS演示.lnk
[2012/04/24 14:13:23 | 000,000,966 | ---- | M] ()(C:\Documents and Settings\All Users\Desktop\WPS??.lnk) -- C:\Documents and Settings\All Users\Desktop\WPS表格.lnk
[2012/04/24 14:13:23 | 000,000,966 | ---- | C] ()(C:\Documents and Settings\All Users\Desktop\WPS??.lnk) -- C:\Documents and Settings\All Users\Desktop\WPS表格.lnk
[2012/04/24 14:13:22 | 000,000,981 | ---- | C] ()(C:\Documents and Settings\All Users\Desktop\WPS??.lnk) -- C:\Documents and Settings\All Users\Desktop\WPS文字.lnk
(C:\Documents and Settings\All Users\Start Menu\Programs\WPS Office ???) -- C:\Documents and Settings\All Users\Start Menu\Programs\WPS Office 个人版

========== Alternate Data Streams ==========

@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >

OTL EXTRA

OTL Extras logfile created on: 26/06/2012 20:56:45 - Run 1
OTL by OldTimer - Version 3.2.53.0 Folder = C:\Documents and Settings\sfvb\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

494.42 Mb Total Physical Memory | 106.29 Mb Available Physical Memory | 21.50% Memory free
1.13 Gb Paging File | 0.50 Gb Available in Paging File | 43.95% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 3.83 Gb Free Space | 19.62% Space Free | Partition Type: NTFS
Drive D: | 29.29 Gb Total Space | 2.98 Gb Free Space | 10.17% Space Free | Partition Type: NTFS
Drive E: | 29.29 Gb Total Space | 2.03 Gb Free Space | 6.92% Space Free | Partition Type: NTFS
Drive F: | 33.66 Gb Total Space | 0.86 Gb Free Space | 2.57% Space Free | Partition Type: NTFS

Computer Name: SF2 | User Name: sfvb | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [kwopen] -- "C:\Program Files\KWMUSIC\KwMusic.exe" \dir "%1"
Directory [kwplaylist] -- "C:\Program Files\KWMUSIC\KwMusic.exe" \dirlist "%1"
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"27699:TCP" = 27699:TCP:*:Enabled:BitComet 27699 TCP
"27699:UDP" = 27699:UDP:*:Enabled:BitComet 27699 UDP
"65432:TCP" = 65432:TCP:*:Enabled:BitComet 65432 TCP
"65432:UDP" = 65432:UDP:*:Enabled:BitComet 65432 UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Simple Port Tester\spt.exe" = C:\Program Files\Simple Port Tester\spt.exe:*:Enabled:Simple Port Tester -- (PcWinTech.com)
"C:\Documents and Settings\sfvb\Desktop\detect_routers\detect_routers.exe" = C:\Documents and Settings\sfvb\Desktop\detect_routers\detect_routers.exe:*:Enabled:Detect Multiple Routers

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth
"C:\Program Files\Funshion Online\Funshion\FunshionUpgrade.exe" = C:\Program Files\Funshion Online\Funshion\FunshionUpgrade.exe:*:Enabled:FunshionUpgrade -- (Funshion Online Technologies Ltd.)
"C:\Program Files\Funshion Online\Funshion\FunshionService.exe" = C:\Program Files\Funshion Online\Funshion\FunshionService.exe:*:Enabled:Funshion Network Transport Service -- (Funshion Online Technologies Ltd.)
"C:\Documents and Settings\sfvb\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" = C:\Documents and Settings\sfvb\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player -- (Octoshape ApS)
"G:\setup\HPNTWKEXE.EXE" = G:\setup\HPNTWKEXE.EXE:*:Disabled:hpntwkexe.exe
"G:\setup\hppniprint01.exe" = G:\setup\hppniprint01.exe:*:Disabled:hppniprint01.exe
"F:\game\Microsoft Age of Empires - Rise of Rome\AOE\EMPIRESX.EXE" = F:\game\Microsoft Age of Empires - Rise of Rome\AOE\EMPIRESX.EXE:*:Disabled:Age of Empires, the Rise of Rome
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Disabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe" = C:\Program Files\Voipwise.com\Voipwise\Voipwise.exe:*:Enabled:Voipwise -- (Voipwise)
"C:\Documents and Settings\sfvb\Desktop\BitTorrent-7.6.exe" = C:\Documents and Settings\sfvb\Desktop\BitTorrent-7.6.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Simple Port Tester\spt.exe" = C:\Program Files\Simple Port Tester\spt.exe:*:Enabled:Simple Port Tester -- (PcWinTech.com)
"C:\Documents and Settings\sfvb\Desktop\detect_routers\detect_routers.exe" = C:\Documents and Settings\sfvb\Desktop\detect_routers\detect_routers.exe:*:Enabled:Detect Multiple Routers
"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet.exe -- (www.BitComet.com)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Disabled:AVG Installer
"C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe" = C:\Program Files\Common Files\PPLiveNetwork\PPAP.exe:*:Enabled:PPTV????
"C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)
"F:\game\Microsoft Age of Empires - Rise of Rome\AOE\Empires.exe" = F:\game\Microsoft Age of Empires - Rise of Rome\AOE\Empires.exe:*:Disabled:Age of Empires
"C:\Program Files\KWMUSIC\bin\KwMusic.exe" = C:\Program Files\KWMUSIC\bin\KwMusic.exe:*:Enabled:ֺ
"C:\Program Files\KWMUSIC\bin\KwMV.exe" = C:\Program Files\KWMUSIC\bin\KwMV.exe:*:Enabled:MV
"F:\2010backup\AOE\AOE\Empires.exe" = F:\2010backup\AOE\AOE\Empires.exe:*:Disabled:Age of Empires -- (Microsoft Corporation)
"C:\Program Files\Baidu\BaiduPlayer\1.14.0.70\BaiduP2PService.exe" = C:\Program Files\Baidu\BaiduPlayer\1.14.0.70\BaiduP2PService.exe:*:Enabled:BaiduP2PService.exe
"C:\Program Files\Baidu\BaiduPlayer\1.14.0.70\StatReport.exe" = C:\Program Files\Baidu\BaiduPlayer\1.14.0.70\StatReport.exe:*:Enabled:StatReport.exe
"C:\Program Files\Baidu\BaiduPlayer\1.14.0.70\BaiduPlayer.exe" = C:\Program Files\Baidu\BaiduPlayer\1.14.0.70\BaiduPlayer.exe:*:Enabled:BaiduPlayer.exe
"C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\bdupdate.exe" = C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\bdupdate.exe:*:Enabled:???????? -- (Baidu.com, Inc.)
"C:\Program Files\Baidu\BaiduPlayer\1.14.0.69\BaiduP2PService.exe" = C:\Program Files\Baidu\BaiduPlayer\1.14.0.69\BaiduP2PService.exe:*:Enabled:BaiduP2PService.exe -- (Baidu.com, Inc.)
"C:\Program Files\Baidu\BaiduPlayer\1.14.0.69\StatReport.exe" = C:\Program Files\Baidu\BaiduPlayer\1.14.0.69\StatReport.exe:*:Enabled:StatReport.exe -- (Baidu.com, Inc.)
"C:\Program Files\Baidu\BaiduPlayer\1.14.0.69\BaiduPlayer.exe" = C:\Program Files\Baidu\BaiduPlayer\1.14.0.69\BaiduPlayer.exe:*:Enabled:BaiduPlayer.exe -- (Baidu Inc.)
"C:\Documents and Settings\sfvb\Local Settings\Temporary Internet Files\Content.IE5\YPN95GSU\QvodSetup5[1].exe" = C:\Documents and Settings\sfvb\Local Settings\Temporary Internet Files\Content.IE5\YPN95GSU\QvodSetup5[1].exe:*:Enabled:QVOD


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0D6E543B-97E8-41F2-B0DE-61BDB87601CE}" = Motorola Phone Tools
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 22
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4EFC72DA-2314-4E5D-AC8E-1C954CDB8BBF}" = AVG 2012
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.9
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D12EC75-E7D3-4EAD-AB10-E1F3AFF94AA6}" = AVG 2012
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{6F30B469-5ED7-4734-8252-B9BC962A2AB3}" = PCIxx20
"{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}" = mIWCA
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype 5.5
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio module
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{AC76BA86-7AD7-2447-0000-900000000003}" = Chinese Simplified Fonts Support For Adobe Reader 9
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Click to Call with Skype
"{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}" = Motorola Phone Tools
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}" = mToolkit
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CFA76A76-03CF-43AC-AAB4-E2E3DACE4E02}" = Vodafone Mobile Connect Lite Runtime Components
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{D900E12F-DC9F-437B-8E63-5E8D781A06B5}" = Windows Live Messenger
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0F4DAC1-60DC-4D01-8BD9-DB8DA05A8A0F}" = 32 Bit HP BiDi Channel Components Installer
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Acoustica Effects Pack" = Acoustica Effects Pack
"Acoustica Mixcraft" = Acoustica Mixcraft
"Acoustica MP3 Audio Mixer" = Acoustica MP3 Audio Mixer
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Any Video Converter_is1" = Any Video Converter 3.0.7
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.12 (Unicode)
"AVG" = AVG 2012
"BaiduPlayer" = BaiduPlayer1.14.0.69
"BitComet" = BitComet 1.30
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D480 MDC V.9x Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Cool's_Codec_pack_4.12" = Codec Pack - All In 1 6.0.3.0
"DivX Setup.divx.com" = DivX Setup
"Funshion" = Funshion
"ie8" = Windows Internet Explorer 8
"iJoysoft MKV Converter" = iJoysoft MKV Converter
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"InstallShield_{6F30B469-5ED7-4734-8252-B9BC962A2AB3}" = Texas Instruments PCIxx20 drivers.
"Kingsoft Office" = WPS Office ˰ (8.1.0.2998)
"Mozilla Firefox 6.0.1 (x86 en-GB)" = Mozilla Firefox 6.0.1 (x86 en-GB)
"MpcStar" = MpcStar 5.4
"MSNINST" = MSN
"NingPo MahJong Deluxe 1.04" = NingPo MahJong Deluxe 1.04
"ProInst" = Intel® PROSet/Wireless Software
"RealAlt_is1" = Real Alternative 2.0.2
"RealPlayer 12.0" = RealPlayer
"Simple Port Tester2.1.5" = Simple Port Tester
"Thomas Applications" = Thomas Applications
"Thomas Key" = Thomas Key
"Tunnelier" = Bitvise Tunnelier 4.40 (remove only)
"Voipwise_is1" = Voipwise
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 06/02/2012 05:47:53 | Computer Name = SF2 | Source = Application Error | ID = 1000
Description = Faulting application voipwise.exe, version 4.8.645.0, faulting module
voipwise.exe, version 4.8.645.0, fault address 0x006e04e1.

Error - 08/02/2012 10:26:55 | Computer Name = SF2 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.5604.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/02/2012 10:26:57 | Computer Name = SF2 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.5604.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/02/2012 21:36:19 | Computer Name = SF2 | Source = Application Error | ID = 1000
Description = Faulting application voipwise.exe, version 4.8.645.0, faulting module
voipwise.exe, version 4.8.645.0, fault address 0x006e04e1.

Error - 10/02/2012 07:27:42 | Computer Name = SF2 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.5604.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 13/02/2012 06:24:30 | Computer Name = SF2 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module shlwapi.dll, version 6.0.2900.2995, fault address 0x00006f74.

Error - 14/02/2012 11:57:57 | Computer Name = SF2 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.5604.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 14/02/2012 11:57:59 | Computer Name = SF2 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.5604.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 16/02/2012 06:46:33 | Computer Name = SF2 | Source = Application Error | ID = 1000
Description = Faulting application voipwise.exe, version 4.8.645.0, faulting module
voipwise.exe, version 4.8.645.0, fault address 0x006e04e1.

Error - 17/02/2012 02:31:09 | Computer Name = SF2 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.18702, fault address 0x000b95c9.

[ System Events ]
Error - 25/06/2012 05:20:28 | Computer Name = SF2 | Source = Print | ID = 23
Description = Printer HP LaserJet 3050 Series PCL 6 failed to initialize because
a suitable HP LaserJet 3050 Series PCL 6 driver could not be found.

Error - 25/06/2012 05:20:28 | Computer Name = SF2 | Source = Print | ID = 23
Description = Printer Microsoft Office Document Image Writer failed to initialize
because a suitable Microsoft Office Document Image Writer Driver driver could not
be found.

Error - 25/06/2012 07:09:58 | Computer Name = SF2 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 25/06/2012 07:11:47 | Computer Name = SF2 | Source = Print | ID = 23
Description = Printer HP LaserJet 3050 Series PCL 6 failed to initialize because
a suitable HP LaserJet 3050 Series PCL 6 driver could not be found.

Error - 25/06/2012 07:11:47 | Computer Name = SF2 | Source = Print | ID = 23
Description = Printer Microsoft Office Document Image Writer failed to initialize
because a suitable Microsoft Office Document Image Writer Driver driver could not
be found.

Error - 25/06/2012 19:57:50 | Computer Name = SF2 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.100 for the Network Card with network
address 0013CE38B6E1 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 25/06/2012 19:59:09 | Computer Name = SF2 | Source = Print | ID = 23
Description = Printer HP LaserJet 3050 Series PCL 6 failed to initialize because
a suitable HP LaserJet 3050 Series PCL 6 driver could not be found.

Error - 25/06/2012 19:59:09 | Computer Name = SF2 | Source = Print | ID = 23
Description = Printer Microsoft Office Document Image Writer failed to initialize
because a suitable Microsoft Office Document Image Writer Driver driver could not
be found.

Error - 26/06/2012 00:18:06 | Computer Name = SF2 | Source = Print | ID = 23
Description = Printer HP LaserJet 3050 Series PCL 6 failed to initialize because
a suitable HP LaserJet 3050 Series PCL 6 driver could not be found.

Error - 26/06/2012 00:18:06 | Computer Name = SF2 | Source = Print | ID = 23
Description = Printer Microsoft Office Document Image Writer failed to initialize
because a suitable Microsoft Office Document Image Writer Driver driver could not
be found.


< End of report >
#2
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi and welcome back Geeks to Go. :)

If you are not aware, support for Windows XP Service Pack Two expired nearly a year ago now:

Support for Windows XP with Service Pack 2 (SP2) ended on July 13, 2010. To continue support, make sure you've installed Windows XP Service Pack 3 (SP3).

Source.

My friendly advice would be this: because your machine has been without the aforementioned Service Pack for quite some time, and consequently without the appropriate critical updates, it is considered a security risk all told, and it is no wonder your machine is infected now, unfortunately.

Therefore, your best and safest course of action is a reformat and reinstallation of the Windows Operating System, and that is the course I strongly recommend.

Note: Do not attempt to install XP SP3 on this machine yourself now; because of the infections present, it will in all probability exacerbate the current situation, and there is even the distinct chance your machine is left inoperable.

Next:

I can attempt to clean this machine (anything I try may not be successful), but I can't guarantee that it will be at all secure afterwards, even once I deem it safe to try and actually install Windows XP Service Pack Three.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.
  • 0

#3
evolutionpill

evolutionpill

    Member

  • Topic Starter
  • Member
  • 127 posts
Hi Dakeyras

Thank you for your advice and input.

Sorry, afraid I had no idea about the service packs (not even sure what that is - been using the same CD I got since I bought the PC).

I am currently in China but will be heading home in the next two weeks, so I can get the new stuff in English and get some pros to help me with the reformatting and installation and make sure everything is updated, but in the meantime is there anything we can do to try to make the PC a little more operable until then, and without it being a waste of your time (I understand what you said, that it may not help).

thanks so much
sean
  • 0

#4
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi. :)

Thank you for your advice and input.

You're welcome!

Sorry, afraid I had no idea about the service packs (not even sure what that is - been using the same CD I got since I bought the PC).

OK fair play, this article explains what a service pack is/used for etc.

I am currently in China but will be heading home in the next two weeks, so I can get the new stuff in English and get some pros to help me with the reformatting and installation and make sure everything is updated, but in the meantime is there anything we can do to try to make the PC a little more operable until then, and without it being a waste of your time (I understand what you said, that it may not help).

I am perfectly willing to try and assist you, so let's see what can be done, shall we. Please take note of the below:

  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Hard-Drive Free Space Advice:

A Hard-Drive requires a bare minimum of 15% available free space to be able to function correctly, but at least 25% is better in my humble opinion.

Now the actual free-space in the C drive which has the Operating System on:-

Drive C: | 19.53 Gb Total Space | 3.83 Gb Free Space | 19.62% Space Free | Partition Type: NTFS

That is not too bad at all, but if you could create a bit extra that would be of benefit for when we attempt to install XP SP3.

The other drives are considered dangerously low though:-

Drive D: | 29.29 Gb Total Space | 2.98 Gb Free Space | 10.17% Space Free | Partition Type: NTFS
Drive E: | 29.29 Gb Total Space | 2.03 Gb Free Space | 6.92% Space Free | Partition Type: NTFS
Drive F: | 33.66 Gb Total Space | 0.86 Gb Free Space | 2.57% Space Free | Partition Type: NTFS

So my friendly advice would be to create some free space on the above as soon as possible, as otherwise they may cease to function correctly at all, and/or any form of system maintenance on them will prove to be problematic at best.

Try your best to address the above before proceeding to the below please...

Peer to Peer Advice:

I see BitComet is installed...If you have used this recently, you can be fairly confident this is also one of the principal reasons your computer is infected.

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Limewire, Vuze.
Criminals have "planted" thousands upon thousands of infections in the "free" shared files.
Virtually all of these recent infections will compromise your Security, and some can turn your machine into a useless "doorstop".

My advice would be to uninstall the aforementioned. However if you opt not to please refrain from using it for the duration of the malware removal process, thank you.

Next:

Out of date Adobe and Java installations pose a security risk. They can be used by malware as a means to infect a computer and/or re-infect it. We will address both in due course.

Note: advised optional uninstallations are highlighted in red.

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Adobe Reader 9.4.1
Java™ 6 Update 22
Funshion <--Both the software and site associated have the potential to install malware.
iJoysoft MKV Converter <-- As above.

To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Right-click on erunt-setup.exe and select Run as Administrator to Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Reset SP2 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK
firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> select On(recommended) >> OK.

Scan with aswMBR:

Please download aswMBR.exe to your desktop.

  • Double-click on aswMBR.exe to run it
  • When prompted with The application can use the Avast! Free Antivirus for scanning >> select No
  • Now click on the Scan button to start scan
  • On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply
Note: There will also be a file on your desktop named MBR.dat (or similar); do not delete this for now, it is an actual backup of the MBR (master boot record).

Re-scan with OTL:

Please move OTL to the desktop, it is currently residing here:-

C:\Documents and Settings\sfvb\My Documents\Downloads\OTL.exe

Then double click on OTL.exe to start the application.

  • Ensure both Scan All Users and Minimal Output are selected
  • Under the Custom Scans/Fixes box cut & paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CreateRestorePoint


  • Then click on Run Scan
Note: Only one log will be created this time and that is all I need to review for the time being.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • aswMBR Log.
  • New OTL Log.

  • 0
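The free-space advice above states two thresholds (15% minimum, 25% preferred) and applies them by eye to the "Drive X:" lines of the OTL log. The script below is an added example, not part of this thread or of OTL itself: it parses those lines from the log text, classifies each drive against the same two thresholds, and works out how much space would have to be freed to reach the 25% target. The sample input is the four drive lines quoted in the post; the field names and the threshold constants are my own.

```python
import re

# Sample input: the four "Drive X:" lines quoted from the OTL log in this
# thread, reused here as test data.
OTL_DRIVE_LINES = """\
Drive C: | 19.53 Gb Total Space | 3.83 Gb Free Space | 19.62% Space Free | Partition Type: NTFS
Drive D: | 29.29 Gb Total Space | 2.98 Gb Free Space | 10.17% Space Free | Partition Type: NTFS
Drive E: | 29.29 Gb Total Space | 2.03 Gb Free Space | 6.92% Space Free | Partition Type: NTFS
Drive F: | 33.66 Gb Total Space | 0.86 Gb Free Space | 2.57% Space Free | Partition Type: NTFS
"""

# Thresholds as stated in the post: under 15% is "dangerously low",
# 25% is the comfortable target (constant names are mine).
MINIMUM_FREE_PCT = 15.0
TARGET_FREE_PCT = 25.0

# One OTL drive line: letter, total GB, free GB, percent free, filesystem.
DRIVE_RE = re.compile(
    r"^Drive (?P<letter>[A-Z]): \| (?P<total>[\d.]+) Gb Total Space \| "
    r"(?P<free>[\d.]+) Gb Free Space \| (?P<pct>[\d.]+)% Space Free \| "
    r"Partition Type: (?P<fs>\S+)$"
)


def parse_drives(text):
    """Return one dict per 'Drive X:' line found in an OTL log excerpt."""
    drives = []
    for line in text.splitlines():
        m = DRIVE_RE.match(line.strip())
        if not m:
            continue  # any other OTL line is ignored
        drives.append({
            "letter": m.group("letter"),
            "total_gb": float(m.group("total")),
            "free_gb": float(m.group("free")),
            "pct_free": float(m.group("pct")),
            "fs": m.group("fs"),
        })
    return drives


def classify(drive):
    """Map a drive's free-space percentage onto the post's two thresholds."""
    if drive["pct_free"] < MINIMUM_FREE_PCT:
        return "dangerously low"
    if drive["pct_free"] < TARGET_FREE_PCT:
        return "below target"
    return "ok"


def gb_to_free(drive, target_pct=TARGET_FREE_PCT):
    """GB that must be freed to reach target_pct free (0.0 if already there)."""
    needed_free = drive["total_gb"] * target_pct / 100.0
    return max(0.0, needed_free - drive["free_gb"])


def triage(text):
    """(letter, classification, GB still to free) for every drive in text."""
    return [(d["letter"], classify(d), gb_to_free(d)) for d in parse_drives(text)]


if __name__ == "__main__":
    for letter, status, shortfall in triage(OTL_DRIVE_LINES):
        print(f"Drive {letter}: {status:16s} free {shortfall:5.2f} GB more to reach {TARGET_FREE_PCT:.0f}%")
```

Run against the quoted lines it reports C: as "below target" and D:, E: and F: as "dangerously low", matching the post's reading; the shortfall column turns the advice into a concrete number of gigabytes per drive.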

#5
evolutionpill

evolutionpill

    Member

  • Topic Starter
  • Member
  • 127 posts
Hi Dakeyras

A quick question before I begin the process you recommended: to make more space on my drives I will delete unnecessary files, but on my F folder I have my photos (about 5G) and some audio books that I wish to save on my backup drive (portable Mass USB). If I copy these over, will this not copy the malware too, creating a problem when I copy them back?

I really do appreciate you assisting me

Regards
  • 0

#6
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi. :)

What you could do is check for updates with your installed Anti-Virus, then right-click on the files you wish to transfer and scan them to ensure they are not compromised...

And/or, to save having to scan multiple files singularly, you could create a new folder where they are currently residing and in turn move the files to this new folder. Then right-click on the folder and select the option to scan it with AVG etc.

Once that is completed we can ensure your portable Mass USB is disinfected before transferring the aforementioned files/folder to it, as follows...

Flash Disinfector:

  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your portable Mass USB drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
  • 0
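The note above explains why the tool leaves a hidden folder called autorun.inf on each drive: with a directory occupying that name, nothing can drop a file called autorun.inf there. The script below is an added example, not part of this thread or of Flash_Disinfector: given a drive root it reports whether autorun.inf is absent, a protective placeholder directory, or a real file, and for a file it lists the [autorun] keys that name something to launch (open, shellexecute and the shell\...\command keys, which are the documented autorun.inf launch keys) without running anything. The three sample roots and the sample autorun.inf content are constructed in a temporary directory; the function names and the "sample_launcher.exe" value are my own.

```python
import configparser
import os
import tempfile

# [autorun] keys that name a program to start; a defender lists these, never runs them.
LAUNCH_KEYS = ("open", "shellexecute")


def inspect_autorun(drive_root):
    """Classify <drive_root>/autorun.inf.

    Returns ("absent", []), ("placeholder-dir", []) or ("file", entries),
    where entries is a list of (key, value) pairs that would launch a program.
    """
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.lexists(path):
        return ("absent", [])
    if os.path.isdir(path):
        # Flash_Disinfector-style placeholder: a directory holding the name
        # means no file named autorun.inf can be created at this root.
        return ("placeholder-dir", [])

    # interpolation=None so values such as %SystemRoot% are not expanded;
    # strict=False tolerates duplicated keys in hand-written files.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
    except configparser.Error:
        return ("file", [("unparsable", "")])

    entries = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            key_l = key.lower()
            if key_l in LAUNCH_KEYS or key_l.startswith("shell"):
                entries.append((key_l, value))
    return ("file", entries)


def build_sample_roots():
    """Construct three sample 'drive roots' in a temp dir (constructed test data)."""
    base = tempfile.mkdtemp(prefix="autorun_demo_")
    clean = os.path.join(base, "clean")            # no autorun.inf at all
    protected = os.path.join(base, "protected")    # placeholder directory
    suspect = os.path.join(base, "suspect")        # real autorun.inf file
    os.makedirs(clean)
    os.makedirs(os.path.join(protected, "autorun.inf"))
    os.makedirs(suspect)
    # Constructed sample; "sample_launcher.exe" is a placeholder name.
    with open(os.path.join(suspect, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[autorun]\n"
                 "open=sample_launcher.exe\n"
                 "icon=sample_launcher.exe,0\n"
                 "shell\\open\\command=sample_launcher.exe\n")
    return {"clean": clean, "protected": protected, "suspect": suspect}


if __name__ == "__main__":
    for name, root in build_sample_roots().items():
        status, entries = inspect_autorun(root)
        print(f"{name:10s} {status:16s} {entries}")
```

On a real machine you would call inspect_autorun with the drive roots ("E:\\", the USB stick's letter) instead of the constructed ones; a "file" result on a drive that Flash_Disinfector had already protected would mean the placeholder has been removed and deserves a look.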

#7
evolutionpill

evolutionpill

    Member

  • Topic Starter
  • Member
  • 127 posts
Hi Dakeyras

Trust you are well.

Right. I updated my backup (as per your suggestion, and followed your last recommendations); have to admit this took an awful lot of time, the transferring of about 10B (collective) took about 8 hours. I installed Disinfector (however AVG kept throwing it into the virus vault stating it was an IDP Trojan F6B5R97) so I disconnected AVG, installed the program and then activated AVG again and used it.

1. Space. I went through my PC and cleared out all stuff I don't need/want (C drive now 46%, D 23%, E 21%, F 24%). I know it's not quite 25% or more but hope this will be OK.

2. BitComet (I have not used that in yonks for the very reason you suggested) and have removed it, including Funshion.

3. Out of date files. Adobe 9.4.1 = removed (although I still have Adobe AIR, Adobe Flash Player ActiveX, Adobe Flash Player 10 plugin and Adobe Shockwave Player)
Java 6 Update 22 = removed
iJoysoft MKV (as I pressed the Remove button it came up with a box "iJoysoft encountered a problem and needs to close" and it closed; however when I went back to Add/Remove Programs it was gone)
4. Back up registry (ERUNT). Once downloaded I went to right-click and Run as admin but I could NOT find that option, so I just ran it anyway.

5. Reset Firewall SP2 = Done

6. Scan aswMBR - this took me 22 tries before I could eventually download and run it, but attached is the log.

7. Rescan OTL - done, log attached.

8. How is my PC performing now? There seems to be a marginal improvement.
8.1 I still get a box opening stating Just-In-Time Debugging (new instance of Microsoft Script Editor)
8.2 I still get a red X on IE so I downloaded Firefox (so I can see this website properly)
8.3 In Windows Task Manager I still get multiple iexplore open when only one is open.

Thanks again

Below are the logs.

ASWMBR

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-03 13:58:37
-----------------------------
13:58:37.321 OS Version: Windows 5.1.2600 Service Pack 2
13:58:37.321 Number of processors: 1 586 0xD06
13:58:37.321 ComputerName: SF2 UserName:
13:58:39.304 Initialize success
13:59:13.002 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:59:13.012 Disk 0 Vendor: Hitachi_HTS541612J9AT00 SBDOA70H Size: 114473MB BusType: 3
13:59:13.032 Disk 0 MBR read successfully
13:59:13.032 Disk 0 MBR scan
13:59:13.032 Disk 0 Windows XP default MBR code
13:59:13.042 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 20002 MB offset 63
13:59:13.042 Disk 0 Partition - 00 0F Extended LBA 94460 MB offset 40965750
13:59:13.083 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 29996 MB offset 40965813
13:59:13.083 Disk 0 Partition - 00 05 Extended 29996 MB offset 102398310
13:59:13.113 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 29996 MB offset 102398373
13:59:13.113 Disk 0 Partition - 00 05 Extended 34467 MB offset 225263430
13:59:13.143 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 34467 MB offset 163830933
13:59:13.153 Disk 0 scanning sectors +234420480
13:59:13.223 Disk 0 scanning C:\WINDOWS\system32\drivers
13:59:31.379 Service scanning
13:59:43.907 Modules scanning
13:59:52.429 Disk 0 trace - called modules:
13:59:52.459 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS NDIS.sys iwca.sys
13:59:52.469 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x857cc030]
13:59:52.479 3 CLASSPNP.SYS[f766005b] -> nt!IofCallDriver -> \Device\0000007c[0x857ced80]
13:59:52.489 5 ACPI.sys[f75b6620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x857448e8]
13:59:52.499 Scan finished successfully
14:00:09.253 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\sfvb\Desktop\MBR.dat"
14:00:09.263 The log file has been saved successfully to "C:\Documents and Settings\sfvb\Desktop\aswMBR.txt"


OTL

OTL logfile created on: 03/07/2012 14:02:51 - Run 2
OTL by OldTimer - Version 3.2.53.0 Folder = C:\Documents and Settings\sfvb\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

494.42 Mb Total Physical Memory | 201.81 Mb Available Physical Memory | 40.82% Memory free
1.13 Gb Paging File | 0.69 Gb Available in Paging File | 61.17% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.53 Gb Total Space | 9.18 Gb Free Space | 47.00% Space Free | Partition Type: NTFS
Drive D: | 29.29 Gb Total Space | 6.76 Gb Free Space | 23.08% Space Free | Partition Type: NTFS
Drive E: | 29.29 Gb Total Space | 6.33 Gb Free Space | 21.61% Space Free | Partition Type: NTFS
Drive F: | 33.66 Gb Total Space | 8.19 Gb Free Space | 24.33% Space Free | Partition Type: NTFS

Computer Name: SF2 | User Name: sfvb | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Program Files\Baidu\BaiduPlayer\1.14.0.132\BaiduPlayer.exe (Baidu Inc.)
PRC - C:\Program Files\Baidu\BaiduPlayer\1.14.0.132\BaiduP2PService.exe (Baidu.com, Inc.)
PRC - C:\Documents and Settings\sfvb\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe ()
PRC - C:\Program Files\AVG Secure Search\vprot.exe ()
PRC - C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\1XConfig.exe (Intel)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Baidu\BaiduPlayer\1.14.0.132\libUI.dll ()
MOD - C:\Program Files\Baidu\BaiduPlayer\1.14.0.132\zlib1.dll ()
MOD - C:\Program Files\Baidu\BaiduPlayer\1.14.0.132\BDPlayer.dll ()
MOD - C:\Program Files\Baidu\BaiduPlayer\1.14.0.132\clientstat.dll ()
MOD - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe ()
MOD - C:\Program Files\AVG Secure Search\vprot.exe ()
MOD - C:\Program Files\WinRAR\RarExt.dll ()
MOD - C:\Program Files\Intel\Wireless\Bin\D8021Xps.DLL ()


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (vToolbarUpdater10.2.0) -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe ()
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (WLANKEEPER) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (aswMBR) -- C:\Documents and Settings\sfvb\Local Settings\Temp\aswMBR.sys ()
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSEH) -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (WinDriver) -- C:\WINDOWS\system32\drivers\windrvr.sys (KRFTech)
DRV - (hwdatacard) -- C:\WINDOWS\system32\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.)
DRV - (STAC97) Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\stac97.sys (SigmaTel, Inc.)
DRV - (w29n51) Intel® -- C:\WINDOWS\system32\drivers\w29n51.sys (Intel Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (IWCA) -- C:\WINDOWS\system32\drivers\iwca.sys (Intel Corporation)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (tifm) -- C:\WINDOWS\system32\drivers\tifm.sys (Texas Instruments)
DRV - (HSFHWICH) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (OMCI) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Computer Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search...p={searchTerms}


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {CCC7A320-B3CA-4199-B1A6-9F516DD69829}
IE - HKU\.DEFAULT\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.co...e}&iy=&ychte=us
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {CCC7A320-B3CA-4199-B1A6-9F516DD69829}
IE - HKU\S-1-5-18\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.co...e}&iy=&ychte=us
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...=en&source=iglk
IE - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...1I7ADFA_enCN370
IE - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.co...e}&iy=&ychte=us
IE - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Baidu Search"
FF - prefs.js..browser.search.selectedEngine: "Baidu Search"
FF - prefs.js..browser.startup.homepage: "http://www.google.co...rce=gapg&hl=en"
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:10.0.0.1209
FF - prefs.js..extensions.enabledItems: [email protected]:6.010.023.001
FF - prefs.js..keyword.URL: "http://isearch.avg.c...8:24&sap=ku&q="
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@baidu.com/npxbdyy: C:\Program Files\Baidu\BaiduPlayer\1.14.0.132\npxbdyy.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@pptv.com/plugin: C:\Program Files\Internet Explorer\PPLite\plugin\npplugin2.dll (PPLive Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.709: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.709: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.709: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/14 12:45:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AutocompletePro\[email protected]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/02/07 11:49:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Documents and Settings\All Users\Application Data\AVG Secure Search\10.2.0.3\ [2012/03/15 09:26:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/01 08:12:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/07/03 13:29:03 | 000,000,000 | ---D | M]

[2010/04/07 13:40:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\sfvb\Application Data\Mozilla\Extensions
[2012/06/30 19:29:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\sfvb\Application Data\Mozilla\Firefox\Profiles\cuqo6fdj.default\extensions
[2012/06/26 14:20:50 | 000,000,000 | ---D | M] (BitTorrentBar Community Toolbar) -- C:\Documents and Settings\sfvb\Application Data\Mozilla\Firefox\Profiles\cuqo6fdj.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
[2012/06/28 08:38:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/04/30 22:12:14 | 000,000,000 | ---D | M] (Click to call with Skype) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2012/03/15 09:26:22 | 000,000,000 | ---D | M] (AVG Security Toolbar) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AVG SECURE SEARCH\10.2.0.3
[2011/04/29 01:51:41 | 000,191,192 | ---- | M] () (No name found) -- C:\DOCUMENTS AND SETTINGS\SFVB\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\CUQO6FDJ.DEFAULT\EXTENSIONS\[email protected]
[2012/07/01 08:12:32 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/06/28 08:38:11 | 000,001,525 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/03/15 09:23:38 | 000,003,766 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
[2012/06/28 08:38:11 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/06/28 08:38:11 | 000,000,935 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/06/28 08:38:11 | 000,001,166 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/06/28 08:38:11 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
[2012/06/28 08:38:11 | 000,001,121 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2004/08/04 20:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll ()
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found.
O3 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [kwmusic] "C:\Program Files\KWMUSIC\Kwmusic.exe" /autorun File not found
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [vProt] C:\Program Files\AVG Secure Search\vprot.exe ()
O4 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003..\Run: [BaiduMEDIA] C:\Program Files\Baidu\BaiduPlayer\1.14.0.132\Baiduplayer.exe (Baidu Inc.)
O4 - Startup: C:\Documents and Settings\sfvb\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} https://site.cmbchin...oad/CMBEdit.cab (Edit Class)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.micr...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {9701758C-4373-482E-B13C-776C048EC890} http://xmp.down.sand...ankanPlayer.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 114.64.255.146 219.141.136.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E21A50FD-326F-46B7-90B0-CED202A1549F}: DhcpNameServer = 114.64.255.146 219.141.136.10
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\sfvb\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\sfvb\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/12 23:15:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2012/07/02 14:32:29 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/03/13 13:44:31 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/03/13 13:44:31 | 000,000,000 | RHSD | M] - E:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/03/13 13:44:31 | 000,000,000 | RHSD | M] - F:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
O33 - MountPoints2\{757188a1-9e6f-11df-9116-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{757188a1-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{757188a1-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
O33 - MountPoints2\{b7784020-9bff-11df-9115-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{b7784020-9bff-11df-9115-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7784020-9bff-11df-9115-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
O33 - MountPoints2\{b7784021-9bff-11df-9115-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{b7784021-9bff-11df-9115-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7784021-9bff-11df-9115-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/07/03 13:55:19 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\sfvb\Desktop\aswMBR.exe
[2012/07/03 13:45:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/07/03 13:44:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/07/03 13:44:47 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/07/03 13:38:52 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\sfvb\Desktop\erunt-setup.exe
[2012/07/03 10:34:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\BaiduPlayer
[2012/07/02 21:57:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sfvb\Application Data\CometPlayer
[2012/07/02 14:32:29 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2012/06/28 08:38:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2012/06/28 08:38:43 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/06/26 20:54:41 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\sfvb\Desktop\OTL.exe
[2012/06/22 12:14:57 | 000,684,288 | ---- | C] (RealNetworks, Inc.) -- C:\Documents and Settings\sfvb\Desktop\RealPlayer2012.exe
[2012/06/17 10:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Kingsoft
[2010/12/02 15:54:40 | 043,658,352 | ---- | C] (DivX, Inc.) -- C:\Program Files\DivXInstaller.exe
[2010/12/02 15:12:11 | 011,873,890 | ---- | C] (Audacity Team ) -- C:\Program Files\audacity-win-unicode-1.3.12.exe
[2010/06/21 10:04:29 | 000,092,064 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmmdm.sys
[2010/06/21 10:04:29 | 000,079,328 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmserd.sys
[2010/06/21 10:04:29 | 000,066,656 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmbus.sys
[2010/06/21 10:04:29 | 000,009,232 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmmdfl.sys
[2010/06/21 10:04:29 | 000,006,208 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmcmnt.sys
[2010/06/21 10:04:29 | 000,005,936 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmwhnt.sys
[2010/06/21 10:04:29 | 000,004,048 | ---- | C] (MCCI) -- C:\Documents and Settings\sfvb\mqdmcr.sys
[2010/06/21 10:04:28 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\sfvb\usbsermptxp.sys
[2010/06/21 10:04:28 | 000,022,768 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\sfvb\usbsermpt.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/03 14:02:00 | 000,000,368 | ---- | M] () -- C:\WINDOWS\tasks\WpsUpdateTask_sfvb.job
[2012/07/03 14:00:09 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\sfvb\Desktop\MBR.dat
[2012/07/03 13:58:25 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\sfvb\Desktop\aswMBR.exe
[2012/07/03 13:45:10 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\sfvb\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/07/03 13:44:52 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\sfvb\Desktop\NTREGOPT.lnk
[2012/07/03 13:44:52 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\sfvb\Desktop\ERUNT.lnk
[2012/07/03 13:39:09 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\sfvb\Desktop\erunt-setup.exe
[2012/07/03 13:36:35 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-790525478-1677128483-1343024091-1003.job
[2012/07/03 13:36:28 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-790525478-1677128483-1343024091-1003.job
[2012/07/03 13:35:49 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/03 13:35:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/03 13:28:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/03 13:19:55 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\sfvb\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/07/03 12:38:55 | 000,000,138 | ---- | M] () -- C:\WINDOWS\vsfilter.INI
[2012/07/03 10:34:47 | 000,000,945 | ---- | M] () -- C:\Documents and Settings\sfvb\Application Data\Microsoft\Internet Explorer\Quick Launch\BaiduPlayer.lnk
[2012/07/03 10:34:47 | 000,000,927 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BaiduPlayer.lnk
[2012/07/03 10:33:14 | 015,519,888 | ---- | M] () -- C:\Documents and Settings\sfvb\Desktop\BaiduPlayer1.14.0.132.exe
[2012/07/03 09:16:57 | 100,998,345 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/07/03 09:10:10 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/02 22:39:24 | 000,004,118 | ---- | M] () -- C:\Documents and Settings\sfvb\funshion.ini
[2012/07/02 22:18:44 | 000,000,911 | ---- | M] () -- C:\Documents and Settings\sfvb\Application Data\coreavc.ini
[2012/07/02 14:21:51 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\sfvb\Desktop\Flash_Disinfector.exe
[2012/06/29 17:15:27 | 000,178,292 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/06/28 17:44:27 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\sfvb\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2012/06/28 11:09:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/06/26 20:54:46 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sfvb\Desktop\OTL.exe
[2012/06/22 13:28:30 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/06/22 12:15:02 | 000,684,288 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\sfvb\Desktop\RealPlayer2012.exe
[2012/06/17 17:26:49 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/06/11 16:56:39 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\sfvb\Desktop\Microsoft Office Word 2003.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/03 14:00:09 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\sfvb\Desktop\MBR.dat
[2012/07/03 13:45:10 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\sfvb\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2012/07/03 13:44:52 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\sfvb\Desktop\NTREGOPT.lnk
[2012/07/03 13:44:52 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\sfvb\Desktop\ERUNT.lnk
[2012/07/03 10:34:47 | 000,000,945 | ---- | C] () -- C:\Documents and Settings\sfvb\Application Data\Microsoft\Internet Explorer\Quick Launch\BaiduPlayer.lnk
[2012/07/03 10:34:47 | 000,000,927 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\BaiduPlayer.lnk
[2012/07/03 10:33:06 | 015,519,888 | ---- | C] () -- C:\Documents and Settings\sfvb\Desktop\BaiduPlayer1.14.0.132.exe
[2012/07/02 14:21:51 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\sfvb\Desktop\Flash_Disinfector.exe
[2012/05/17 16:26:37 | 000,000,305 | ---- | C] () -- C:\WINDOWS\System32\bdsecushr.dat
[2012/05/16 20:54:54 | 000,000,138 | ---- | C] () -- C:\WINDOWS\vsfilter.INI
[2012/04/28 15:04:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\psnetwork.ini
[2012/01/07 03:03:10 | 000,017,408 | ---- | C] () -- C:\Documents and Settings\sfvb\Local Settings\Application Data\WebpageIcons.db
[2012/01/06 23:40:07 | 000,103,784 | ---- | C] () -- C:\Documents and Settings\sfvb\GoToAssistDownloadHelper.exe
[2011/12/30 11:34:24 | 000,000,911 | ---- | C] () -- C:\Documents and Settings\sfvb\Application Data\coreavc.ini
[2011/06/15 20:18:44 | 000,112,128 | ---- | C] () -- C:\WINDOWS\System32\drvinst.exe
[2011/06/15 20:18:19 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\nmocod.dll
[2011/02/27 16:32:18 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\sfvb\Local Settings\Application Data\prvlcl.dat
[2010/11/09 17:05:50 | 000,004,118 | ---- | C] () -- C:\Documents and Settings\sfvb\funshion.ini
[2010/11/09 17:05:50 | 000,001,081 | ---- | C] () -- C:\WINDOWS\System32\funshion.ini
[2010/07/16 03:32:29 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\sfvb\Local Settings\Application Data\fusioncache.dat
[2010/07/16 03:21:29 | 000,000,157 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2010/07/16 03:20:42 | 000,000,840 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2010/07/16 03:16:07 | 000,128,786 | ---- | C] () -- C:\WINDOWS\hppins02.dat
[2010/07/16 03:16:06 | 000,001,883 | ---- | C] () -- C:\WINDOWS\hppmdl02.dat
[2010/07/09 01:31:49 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/21 10:18:53 | 000,016,002 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem20.PNF
[2010/06/21 10:18:53 | 000,015,682 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem17.PNF
[2010/06/21 10:18:53 | 000,012,420 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem16.PNF
[2010/06/21 10:18:53 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem20.inf
[2010/06/21 10:18:53 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem17.inf
[2010/06/21 10:18:53 | 000,007,754 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem18.PNF
[2010/06/21 10:18:53 | 000,007,314 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem19.PNF
[2010/06/21 10:18:53 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem18.inf
[2010/06/21 10:18:53 | 000,005,960 | ---- | C] () -- C:\Documents and Settings\sfvb\1277086733-(null)
[2010/06/21 10:18:53 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem19.inf
[2010/06/21 10:18:52 | 000,014,334 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem13.PNF
[2010/06/21 10:18:52 | 000,012,828 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem14.PNF
[2010/06/21 10:18:52 | 000,012,794 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem15.PNF
[2010/06/21 10:18:52 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\sfvb\1277086732-(null)
[2010/06/21 10:18:52 | 000,006,141 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem15.inf
[2010/06/21 10:18:52 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\sfvb\Copy of oem14.inf
[2010/06/21 10:04:29 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\sfvb\MCCI_MDM.INF
[2010/06/21 10:04:29 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\sfvb\USB_MOT_BRIT.INF
[2010/06/21 10:04:29 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\sfvb\MCCI_BUS.INF
[2010/06/21 10:04:29 | 000,006,141 | ---- | C] () -- C:\Documents and Settings\sfvb\USBMOT2000XP.INF
[2010/06/21 10:04:29 | 000,005,960 | ---- | C] () -- C:\Documents and Settings\sfvb\USB_MOT_A1000.INF
[2010/06/21 10:04:29 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\sfvb\MCCI_SDM.INF
[2010/06/21 10:04:28 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\sfvb\USBMOT2000.INF
[2010/06/21 10:04:28 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\sfvb\USB_CMCS_2000.INF
[2010/03/25 20:17:11 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\sfvb\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/14 16:26:19 | 000,000,406 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2004/08/04 20:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\explorer.exe
[2004/08/04 20:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: SERVICES >
[2004/08/04 20:00:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS\system32\drivers\etc\services

< MD5 for: SERVICES.EXE >
[2004/08/04 20:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\system32\dllcache\services.exe
[2004/08/04 20:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\system32\services.exe

< MD5 for: SERVICES.LNK >
[2012/01/07 01:57:44 | 000,001,602 | ---- | M] () MD5=0CC6F86632F32F30EB8B9C798A90D181 -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk

< MD5 for: SERVICES.MSC >
[2004/08/04 20:00:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS\system32\services.msc

< MD5 for: SVCHOST.EXE >
[2004/08/04 20:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2004/08/04 20:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 20:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\dllcache\userinit.exe
[2004/08/04 20:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 20:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2004/08/04 20:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\winlogon.exe

========== Files - Unicode (All) ==========
[2012/04/24 14:13:23 | 000,000,981 | ---- | M] ()(C:\Documents and Settings\All Users\Desktop\WPS??.lnk) -- C:\Documents and Settings\All Users\Desktop\WPS演示.lnk
[2012/04/24 14:13:23 | 000,000,981 | ---- | M] ()(C:\Documents and Settings\All Users\Desktop\WPS??.lnk) -- C:\Documents and Settings\All Users\Desktop\WPS文字.lnk
[2012/04/24 14:13:23 | 000,000,981 | ---- | C] ()(C:\Documents and Settings\All Users\Desktop\WPS??.lnk) -- C:\Documents and Settings\All Users\Desktop\WPS演示.lnk
[2012/04/24 14:13:23 | 000,000,966 | ---- | M] ()(C:\Documents and Settings\All Users\Desktop\WPS??.lnk) -- C:\Documents and Settings\All Users\Desktop\WPS表格.lnk
[2012/04/24 14:13:23 | 000,000,966 | ---- | C] ()(C:\Documents and Settings\All Users\Desktop\WPS??.lnk) -- C:\Documents and Settings\All Users\Desktop\WPS表格.lnk
[2012/04/24 14:13:22 | 000,000,981 | ---- | C] ()(C:\Documents and Settings\All Users\Desktop\WPS??.lnk) -- C:\Documents and Settings\All Users\Desktop\WPS文字.lnk
(C:\Documents and Settings\All Users\Start Menu\Programs\WPS Office ???) -- C:\Documents and Settings\All Users\Start Menu\Programs\WPS Office 个人版

========== Alternate Data Streams ==========

@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >
  • 0

#8
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi. :)

Trust you are well.

Fine thank you for asking.

A most concise update and I thank you for that; anyway, let's proceed as follows, shall we...

Next:

Please delete your current version of OTL.exe and download the updated version to your desktop from here.

FixPolicies:

Please download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from here.

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box should briefly appear and then close.
  • Leave FixPolicies on your desktop please until I otherwise advise, thank you.
Custom OTL Script:

  • Double-click on OTL.exe to start the program.
  • Copy the lines from the quote-box (do not copy the word quote) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:OTL
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - No CLSID value found.
O3 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [kwmusic] "C:\Program Files\KWMUSIC\Kwmusic.exe" /autorun File not found
O4 - Startup: C:\Documents and Settings\sfvb\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.micr...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {9701758C-4373-482E-B13C-776C048EC890} http://xmp.down.sand...ankanPlayer.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O33 - MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
O33 - MountPoints2\{757188a1-9e6f-11df-9116-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{757188a1-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{757188a1-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
O33 - MountPoints2\{b7784020-9bff-11df-9115-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{b7784020-9bff-11df-9115-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7784020-9bff-11df-9115-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
O33 - MountPoints2\{b7784021-9bff-11df-9115-0013ce38b6e1}\Shell - "" = AutoRun
O33 - MountPoints2\{b7784021-9bff-11df-9115-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b7784021-9bff-11df-9115-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

:Files
ipconfig /flushdns /c

:Commands
[Purity]
[ResetHosts]
[EmptyTemp]
[Reboot]

  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Malwarebytes Anti-Malware:

Note: The below scan may take quite some time since there are four drives to be scanned.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe, then follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
When the program loads, decline the Malwarebytes' Anti-Malware Trial (you can activate this when we've finished, if you so wish).
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked apart from anything that may be detected in the C:\System Volume Information folder, then click on Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:

  • Launch Malwarebytes' Anti-Malware
  • Click on the Logs radio tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • OTL Log from the Custom Script.
  • Malwarebytes Anti-Malware Log.

  • 0
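The autorun-related lines in the OTL log above (O4 Run entries, the O6/O7 NoDriveTypeAutoRun policies, O32 autorun files on drive roots and O33 MountPoints2 AutoRun commands) can be triaged mechanically before a fix script is written. The Python below is an added example for this thread, not OTL's own code and not part of the helper's instructions; the regular expressions and the sample lines are constructed from the line formats quoted in the log, and the drive-type bit meanings are the ones Microsoft documents for NoDriveTypeAutoRun (a set bit disables AutoRun for that drive type).

```python
"""Triage helper for autorun/autostart lines in an OTL report.

Added example for this thread (not OTL's code). It reads OTL lines of the
kinds quoted in the log (O4 Run, O6/O7 NoDriveTypeAutoRun, O32 AutoRun
File, O33 MountPoints2 command) and returns findings a defender would look
at before deciding what to remove. The sample lines are constructed copies
of the formats used in the thread.
"""
import re
from dataclasses import dataclass
from typing import List

# Bits of NoDriveTypeAutoRun: a SET bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown drive",
}

# Constructed sample in the OTL line format seen in this thread.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [kwmusic] "C:\Program Files\KWMUSIC\Kwmusic.exe" /autorun File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-790525478-1677128483-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/03/12 23:15:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2012/07/02 14:32:29 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/03/13 13:44:31 | 000,000,000 | RHSD | M] - E:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\Shell\AutoRun\command - "" = H:\VMC_PBStarter.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
POLICY_RE = re.compile(r'^O[67] - (?P<key>.+?): NoDriveTypeAutoRun = (?P<val>\d+)$')
AUTORUN_FILE_RE = re.compile(
    r'^O32 - AutoRun File - \[(?P<stamp>[^|]+?) \| (?P<size>[^|]+?) \| (?P<attr>[A-Z-]{4}) \| [CM]\] '
    r'(?:\(\) )?- (?P<path>.+?) -- \[ (?P<fs>\w+) \]$')
MOUNTPOINT_CMD_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-fA-F-]+)\}\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')


@dataclass
class Finding:
    category: str
    detail: str


def autorun_enabled_types(mask: int) -> List[str]:
    """Drive types whose AutoRun is NOT disabled by a NoDriveTypeAutoRun mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def triage(lines) -> List[Finding]:
    """Walk OTL lines and collect the autorun-related items worth a second look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        m = RUN_RE.match(line)
        if m:
            # An autostart whose target no longer exists is leftover registry debris.
            if m.group("cmd").endswith("File not found"):
                findings.append(Finding("orphaned-run-entry",
                                        f"{m.group('hive')} Run [{m.group('name')}] points at a missing file"))
            continue
        m = POLICY_RE.match(line)
        if m:
            mask = int(m.group("val"))
            still_on = autorun_enabled_types(mask)
            if still_on:  # 255 disables every type and produces no finding
                findings.append(Finding("autorun-policy",
                                        f"{m.group('key')}: NoDriveTypeAutoRun={mask} leaves AutoRun on for "
                                        + ", ".join(still_on)))
            continue
        m = AUTORUN_FILE_RE.match(line)
        if m:
            path = m.group("path")
            if path.lower().endswith(":\\autorun.inf"):
                attr = m.group("attr")
                # 'D' in the attribute column means a directory named autorun.inf,
                # i.e. a placeholder that Windows cannot parse as an autorun file.
                kind = "directory placeholder" if "D" in attr else "file"
                findings.append(Finding("root-autorun-inf", f"{path} ({kind}, attrs {attr})"))
            continue
        m = MOUNTPOINT_CMD_RE.match(line)
        if m:
            cmd = m.group("cmd")
            drive = cmd[:2].upper()
            # Cached AutoPlay handlers that launch an executable from a non-system drive.
            if re.match(r"^[A-Z]:$", drive) and drive != "C:":
                findings.append(Finding("mountpoint-autorun-cmd", f"{{{m.group('guid')}}} runs {cmd}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"{f.category:24} {f.detail}")
```

The attribute column matters when reading the O32 lines: the `RHSD` entries in this log are hidden system directories named `autorun.inf`, the protective placeholder that cleanup tools such as Flash_Disinfector create so that a real autorun.inf cannot be dropped in the root, so they are not evidence of an active infection by themselves. The example reports each hive's NoDriveTypeAutoRun separately rather than resolving which value wins, so the reader can compare the HKLM value (255, everything disabled) with the per-user values that FixPolicies is meant to bring into line.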

#9
evolutionpill

    Member

  • Topic Starter
  • Member
  • 127 posts
Hi Dakeyras

Right, followed your instructions.

Only hassle I had was with Malwarebytes' Anti-Malware; I could not download it from the link you provided, so I went to the company webpage and downloaded it from there (hope that's ok).

Below are the reports (I see there is still funshion; however, I removed that, but I see in the Malwarebytes' Anti-Malware report it's still there; also a lot from Baidu player - I thought that was a great player to use from a reputable website (baidu.com)????

PC seems better although I still get the following:
8.1 I still get a box opening stating Just-In-Time debugging (new instance of Microsoft Script Editor)
8.2 I still get red Xs on IE so I downloaded Firefox (so I can see this website properly)

Also I did as you stated with the "Be sure that everything is checked apart from anything that may be detected in the C:\System Volume Information folder, then click on Remove Selected."; there were a few, all funshion related.


But when I run IE I only see one in the Task Manager box, which is good.

OTL Report

All processes killed
========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-21-790525478-1677128483-1343024091-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-790525478-1677128483-1343024091-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{00000000-0000-0000-0000-000000000000} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\ not found.
Registry value HKEY_USERS\S-1-5-21-790525478-1677128483-1343024091-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-790525478-1677128483-1343024091-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-790525478-1677128483-1343024091-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\kwmusic deleted successfully.
C:\Documents and Settings\sfvb\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk moved successfully.
C:\Program Files\ERUNT\AUTOBACK.EXE moved successfully.
Starting removal of ActiveX control {31435657-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\wvc1dmo.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{31435657-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {41564D57-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\wmvadvd.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{41564D57-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41564D57-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{41564D57-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41564D57-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {9701758C-4373-482E-B13C-776C048EC890}
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\KankanPlayer.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9701758C-4373-482E-B13C-776C048EC890}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9701758C-4373-482E-B13C-776C048EC890}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9701758C-4373-482E-B13C-776C048EC890}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9701758C-4373-482E-B13C-776C048EC890}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6a547d50-9bb3-11df-910f-0013ce38b6e1}\ not found.
File H:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{757188a0-9e6f-11df-9116-0013ce38b6e1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{757188a0-9e6f-11df-9116-0013ce38b6e1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{757188a0-9e6f-11df-9116-0013ce38b6e1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{757188a0-9e6f-11df-9116-0013ce38b6e1}\ not found.
File H:\VMC_PBStarter.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{757188a1-9e6f-11df-9116-0013ce38b6e1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{757188a1-9e6f-11df-9116-0013ce38b6e1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{757188a1-9e6f-11df-9116-0013ce38b6e1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{757188a1-9e6f-11df-9116-0013ce38b6e1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{757188a1-9e6f-11df-9116-0013ce38b6e1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{757188a1-9e6f-11df-9116-0013ce38b6e1}\ not found.
File H:\VMC_PBStarter.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7784020-9bff-11df-9115-0013ce38b6e1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7784020-9bff-11df-9115-0013ce38b6e1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7784020-9bff-11df-9115-0013ce38b6e1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7784020-9bff-11df-9115-0013ce38b6e1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7784020-9bff-11df-9115-0013ce38b6e1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7784020-9bff-11df-9115-0013ce38b6e1}\ not found.
File H:\VMC_PBStarter.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7784021-9bff-11df-9115-0013ce38b6e1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7784021-9bff-11df-9115-0013ce38b6e1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7784021-9bff-11df-9115-0013ce38b6e1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7784021-9bff-11df-9115-0013ce38b6e1}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7784021-9bff-11df-9115-0013ce38b6e1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b7784021-9bff-11df-9115-0013ce38b6e1}\ not found.
File H:\VMC_PBStarter.exe not found.
C:\WINDOWS\E220AutoRunLog.tmp deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\ConduitEngine.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\drivers\OLD4D.tmp deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4 deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\sfvb\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\sfvb\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 38652 bytes
->Flash cache emptied: 41620 bytes

User: All Users

User: Default User
->Temp folder emptied: 96 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 38784 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 377635 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4078689 bytes

User: sfvb
->Temp folder emptied: 321628 bytes
->Temporary Internet Files folder emptied: 193754821 bytes
->Java cache emptied: 561665 bytes
->FireFox cache emptied: 105019129 bytes
->Flash cache emptied: 1109504 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 944811 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 108124227 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 679316 bytes

Total Files Cleaned = 396.00 mb


OTL by OldTimer - Version 3.2.53.1 log created on 07032012_214040

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\sfvb\Local Settings\Temp\~DF3E3A.tmp not found!
File\Folder C:\Documents and Settings\sfvb\Local Settings\Temp\~DF3EFA.tmp not found!
File\Folder C:\Documents and Settings\sfvb\Local Settings\Temp\~DF4050.tmp not found!
File\Folder C:\Documents and Settings\sfvb\Local Settings\Temp\~DF405D.tmp not found!
File\Folder C:\Documents and Settings\sfvb\Local Settings\Temp\~DF4181.tmp not found!
File\Folder C:\Documents and Settings\sfvb\Local Settings\Temp\~DF4223.tmp not found!
File\Folder C:\Documents and Settings\sfvb\Local Settings\Temp\~DFF3E5.tmp not found!
File\Folder C:\Documents and Settings\sfvb\Local Settings\Temp\~DFF7CB.tmp not found!
C:\Documents and Settings\sfvb\Local Settings\Temporary Internet Files\Content.IE5\YPN95GSU\page__p__2173348[2].htm moved successfully.
C:\Documents and Settings\sfvb\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

PendingFileRenameOperations files...
File C:\Documents and Settings\sfvb\Local Settings\Temp\~DF3E3A.tmp not found!
File C:\Documents and Settings\sfvb\Local Settings\Temp\~DF3EFA.tmp not found!
File C:\Documents and Settings\sfvb\Local Settings\Temp\~DF4050.tmp not found!
File C:\Documents and Settings\sfvb\Local Settings\Temp\~DF405D.tmp not found!
File C:\Documents and Settings\sfvb\Local Settings\Temp\~DF4181.tmp not found!
File C:\Documents and Settings\sfvb\Local Settings\Temp\~DF4223.tmp not found!
File C:\Documents and Settings\sfvb\Local Settings\Temp\~DFF3E5.tmp not found!
File C:\Documents and Settings\sfvb\Local Settings\Temp\~DFF7CB.tmp not found!
File C:\Documents and Settings\sfvb\Local Settings\Temporary Internet Files\Content.IE5\YPN95GSU\page__p__2173348[2].htm not found!
File C:\Documents and Settings\sfvb\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat not found!

Registry entries deleted on Reboot...
#10 Dakeyras (Anti-Malware Mammoth, Expert, 9,665 posts)

Hi. :)

If you could post the actual Malwarebytes' Anti-Malware log for my review that would be great. Then once I have reviewed it I will in turn answer your questions and provide further instructions, thank you.
#11 evolutionpill (Topic Starter, Member, 127 posts)

Hi, I could have sworn that I posted the log, sorry about that (of all the things I miss, I miss my mind the most). Here is the Mbam log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.03.05

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
sfvb :: SF2 [administrator]

03/07/2012 22:03:04
mbam-log-2012-07-03 (22-03-04).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 301327
Time elapsed: 57 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\Software\Baidu (PUP.Baidu) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Baidu (PUP.Baidu) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters|DhcpNameServer (Trojan.DNSChanger) -> Bad: (219.141.136.10) Good: () -> Quarantined and repaired successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E21A50FD-326F-46B7-90B0-CED202A1549F}|DhcpNameServer (Trojan.DNSChanger) -> Bad: (219.141.136.10) Good: () -> Quarantined and repaired successfully.

Folders Detected: 8
C:\Documents and Settings\All Users\Application Data\Baidu (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\download (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\Application Data\Baidu (PUP.Baidu) -> Delete on reboot.
C:\Documents and Settings\sfvb\Application Data\Baidu\BaiduPlayer (PUP.Baidu) -> Delete on reboot.
C:\Documents and Settings\sfvb\Application Data\Baidu\BaiduPlayer\ClientStat (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\Application Data\Baidu\BaiduPlayer\ClientStat\MainPath (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\Application Data\Baidu\hao123 (PUP.Baidu) -> Quarantined and deleted successfully.

Files Detected: 29
C:\System Volume Information\_restore{B5315CF0-3057-4578-B37F-FEB8487C48D3}\RP589\A0132912.exe (PUP.Funshion) -> No action taken.
C:\System Volume Information\_restore{B5315CF0-3057-4578-B37F-FEB8487C48D3}\RP589\A0132916.dll (PUP.Funshion) -> No action taken.
C:\System Volume Information\_restore{B5315CF0-3057-4578-B37F-FEB8487C48D3}\RP589\A0132918.dll (PUP.Funshion) -> No action taken.
C:\System Volume Information\_restore{B5315CF0-3057-4578-B37F-FEB8487C48D3}\RP589\A0132927.exe (PUP.Funshion) -> No action taken.
C:\System Volume Information\_restore{B5315CF0-3057-4578-B37F-FEB8487C48D3}\RP589\A0132932.exe (PUP.Funshion) -> No action taken.
C:\System Volume Information\_restore{B5315CF0-3057-4578-B37F-FEB8487C48D3}\RP589\A0133154.exe (PUP.Funshion) -> No action taken.
C:\WINDOWS\system32\funshion.ini (PUP.Funshion) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\funshion.ini (PUP.Funshion) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\autoupdate.ini (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\ba.ini (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\bdsecushr.dat (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\bdupdate.exe (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\PlayFileNumber.ini (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\Service.ini (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\tasks.dat (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\update.ini (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\update.xml (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\download\BaiduPinyinSetup.exe.bdre (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\download\BaiduPinyinSetup.exe.bdtp (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\download\GuaGua3.2Setup0417_silence_2232.exe (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\Application Data\Baidu\BaiduPlayer\BDYYDeleteList.xml (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\Application Data\Baidu\BaiduPlayer\BDYYPlayList.xml (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\Application Data\Baidu\BaiduPlayer\conf.db (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\Application Data\Baidu\BaiduPlayer\lang.db (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\Application Data\Baidu\BaiduPlayer\p2p.log (PUP.Baidu) -> Delete on reboot.
C:\Documents and Settings\sfvb\Application Data\Baidu\BaiduPlayer\P2PCfg.ini (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\Application Data\Baidu\BaiduPlayer\RecentPlayList.xml (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\Application Data\Baidu\BaiduPlayer\ClientStat\MainPath\statdata.xml (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\Application Data\Baidu\BaiduPlayer\ClientStat\MainPath\statfailed.xml (PUP.Baidu) -> Quarantined and deleted successfully.

(end)
#12 Dakeyras (Anti-Malware Mammoth, Expert, 9,665 posts)

Hi. :)

Quote
Only hassle I had was with Malwarebytes' Anti-Malware, I could not download from the link you provided so I went to the company webpage and downloaded it from there. (Hope that's OK.)

Not a problem, most likely malware was hindering the actual link I provided.

Quote
Below are the reports (I see there is still Funshion; I removed that but I see in the Malwarebytes' Anti-Malware report it's still there. Also a lot from Baidu Player - I thought that was a great player to use from a reputable website (baidu.com)????

The Funshion detections are actually infected System Restore points, which in itself is not that major an issue, as even an infected one of the aforementioned can still be invoked if the need arises. However we will be flushing the actual System Restore points and creating a new clean one prior to the installation of XP Service Pack 3.

As for Baidu, further research has revealed it does indeed have undesirable characteristics that are deemed both a privacy and security risk all told. So overall it is not something advisable to have installed on a machine.

Also, if you intend to keep Firefox installed it might be an idea to use a different search engine. Though it does appear you do have an older version installed also:-

Mozilla Firefox 6.0.1

Which I was planning on advising you to update, but since you downloaded and installed the latest version, merely uninstall the version above.

Quote
I could have sworn that I posted the log, sorry about that (of all the things I miss, I miss my mind the most),

No worries.

Quote
8.1 I still get a box opening stating Just-in-time debugging (new instance of Microsoft Script Editor)
8.2 I still get red x on IE so I downloaded Firefox (so I can see this website properly)

OK, carry out the below and let me know if that cured the issues mentioned (Reset IE8)...

Reset IE8:

  • Please download this Microsoft FixIt and save it to the desktop.
  • Double click on MicrosoftFixit50195.exe select I Agree and click on Next.
  • Follow the on-screen prompts.
  • You may delete MicrosoftFixit50195.exe when finished, and/or keep it in case of any problems in the future with IE8.
  • Next time IE8 is launched you will be prompted to reapply settings again, this is normal.
Note: Any add-ons will need to be reapplied after the above reset.

Check Hard Disk For Errors:

Press Start->Run, then copy/paste the following command into the box and press OK:

cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"

A blank command window will open on your desktop, then close in a few minutes. This is normal.

A file icon named checkhd.txt should appear on your Desktop. Please post the contents of this file.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

How to use ComboFix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs <-- Click on this link.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activity and asks to reboot the system, please allow this to be done.

If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix should not be used unless requested by a forum helper.


When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and or problems encountered?
  • checkhd.txt
  • ComboFix Log.

#13 evolutionpill (Topic Starter, Member, 127 posts)

Hi

Wow, downloading ComboFix was a major issue, it simply would not download, but after about an hour and a half I got it. For some reason IE was slow, and using Yahoo was impossible (not sure if it was a problem with the site).

Once I installed it I ran it as per instruction; at some point a ComboFix blue window opened and stated it could not connect to my internet, try again. I clicked yes, it tried to open a Microsoft webpage but then said it could not, but continued to scan.

Also, not sure if this is important or not, my AVG (temporarily disabled for 15 min (maximum time allowed)) came back on about a minute before ComboFix [bleep] down my PC.

Thank you for investigating baidu I will remove it.


Quote
8.1 I still get a box opening stating Just-in-time debugging (new instance of Microsoft Script Editor)
8.2 I still get red x on IE so I downloaded Firefox (so I can see this website properly)

8.1 Has not appeared again
8.2 I still have the red x (if I was using IE I would not see ADD REPLY or PREVIEW POST but only a red x)


As for the rest of the PC, it's much better, just a few things I've noticed:

1. When I open an internet page, I get a strange line just below the tool bar and the top of the webpage - I have attached a pic of my screen shot (don't know how to incorporate it in the actual reply except as attachment)
2. I notice every folder I open has a thumb.db, is this normal? Did not notice it before
3. If I look in window/system32 I notice hundreds of files - is this normal? Many have the same name

thanks

Below ALL attachments this time :blush:

CHECKED HD

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
CHKDSK is verifying indexes (stage 2 of 3)...
CHKDSK is recovering lost files.
CHKDSK is verifying security descriptors (stage 3 of 3)...
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

20482843 KB total disk space.
11021360 KB in 32713 files.
15760 KB in 4372 indexes.
4 KB in bad sectors.
178067 KB in use by the system.
65536 KB occupied by the log file.
9267652 KB available on disk.

4096 bytes in each allocation unit.
5120710 total allocation units on disk.
2316913 allocation units available on disk.

COMBOFIX

ComboFix 12-07-04.03 - sfvb 04/07/2012 23:21:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.494.111 [GMT 8:00]
Running from: c:\documents and settings\sfvb\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\boost_interprocess\20120704070322.500000
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\sfvb\GoToAssistDownloadHelper.exe
c:\windows\Downloaded Program Files\655368
c:\windows\Downloaded Program Files\655368\SetupAx.dll
c:\windows\gsyspd.log
c:\windows\iun6002.exe
c:\windows\msgpi.log
c:\windows\syspd.log
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\2cc016583293fe41.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\de5b493a8c1ebfb0.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\Cache\f67790186a573aef.fb
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_USNJSVC
-------\Legacy_WINDRIVER
-------\Service_usnjsvc
-------\Service_WinDriver
.
.
((((((((((((((((((((((((( Files Created from 2012-06-04 to 2012-07-04 )))))))))))))))))))))))))))))))
.
.
2012-07-04 02:24 . 2012-07-04 02:52 -------- d-----w- c:\documents and settings\sfvb\Application Data\TigerPlayer
2012-07-03 23:05 . 2012-07-04 13:30 -------- d-----w- C:\baidu player
2012-07-03 23:05 . 2012-07-03 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Baidu
2012-07-03 23:05 . 2012-07-03 23:05 -------- d-----w- c:\documents and settings\sfvb\Application Data\Baidu
2012-07-03 14:00 . 2012-07-03 14:00 -------- d-----w- c:\documents and settings\sfvb\Application Data\Malwarebytes
2012-07-03 13:59 . 2012-07-03 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-07-03 13:59 . 2012-07-03 13:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-03 13:59 . 2012-04-04 07:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 13:40 . 2012-07-03 13:40 -------- d-----w- C:\_OTL
2012-07-03 05:44 . 2012-07-03 05:45 -------- d-----w- c:\program files\ERUNT
2012-07-02 13:57 . 2012-07-02 13:57 -------- d-----w- c:\documents and settings\sfvb\Application Data\CometPlayer
2012-07-01 00:12 . 2012-07-01 00:12 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-07-01 00:12 . 2012-07-01 00:12 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-28 00:38 . 2012-07-01 10:12 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-06-28 00:38 . 2012-07-01 00:12 624608 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-06-28 00:38 . 2012-07-01 00:12 43488 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-06-28 00:38 . 2012-07-01 00:12 157608 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-06-28 00:38 . 2012-07-01 00:12 113120 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-06-17 02:02 . 2012-06-17 02:02 -------- d-----w- c:\documents and settings\LocalService\Application Data\Kingsoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-02 08:14 . 2010-12-02 07:54 43658352 ----a-w- c:\program files\DivXInstaller.exe
2010-12-02 07:12 . 2010-12-02 07:12 11873890 ----a-w- c:\program files\audacity-win-unicode-1.3.12.exe
2012-07-01 00:12 . 2011-04-28 16:59 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-03-15 1869152]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BaiduMEDIA"="c:\program files\Baidu\BaiduPlayer\1.14.0.132\BaiduPlayer.exe" [2012-07-02 2827728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-14 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-03-15 982880]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 08:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Baidu\\BaiduPlayer\\1.14.0.132\\BaiduP2PService.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Baidu\\BaiduPlayer\\bdupdate.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [11/07/2011 01:14 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [13/09/2011 06:30 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/10/2011 06:23 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/07/2011 01:14 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 06:25 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [15/03/2012 09:24 918880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [11/07/2011 01:14 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [11/07/2011 01:14 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [04/10/2011 06:21 16720]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [13/03/2010 11:54 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [13/03/2010 11:54 135664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [28/06/2012 08:38 113120]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 03:50]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 03:54]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 03:54]
.
2012-07-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-790525478-1677128483-1343024091-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 14:09]
.
2012-07-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-790525478-1677128483-1343024091-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 14:09]
.
2012-07-04 c:\windows\Tasks\WpsUpdateTask_sfvb.job
- c:\program files\Kingsoft\WPS Office Personal\office6\wpsupdate.exe [2012-04-24 08:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 114.64.255.146 219.141.136.10
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} - hxxps://site.cmbchina.com/download/CMBEdit.cab
FF - ProfilePath - c:\documents and settings\sfvb\Application Data\Mozilla\Firefox\Profiles\cuqo6fdj.default\
FF - prefs.js: browser.search.selectedEngine - Baidu Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gapg&hl=en
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Ba97c489d-dac3-45f6-9855-9d8888d33dbb%7D&mid=7a908b63de9ffc44c2b2dcfdbe7de637-42f7dce6a13349c0a677066975fc79271fcbfd97&ds=AVG&v=10.2.0.3&lang=en&pr=fr&d=2012-02-07%2011%3A48%3A24&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-Cool's_Codec_pack_4.12 - c:\windows\iun6002.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\sfvb\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-04 23:33
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1124)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(3776)
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\Baidu\BaiduPlayer\1.14.0.132\BaiduP2PService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-07-04 23:38:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-04 15:38
.
Pre-Run: 9,391,423,488 bytes free
Post-Run: 9,283,411,968 bytes free
.
- - End Of File - - 1BC49DFE4BE8837D462FCDF85B891258
  • 0

#14
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi. :)

My sincere apologies for the delay...

Wow, downloading ComboFix was a major issue, it simply would not download, but after about an hour and a half I got it. For some reason IE was slow, and using Yahoo was impossible (not sure if it was a problem with the site).

Possibly, though it could be due to a combination of malware and the ISP you are currently using, for example. The latter may just not like some of the tools I have been asking your good self to download.

Once I installed it I ran it as per instruction; at some point a ComboFix blue window opened and stated it could not connect to the internet, try again. I clicked yes, it tried to open a Microsoft webpage but then said it could not, but continued to scan.

Not good, as it was ComboFix attempting to download the requisite file so in turn the Recovery Console could be installed. Not to worry, we will employ a different methodology to do so.

Also not sure if this is important or not, my AVG (temporarily disabled for 15 min, the maximum time allowed) came back on about a minute before ComboFix [bleep] down my pc.

Not a problem, though if the need arises we can always temporarily fully uninstall then reinstall etc.

Thank you for investigating Baidu, I will remove it.

You're welcome, and aye, it would be prudent to do so.

When I open an internet page, I get a strange line just below the tool bar and the top of the webpage. I have attached a pic of my screen shot (don't know how to incorporate it in the actual reply except as an attachment).

No attachment added to your post I'm afraid.

I notice every folder I open has a Thumbs.db, is this normal? Did not notice it before.
If I look in windows/system32 I notice hundreds of files, is this normal? Many have the same name.

Not a problem either, when we actually get around to uninstalling ComboFix, all will be hidden again.

Router Advice:

If you are using a Router, it would be prudent now to actually perform a factory reset on that and apply a new admin password to ensure it is secure etc.

Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Install the Recovery Console with ComboFix:

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console installed...

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: Download/use the Windows XP Professional SP2 package.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix2.txt in your next reply.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • New Malwarebytes Anti-Malware Log.
  • New ComboFix Log.

  • 0

#15
evolutionpill

evolutionpill

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 127 posts
Hi Dakeyras

First, no need to apologise, I'm just thankful you and this website exist to assist us, and you guys give your time selflessly to help the public (you also have a life).

ok.

Done all you said, a few problems, and one major screw up (on my side).

1. Could not open the Microsoft site and download the recovery console, the site would not open, eventually took 15 min to half open the page (see attachment "odd Webpage line") but no download option.

2. Did ComboFix and it also tried to download the program at Microsoft, and same thing as last time (could not do it) but continued the scan (log included).

3. Will have a friend come over tonight to help me reset the router (I dare not touch that).

4. I've deleted Baidu but see some files still appear.

5. Attaching a Print screen.png and microsoft page1.jpg; the second page shows the Microsoft page, and also all the red x's I still get on IE.

The PC seems to be running well, the only problem is with the internet sites, especially IE (IE has become slow, red x's, using Yahoo or Google takes ages).

AND NOW FOR MY SCREW UP..... I've been using Firefox (because of the issue with IE), so when you recommended I update Firefox, the site also suggested that I update it and also update Java V7 update 5 (I remembered you mentioned something about being cautious about Java), so I downloaded it but did not run it until you said I should......but... then I uninstalled Firefox so I could run the new one (Firefox 13.1), but now when I try to run Firefox it wants to install in Chinese. I have downloaded different ones (English UK, English US, English South African) but every time I run it, it goes Chinese, so now I don't have Firefox and IE is not working properly.

Lastly, a few things I've noticed, not sure if it's important or not, or if it's a normal part of our processes...

In the C drive I cannot find ComboFix but have noticed a number of other folders/files such as Qoobox, Autoexec.bat, boot.ini, config.sys, io.sys, msdos.sys, ntdetect.com, ntldr.

MBAM LOG

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.06.03

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
sfvb :: SF2 [administrator]

06/07/2012 15:25:23
mbam-log-2012-07-06 (15-25-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210115
Time elapsed: 6 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Baidu (PUP.Baidu) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters|DhcpNameServer (Trojan.DNSChanger) -> Bad: (219.141.136.10) Good: () -> Quarantined and repaired successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E21A50FD-326F-46B7-90B0-CED202A1549F}|DhcpNameServer (Trojan.DNSChanger) -> Bad: (219.141.136.10) Good: () -> Quarantined and repaired successfully.

Folders Detected: 2
C:\Documents and Settings\All Users\Application Data\Baidu (PUP.Baidu) -> Quarantined and deleted successfully.
C:\Documents and Settings\sfvb\Application Data\Baidu (PUP.Baidu) -> Quarantined and deleted successfully.

Files Detected: 0
(No malicious items detected)

(end)
  • 0
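The MBAM log above names the second DHCP-supplied DNS server from the ComboFix log (219.141.136.10) as Trojan.DNSChanger, which is the reason behind the router reset advice earlier in the thread: a bad resolver handed out by DHCP points at the router, not only at the PC. As an added example that is not part of this thread or of either tool, a small Python triage script that pulls those values out of both log formats and cross-checks them; the log lines are copied from this thread, and the regular expressions are my own assumption about the two formats:

```python
import re

# Log lines copied from the ComboFix and Malwarebytes logs posted in this thread.
COMBOFIX_LINES = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
TCP: DhcpNameServer = 114.64.255.146 219.141.136.10
FF - prefs.js: browser.search.selectedEngine - Baidu Search
""".strip().splitlines()

MBAM_LINES = r"""
Registry Keys Detected: 1
HKLM\SOFTWARE\Baidu (PUP.Baidu) -> Quarantined and deleted successfully.
Registry Data Items Detected: 2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters|DhcpNameServer (Trojan.DNSChanger) -> Bad: (219.141.136.10) Good: () -> Quarantined and repaired successfully.
Files Detected: 0
(No malicious items detected)
""".strip().splitlines()

# Assumed shape of one MBAM detection line:
# "<item> (<family>) -> [Bad: (x) Good: (y) -> ]<action>."
MBAM_DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9_.]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)


def parse_mbam(lines):
    """Return one dict per detection line; count and summary lines are ignored."""
    detections = []
    for line in lines:
        m = MBAM_DETECTION_RE.match(line.strip())
        if m:
            detections.append(m.groupdict())
    return detections


def parse_combofix(lines):
    """Pull firewall state, DHCP-supplied DNS servers and the Firefox search engine."""
    info = {"firewall_enabled": None, "dhcp_name_servers": [], "ff_search_engine": None}
    for line in lines:
        line = line.strip()
        m = re.match(r'^"EnableFirewall"= (\d+)', line)
        if m:
            info["firewall_enabled"] = m.group(1) != "0"
        m = re.match(r"^TCP: DhcpNameServer = (.+)$", line)
        if m:
            info["dhcp_name_servers"] = m.group(1).split()
        m = re.match(r"^FF - prefs\.js: browser\.search\.selectedEngine - (.+)$", line)
        if m:
            info["ff_search_engine"] = m.group(1)
    return info


def triage(combofix_lines, mbam_lines):
    """Cross-check both logs and return a list of human-readable findings."""
    cf = parse_combofix(combofix_lines)
    detections = parse_mbam(mbam_lines)
    findings = []
    if cf["firewall_enabled"] is False:
        findings.append("Windows Firewall is disabled for the standard profile")
    # Map each value MBAM called "Bad" to the detection family that flagged it.
    bad_to_family = {d["bad"]: d["family"] for d in detections if d["bad"]}
    for ns in cf["dhcp_name_servers"]:
        if ns in bad_to_family:
            # The resolver came from DHCP, so the DHCP server (usually the router)
            # is the place to check, not just the PC's own settings.
            findings.append(
                f"DHCP-supplied DNS server {ns} was flagged as {bad_to_family[ns]}; "
                "check the device acting as DHCP server (usually the router)"
            )
    for d in detections:
        findings.append(f"{d['family']}: {d['item']} -> {d['action']}")
    return findings


if __name__ == "__main__":
    for finding in triage(COMBOFIX_LINES, MBAM_LINES):
        print("-", finding)
```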





