Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Google Redirection problem; tutorial didn't work [Closed]


  • This topic is locked This topic is locked

#1
ron26

ron26

    Member

  • Member
  • PipPipPip
  • 169 posts
Hello,

I'm having a browser search redirection issue. I use Firefox and when I click on something I've searched it takes me to an oddball site. The general functioning of my computer has been slow too since this bug occurred a few days ago.

I went through the Google Redirection tutorial and followed all of the steps. The scan didn't find anything. The only thing that seemed to change was that now sometimes the redirection, instead of just being a random, strange site is occasionally just the google.com page.

My operating system is Windows XP Pro Performance Edition.

I'll post the OTL logs next. Thank you for any assistance!

ron
  • 0

Advertisements


#2
ron26

ron26

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
OTL log:

OTL logfile created on: 12/12/2012 4:13:25 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Ron (the merciful)\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 10.03 Mb Available Physical Memory | 1.97% Memory free
1.22 Gb Paging File | 0.49 Gb Available in Paging File | 40.10% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.65 Gb Total Space | 50.54 Gb Free Space | 71.54% Space Free | Partition Type: NTFS

Computer Name: RUSSO-DESKTOP | User Name: Ron (the merciful) | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/12/12 16:03:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ron (the merciful)\My Documents\Downloads\OTL.exe
PRC - [2012/12/10 15:14:00 | 000,916,960 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/11/22 03:34:06 | 011,146,360 | ---- | M] (SugarSync, Inc.) -- C:\Program Files\SugarSync\SugarSyncManager.exe
PRC - [2012/09/24 07:57:48 | 000,161,768 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/09/21 15:12:00 | 000,331,776 | ---- | M] (LunarFrog.com) -- C:\Documents and Settings\Ron (the merciful)\Desktop\TaggedFrog_1.1\TaggedFrog.exe
PRC - [2012/08/26 23:21:12 | 026,924,984 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Ron (the merciful)\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/06/17 12:33:04 | 000,272,528 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe
PRC - [2010/09/27 10:58:24 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2009/04/17 18:01:32 | 000,929,792 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
PRC - [2008/04/13 22:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/12/15 02:07:44 | 000,176,128 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
PRC - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (No Company Name) ==========

MOD - [2012/12/12 11:35:00 | 014,586,296 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll
MOD - [2012/12/10 15:14:00 | 002,397,152 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2010/09/27 11:03:08 | 000,201,512 | ---- | M] () -- C:\WINDOWS\system32\vpnapi.dll
MOD - [2009/08/01 08:19:33 | 000,962,560 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\a4c5647e14a60542bdc6db025820565e\System.Configuration.ni.dll
MOD - [2009/08/01 08:16:09 | 005,640,192 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\1ae45140aef4a04f97a89e9de9a5a150\System.Xml.ni.dll
MOD - [2009/08/01 08:15:57 | 013,107,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ebb37c7195048f4db5fd159fe8a40b8e\System.Windows.Forms.ni.dll
MOD - [2009/08/01 08:15:31 | 001,626,112 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\e46253c941b1614fa7fb1936725a5029\System.Drawing.ni.dll
MOD - [2009/08/01 08:15:26 | 008,093,696 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\a1dc0e83bea70640a5173b104b3dd6c8\System.ni.dll
MOD - [2009/08/01 08:15:05 | 011,415,552 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\54365b3e4a73e1489c0e41df3600e683\mscorlib.ni.dll
MOD - [2009/04/03 15:32:10 | 000,110,592 | ---- | M] () -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\EnumDevLib.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2008/06/20 11:02:47 | 000,245,248 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2007/07/12 10:11:54 | 001,163,264 | ---- | M] () -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\acAuth.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/12/12 11:35:08 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/10 15:14:00 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/09/24 07:57:48 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/06/17 12:33:04 | 000,237,008 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.0.207\McCHSvc.exe -- (McComponentHostService)
SRV - [2010/11/30 23:42:12 | 000,036,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2010/09/27 10:58:24 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2010/09/09 21:46:59 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2010/11/30 23:42:14 | 000,026,112 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2010/09/27 10:56:00 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009/04/17 09:44:46 | 000,574,080 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2008/11/16 17:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/11/14 18:05:16 | 000,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2007/01/18 19:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2004/09/17 07:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.dailytao.org/"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/10 15:14:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/12/10 15:13:48 | 000,000,000 | ---D | M]

[2012/09/21 15:07:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ron (the merciful)\Application Data\Mozilla\Extensions
[2012/10/23 14:04:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ron (the merciful)\Application Data\Mozilla\Firefox\Profiles\qdu253mj.default\extensions
[2012/12/10 15:13:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/12/10 15:14:00 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2009/02/11 14:16:16 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\mozilla firefox\plugins\npbittorrent.dll
[2012/09/05 20:26:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/23 09:37:56 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/12/12 12:59:46 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe (HP)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKCU..\Run: [SugarSync] C:\Program Files\SugarSync\SugarSyncManager.exe (SugarSync, Inc.)
O4 - HKCU..\Run: [TaggedFrog] C:\Documents and Settings\Ron (the merciful)\Desktop\TaggedFrog_1.1\TaggedFrog.exe (LunarFrog.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\REALTEK 11n USB Wireless LAN Utility.lnk = C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico ()
O4 - Startup: C:\Documents and Settings\Ron (the merciful)\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Ron (the merciful)\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate...b?1348506400799 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Reg Error: Value error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7D114F58-451D-4319-BDEE-2E9108F2C8A0}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (C:\WINDOWS\SYSTEM32\RtlGina\RtlGina.DLL) - C:\WINDOWS\system32\RtlGina\RtlGina.dll (Realtek)
O24 - Desktop WallPaper: C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ron (the merciful)\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/01 22:43:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/12/12 13:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ron (the merciful)\Desktop\GooredFix Backups
[2012/12/12 12:59:08 | 000,000,000 | ---D | C] -- C:\_OTM
[2012/12/12 12:34:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/12/12 12:31:32 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/12/12 12:31:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/12/12 11:41:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ron (the merciful)\My Documents\Dissertation Files
[2012/12/11 16:39:04 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Ron (the merciful)\Recent
[2012/12/10 17:02:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Ron (the merciful)\IECompatCache
[2012/12/10 15:13:38 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/11/28 11:26:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Ron (the merciful)\PrivacIE
[2012/11/28 11:15:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ron (the merciful)\Desktop\HOTTness
[2012/11/19 13:31:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/11/19 09:52:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/11/19 09:51:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/11/17 11:45:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/11/17 11:44:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe

========== Files - Modified Within 30 Days ==========

[2012/12/12 16:13:13 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/12/12 16:09:43 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/12/12 16:09:41 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/12/12 16:09:15 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-484061587-1606980848-500UA.job
[2012/12/12 16:09:14 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-484061587-1606980848-500Core.job
[2012/12/12 15:33:10 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/12/12 14:06:51 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ron (the merciful)\Desktop\TDSSKiller.exe
[2012/12/12 13:55:26 | 000,398,114 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/12/12 13:55:26 | 000,061,016 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/12/12 13:53:45 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2012/12/12 13:50:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/12/12 13:50:40 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2012/12/12 12:31:34 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\NTREGOPT.lnk
[2012/12/12 12:31:34 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\ERUNT.lnk
[2012/12/11 15:56:08 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003 (2).lnk
[2012/12/11 09:35:53 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/12/07 09:12:09 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/12/06 16:12:39 | 000,000,534 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\Magic Briefcase.lnk
[2012/11/16 16:19:42 | 000,171,461 | ---- | M] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\wilt hugh arnold.jpg

========== Files Created - No Company Name ==========

[2012/12/12 12:31:34 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\NTREGOPT.lnk
[2012/12/12 12:31:34 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\ERUNT.lnk
[2012/12/07 09:12:15 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Start Menu\Programs\Windows Media Player.lnk
[2012/12/07 09:12:08 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/11/16 16:19:41 | 000,171,461 | ---- | C] () -- C:\Documents and Settings\Ron (the merciful)\Desktop\wilt hugh arnold.jpg
[2012/09/24 12:46:21 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/09/24 11:39:42 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/03/16 14:19:03 | 000,068,964 | ---- | C] () -- C:\WINDOWS\hpoins05.dat
[2011/03/16 14:19:03 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat

========== ZeroAccess Check ==========

[2012/11/17 11:38:45 | 000,002,048 | -HS- | M] () -- C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\@
[2012/11/17 11:38:45 | 000,028,672 | -HS- | M] () -- C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\n
[2012/12/06 10:28:05 | 000,000,000 | -HSD | M] -- C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\L
[2012/12/06 15:55:25 | 000,000,000 | -HSD | M] -- C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\U
[2012/12/12 13:51:19 | 000,000,804 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\L\[email protected]
[2012/11/17 11:39:09 | 000,002,048 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\U\[email protected]
[2012/11/17 11:39:30 | 000,232,960 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\U\[email protected]
[2012/11/17 11:39:09 | 000,001,632 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\U\[email protected]
[2012/11/17 11:39:09 | 000,011,776 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\U\[email protected]
[2012/12/06 15:55:25 | 000,091,136 | ---- | M] () -- C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\U\[email protected]
[2009/08/01 08:14:07 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
[2012/12/12 13:51:18 | 000,005,120 | -HS- | M] () -- C:\WINDOWS\assembly\GAC\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"ThreadingModel" = Both
"" = C:\RECYCLER\S-1-5-21-436374069-484061587-1606980848-1002\$ece80eef67e5086040826bd6ece4f7ca\n. -- File not found

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009/04/26 18:41:42 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\n. -- [2012/11/17 11:38:45 | 000,028,672 | -HS- | M] ()
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 22:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/07/11 09:31:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2012/09/21 15:12:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LunarFrog
[2009/08/06 01:29:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2009/08/06 01:05:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2011/06/12 09:23:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
[2009/07/02 15:39:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2012/12/12 13:54:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ron (the merciful)\Application Data\Dropbox

========== Purity Check ==========



< End of report >
  • 0

#3
ron26

ron26

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
OTL Extras logfile created on: 12/12/2012 4:13:25 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Ron (the merciful)\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 10.03 Mb Available Physical Memory | 1.97% Memory free
1.22 Gb Paging File | 0.49 Gb Available in Paging File | 40.10% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.65 Gb Total Space | 50.54 Gb Free Space | 71.54% Space Free | Partition Type: NTFS

Computer Name: RUSSO-DESKTOP | User Name: Ron (the merciful) | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k cd "%L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{0FF18B53-CA57-40BB-B562-21A27B662005}" = 1600
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1CE60928-8325-49A8-8B06-633E48DD2B67}" = Cisco Systems VPN Client 5.0.07.0410
"{224DEB1E-3DA2-4A5B-B3D1-2CB54C73EDD9}" = Reasonable NoClone 2007 Home
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 24
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 7
"{331F15D5-490D-4280-BDE6-5C0F295D8EE1}" = Rosetta Stone Homeschool
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4EF69D40-4DC9-485E-95D3-B1C22F218FC8}" = upapp
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}" = Roxio Media Manager
"{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}" = BlackBerry® Media Sync
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{75D6745B-2239-4182-A31F-F95CEBB35099}" = BlackBerry Desktop Software 4.2.2
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9C049499-055C-4a0c-A916-1D8CA1FF45EB}" = REALTEK 11n USB Wireless LAN Driver and Utility
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{A9F6CFB0-806D-11E0-8EA1-B8AC6F97B88E}" = Google Earth Plug-in
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB449D5A-7710-47aa-B9F5-352B877C90E6}" = 1600_Help
"{DFD30824-6BD0-34E1-ABE8-308AD3CBB9A0}" = Google Talk Plugin
"{E30E7561-A466-4393-B8BF-FD93E733EF3C}" = Microsoft Office Live Meeting 2007
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F4C6CC40-1142-49be-A28C-7BBD36F0B41A}" = 1600Trb
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Aspell English Dictionary_is1" = Aspell English Dictionary-0.50-2
"BBMediaSyncUninstall" = BlackBerry Media Sync
"BlackBerry_{75D6745B-2239-4182-A31F-F95CEBB35099}" = BlackBerry Desktop Software 4.2.2
"CmdOpen Shell Extension" = Open Command Prompt Shell Extension (x86-32)
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ERUNT_is1" = ERUNT 1.1j
"GNU Aspell_is1" = GNU Aspell 0.50-3
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"HashCheck Shell Extension" = HashCheck Shell Extension (x86-32)
"hp deskjet 5550 series" = hp deskjet 5550 series (Remove only)
"hp print screen utility" = hp print screen utility
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"iPowerHour_is1" = iPowerHour 3.01
"McAfee Security Scan" = McAfee Security Scan Plus
"Mendeley Desktop" = Mendeley Desktop 1.6
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"MiniRingtone_is1" = MiniRingtone 1.5
"Mozilla Firefox 17.0.1 (x86 en-US)" = Mozilla Firefox 17.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OpenVPN" = OpenVPN 2.2-beta5
"Pidgin" = Pidgin
"PROSet" = Intel® PRO Network Adapters and Drivers
"PuTTY_is1" = PuTTY version 0.62
"Search Toolbar" = Search Toolbar
"SugarSync" = SugarSync Manager
"WavePad" = WavePad Sound Editor
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XP Codec Pack" = XP Codec Pack

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 20 Event Log Errors ==========

[ System Events ]
Error - 12/11/2012 11:01:49 AM | Computer Name = RUSSO-DESKTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 12/11/2012 11:01:49 AM | Computer Name = RUSSO-DESKTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 12/11/2012 11:17:20 AM | Computer Name = RUSSO-DESKTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 12/11/2012 11:17:20 AM | Computer Name = RUSSO-DESKTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 12/11/2012 11:17:20 AM | Computer Name = RUSSO-DESKTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 12/11/2012 3:03:40 PM | Computer Name = RUSSO-DESKTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 12/11/2012 3:03:43 PM | Computer Name = RUSSO-DESKTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 12/11/2012 3:04:30 PM | Computer Name = RUSSO-DESKTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 12/11/2012 3:04:34 PM | Computer Name = RUSSO-DESKTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.

Error - 12/12/2012 12:53:49 PM | Computer Name = RUSSO-DESKTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.


< End of report >
  • 0

#4
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hello ron, :wave: Welcome to the forums!
:welcome:. My name is godawgs and I will be assisting you with your Virus / Malware issues.

I will start working on your Malware issues. This may, or may not, solve other issues you have with your machine. The fixes are specific to your problem and should only be used for this issue on this machine!

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.
If you have not, please adhere to the guidelines below and then carefully follow all future instructions:

You must reply to posts within four days. If you haven't replied within that time, the topic will be closed! If you need additional time to complete things, just let me know.
If you're not sure, or if something unexpected happens, Do NOT continue! Stop and ask!

This board can notify you when a new reply is added to a topic. Please read this topic to find out how to do that.

Please do not run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Do as the instructions ask, nothing extra. Do Not run things twice unless instructed.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • If I ask a Question just answer it, don't run anything unless directed to.
Please read every post completely before doing anything.
  • Pay special attention to the NOTE: lines, or anything in red. These entries identify an individual issue or important step in the cleanup process.
  • Please make sure you are saving and printing the instructions out prior to each fix, this way you will have them on hand just in case you are unable to access this site. Some of the steps I will be asking you to do may require you to boot into Safe Mode and this process will be much easier for you to perform if the instructions are printed out for you to follow.
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
Logs from malware diagnostic or removal programs (OTL is one of them) can take some time to analyze.
  • I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forum, (sometimes :lol: )
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
Lastly, Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. Some infections are so severe that we might encounter situations where the only recourse is to re-format and re-install your operating system. Don't worry, this only happens in severe cases, but, sadly, it does happen.
In light of this be prepared to back up your data. Have means of backing up your data available.


Unfortunately you have a variant of the zero access rootkit.

:alarm:
Warning: One or more of the identified infections on your computer is known to use a backdoor!
These are information stealing trojans installed on your computer.
Backdoor Trojans, IRCBots, keyloggers and Infostealers are very dangerous because they provide a way of accessing a computer system that bypasses security mechanisms and can steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

I would advise you to immediately disconnect this computer from the internet except when reading my posts, downloading the required tools and replying to this topic on this forum only.

If your computer was used for online banking, has credit card information or other sensitive data on it, I suggest you do the following:
  • All passwords should be changed to include those used for banking, email, eBay, Facebook ect; and forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If you use the infected computer, an attacker may get the new passwords and transaction information.
  • Banking and credit card institutions should be notified of the possible security breach.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.
Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.
  • 0

#5
ron26

ron26

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
Hi godawgs,

Thanks for getting back to me! I've printed the instructions out & also have another computer nearby so I can use that one and even save downloaded programs via there to a flash drive and run them on the infected computer. I'm going to disconnect it from the internet, as you suggested.

I'll also get to work on changing my passwords.

And, I had a virus a year or two ago and was helped by another "geek" so I'm confident in your support & while not a whiz, can at least follow instructions.

Thanks for your help, I'll wait for my next instructions.

ron
  • 0

#6
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi ron,

There are a couple of things I want to bring to your attention. The RAM on this computer is very low, even for Windows XP:

509.98 Mb Total Physical Memory | 10.03 Mb Available Physical Memory | 1.97% Memory free

We will address this after this machine is cleaned.

The OTL scan showed the following:

[ System Events ]
Error - 12/11/2012 11:01:49 AM | Computer Name = RUSSO-DESKTOP | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk1\D, has a bad block.


The malware could be the reason for this. If the bad block is still there after cleaning, we will look at that.

Last, but not least, I don't see an anti virus program running on the computer. We will address that once the main nasty is gone. If you do have an antivirus program running, please let me know what it is.

NOTE: I see that you have ERUNT on the computer. If you don't have it set up to automatically back the registry up I want you to run the program and back the registry up first thing, before any fixes are run.

Please download all of the files requested in each step to a flash drive on the good computer. Then transfer them to the desktop of the sick computer and run them from the desktop of the sick computer.


Step-1.

Malicious program uninstalls

1. Please click Start > Control Panel > Add/Remove Programs
2. In the list of programs installed, locate the following program(s):

Java™ 6 Update 24
Search Toolbar


3. Click on each program to highlight it and click Change/Remove.
4. After the programs have been uninstalled, close the Installed Programs window and the Control Panel.
5. Reboot the computer.

Delete the folders associated with the uninstalled programs.(Only do this if you uninstalled the program)

1. Using Windows Explorer (to get there right-click your Start button and click "Explore"), please delete the following folders(s) (if present):

C:\Program Files\Search Toolbar

2. Close Windows Explorer.


Step-2.

Posted Image OTL Fix

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

1. Please copy all of the text in the quote box below (Do Not copy the word Quote. To do this, highlight everything
inside the quote box (except the word Quote) , right click and click Copy.

:COMMANDS
[createrestorepoint]

:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
[2009/02/11 14:16:16 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\mozilla firefox\plugins\npbittorrent.dll
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Reg Error: Value error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)


:FILES
ipconfig /flushdns /c
C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca
C:\WINDOWS\assembly\GAC\Desktop.ini

:REG
[-HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = "%systemroot%\system32\wbem\fastprox.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = DWORD:0

:COMMANDS
[emptytemp]


Warning: This fix is relevant for this system and no other. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Please re-open Posted Image on your desktop.
3. Place the mouse pointer inside the Posted Image textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the Posted Image button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the Posted Image button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).


Step-3.

Posted Image Run ComboFix
***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications before downloading ComboFix. This is usually done via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

Download ComboFix from one of the following locations:

Link 1
Link 2

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Also allow the installation of the recovery console (XP only)

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If you recieve an error "Illegal operation attempted on a registry key that has been marked for deletion". Please restart the computer. That will cure it.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a forum helper


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Don't forget to reenable your Anti-Virus


Step-4.

Run aswMBR
  • Download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe file to run it. (Windows /7 users: Right click the file and click Run as Administrator. If you get a UAC window, allow the file to run.
  • If it asks you if you want to download the latest virus definitions, click Yes
  • Click the "Scan" button to start the scan
    Posted Image
  • On completion of the scan click save log. Save it to your desktop and post in your next reply.
    Posted Image
NOTE: When you run aswMBR, if it is shutdown automatically, then it is most likely the infection detecting that aswMBR is running and terminating it. In this situation you should rename executable to iexplore.exe and try it again.


Step-5

Run Farbar Service Scanner

Please download Farbar Service Scanner to the desktop.
Doubleclick the FSS.exe file to run it. (Vista and 7 users may need to right click the file and click Run as Administrator)
  • Posted Image
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Step-6.

Posted Image OTL Custom Scan

1. Please copy the text in the Quote box below, (Do Not copy the word Quote), and paste it in the Posted Image box in OTL. To do that:
  • Highlight everything inside the quote box, (except the word Quote), right click the mouse and click Copy.

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
qmgr.dll
services.*
consrv.dll
wshelper.dll
/md5stop
DRIVES
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
del c:\commands.txt^|y /hide /c
/wait
del c:\diskreport.txt^|y /hide /c


2. Re-open OTL on the desktop. To do that:
  • Double click on the Posted Image OTL icon to run it. (Vista / 7 Users:Right click on the icon and click Run as Administrator)
    Make sure all other windows are closed.
  • You will see a console like the one below:

    Posted Image
  • Check the box beside Scan All Users at the top of the console
  • DO NOT click the box beside Include 64bit Scans
  • Make sure the Output box at the top is set to Standard Output.
  • Place the mouse pointer inside thePosted Image box, right click and click Paste. This will put the above script inside OTL
  • Click the Posted Image button. Do not change any settings unless otherwise told to do so.
  • Let the scan run uninterrupted.
  • When the scan completes, it will open OTL.Txt. This file is also saved in the same location as OTL.
  • Please copy the contents of this file and paste it into your reply. To do that:
  • On the OTL.txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.
  • Right click inside the forum post window then click Paste. This will paste the contents of the OTL.txt file in the in the post window.

Step-7.

Things For Your Next Post:
Please post the logs in the order requested. Do Not attach the logs unless I request it.
1. The OTL fixes log
2. The ComboFix log
3. The aswMBR log
4. The FSS.txt log
5. The new OTL.txt log
6. How is the computer running now?
  • 0

#7
ron26

ron26

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Prefs.js: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24 removed from extensions.enabledItems
C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ deleted successfully.
C:\Program Files\Search Toolbar\SearchToolbar.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{9D425283-D487-4337-BAB6-AB8354A81457} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
File C:\Program Files\Search Toolbar\SearchToolbar.dll not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
E:\cmd.bat deleted successfully.
E:\cmd.txt deleted successfully.
C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\U folder moved successfully.
C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\L folder moved successfully.
Folder move failed. C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca scheduled to be moved on reboot.
C:\WINDOWS\assembly\GAC\Desktop.ini moved successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32\\"" | "%systemroot%\system32\wbem\fastprox.dll" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\\"DisableSR" | DWORD:0 /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 4496 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2659478998 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 76750 bytes

User: Ron (the merciful)
->Temp folder emptied: 86349856 bytes
->Temporary Internet Files folder emptied: 704072 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 5362749 bytes
->Google Chrome cache emptied: 34072009 bytes
->Flash cache emptied: 506 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 46879095 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 122902052 bytes

Total Files Cleaned = 2,819.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 12152012_140217

Files\Folders moved on Reboot...
C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca\U folder moved successfully.
C:\RECYCLER\S-1-5-18\$ece80eef67e5086040826bd6ece4f7ca folder moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0

#8
ron26

ron26

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
I ran ComboFix on the ill computer via a flash drive. Downloaded and saved it to the FD on the healthy computer.

I received the following message:
"This machine does not have Microsoft Windows Recovery console...words,words, words...click Yes to have ComboFix download/install it. This requires an active internet connection."

I unplugged the ill computer from the internet, as instructed.

I'm guessing I should click yes BUT as this is a serious program I wanted to ask before proceeding.

Please advise. I'll wait to hear back from you.

Thank you! Ron
  • 0

#9
ron26

ron26

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
And, of course, please advise if I should reconnect to the internet on the ill computer or if there is a way around this...
  • 0

#10
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Yep, that's my bad on the ComboFix.

OTL killed the main nasty. You can reconnect the sick computer back to the internet and then run ComboFix and let it install the Windows Recovery Console.

Then complete the rest of the steps and post the logs.

Thank you.
  • 0

Advertisements


#11
ron26

ron26

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
ComboFix 12-12-14.01 - Ron (the merciful) 12/15/2012 17:24:33.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.120 [GMT -5:00]
Running from: E:\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\_ctypes.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\_elementtree.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\_hashlib.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\_socket.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\_ssl.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\pyexpat.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\pysqlite2._sqlite.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\python26.dll
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\pythoncom26.dll
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\PyWinTypes26.dll
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\select.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\unicodedata.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\win32api.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\win32com.shell.shell.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\win32crypt.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\win32event.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\win32file.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\win32inet.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\win32pdh.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\win32process.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\win32profile.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\win32security.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\win32ts.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\windows._cacheinvalidation.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wx._controls_.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wx._core_.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wx._gdi_.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wx._html2.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wx._misc_.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wx._windows_.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wx._wizard.pyd
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wxbase293u_net_vc.dll
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wxbase293u_vc.dll
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wxmsw293u_adv_vc.dll
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wxmsw293u_core_vc.dll
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wxmsw293u_html_vc.dll
c:\docume~1\RON(TH~1\LOCALS~1\Temp\_MEI26682\wxmsw293u_webview_vc.dll
c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\_ctypes.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\_elementtree.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\_hashlib.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\_socket.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\_ssl.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\pyexpat.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\pysqlite2._sqlite.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\python26.dll
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\pythoncom26.dll
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\PyWinTypes26.dll
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\select.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\unicodedata.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\win32api.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\win32com.shell.shell.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\win32crypt.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\win32event.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\win32file.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\win32inet.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\win32pdh.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\win32process.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\win32profile.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\win32security.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\win32ts.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\windows._cacheinvalidation.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wx._controls_.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wx._core_.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wx._gdi_.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wx._html2.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wx._misc_.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wx._windows_.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wx._wizard.pyd
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wxbase293u_net_vc.dll
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wxbase293u_vc.dll
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wxmsw293u_adv_vc.dll
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wxmsw293u_core_vc.dll
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wxmsw293u_html_vc.dll
c:\documents and settings\Ron (the merciful)\Local Settings\Temp\_MEI26682\wxmsw293u_webview_vc.dll
C:\drvrtmp
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\system32\msconfig.exe
c:\windows\SYSTEM32\RtlGina\RtlGina.DLL
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-11-15 to 2012-12-15 )))))))))))))))))))))))))))))))
.
.
2012-12-15 22:41 . 2012-12-15 22:41 -------- d-----w- c:\windows\system32\xircom
2012-12-15 22:41 . 2012-12-15 22:41 -------- d-----w- c:\windows\system32\wbem\snmp
2012-12-15 22:41 . 2012-12-15 22:41 -------- d-----w- c:\windows\system32\oobe
2012-12-15 22:41 . 2012-12-15 22:41 -------- d-----w- c:\windows\srchasst
2012-12-15 22:41 . 2012-12-15 22:41 -------- d-----w- c:\windows\msagent
2012-12-15 22:41 . 2012-12-15 22:41 -------- d-----w- c:\program files\microsoft frontpage
2012-12-13 19:59 . 2012-12-13 20:37 -------- d-----w- c:\documents and settings\Ron (the merciful)\Application Data\BitTorrent
2012-12-13 14:57 . 2012-12-13 15:23 -------- d-----w- c:\documents and settings\Ron (the merciful)\Local Settings\Application Data\Google
2012-12-12 17:59 . 2012-12-12 17:59 -------- d-----w- C:\_OTM
2012-12-12 17:31 . 2012-12-12 17:32 -------- d-----w- c:\program files\ERUNT
2012-12-10 22:02 . 2012-12-10 22:02 -------- d-sh--w- c:\documents and settings\Ron (the merciful)\IECompatCache
2012-11-28 16:26 . 2012-11-28 16:26 -------- d-sh--w- c:\documents and settings\Ron (the merciful)\PrivacIE
2012-11-19 14:51 . 2012-11-19 14:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-12 16:35 . 2012-09-24 12:55 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-12 16:35 . 2011-05-15 15:20 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-24 12:57 . 2012-09-24 12:58 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-24 12:57 . 2012-09-24 12:59 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-24 12:57 . 2011-02-18 19:43 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-24 12:57 . 2010-11-12 15:02 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-24 12:33 . 2012-09-24 12:33 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-05-13 21:55 . 2012-12-10 20:13 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2012-12-10 20:13 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2012-12-10 20:14 . 2012-12-10 20:13 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-11-08 21:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-11-08 21:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-11-08 21:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-11-08 21:58 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-11-22 08:29 382072 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-11-22 08:29 382072 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-11-22 08:29 382072 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-11-22 08:29 382072 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-12-15 176128]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-03-26 228088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\Ron (the merciful)\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2012-7-2 26868192]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2012-7-2 26868192]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
REALTEK 11n USB Wireless LAN Utility.lnk - c:\program files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe [2012-9-24 929792]
VPN Client.lnk - c:\windows\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico [2012-7-2 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [9/24/2012 7:33 AM 574080]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.207\McCHSvc.exe [6/17/2011 12:33 PM 237008]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
*NewlyCreated* - HELPSVC
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc52b315-0951-11df-9eaf-001320354b33}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-24 16:35]
.
2012-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]
.
2012-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-18 21:00]
.
2012-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-18 21:00]
.
2012-12-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-484061587-1606980848-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-02 20:34]
.
2012-12-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-484061587-1606980848-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-02 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-15 17:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1412)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\program files\SugarSync\SugarSyncShellExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-12-15 17:47:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-15 22:47
.
Pre-Run: 53,301,174,272 bytes free
Post-Run: 53,197,619,200 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
.
- - End Of File - - 82B60E0F29CF3DF524934B120BD2FC69
  • 0

#12
ron26

ron26

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2012-12-15 18:05:18
-----------------------------
18:05:18.765 OS Version: Windows 5.1.2600 Service Pack 3
18:05:18.765 Number of processors: 1 586 0x401
18:05:18.765 ComputerName: RUSSO-DESKTOP UserName: Administrator
18:05:19.718 Initialize success
18:14:12.843 AVAST engine defs: 12121502
18:18:58.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:18:58.312 Disk 0 Vendor: Maxtor_6Y080L0 YAR41BW0 Size: 76293MB BusType: 3
18:18:58.328 Disk 0 MBR read successfully
18:18:58.328 Disk 0 MBR scan
18:19:00.171 Disk 0 Windows XP default MBR code
18:19:00.218 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
18:19:01.296 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 72347 MB offset 64260
18:19:02.015 Disk 0 Partition 3 00 DB CP/M / CTOS MSWIN4.1 3906 MB offset 148231755
18:19:02.515 Disk 0 scanning sectors +156232125
18:19:03.078 Disk 0 scanning C:\WINDOWS\system32\drivers
18:19:19.671 Service scanning
18:19:54.203 Modules scanning
18:20:14.906 Disk 0 trace - called modules:
18:20:15.421 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
18:20:15.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x823d8ab8]
18:20:15.421 3 CLASSPNP.SYS[f8577fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82345d98]
18:20:16.375 AVAST engine scan C:\WINDOWS
18:20:28.359 AVAST engine scan C:\WINDOWS\system32
18:22:27.234 File: C:\WINDOWS\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
18:22:49.500 AVAST engine scan C:\WINDOWS\system32\drivers
18:23:01.593 AVAST engine scan C:\Documents and Settings\Administrator
18:25:54.328 AVAST engine scan C:\Documents and Settings\All Users
18:34:28.171 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:34:28.187 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR log 12-15.txt"
  • 0

#13
ron26

ron26

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
Farbar Service Scanner Version: 10-12-2012
Ran by Administrator (administrator) on 15-12-2012 at 18:37:48
Running from "C:\Documents and Settings\Administrator\My Documents\Downloads"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

ATTENTION!=====> C:\WINDOWS\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(9) DNE(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000500000006000000070000000800000009000000
IpSec Tag value is correct.

**** End of log ****
  • 0

#14
ron26

ron26

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
OTL logfile created on: 12/15/2012 6:43:54 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = E:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 216.20 Mb Available Physical Memory | 42.39% Memory free
1.22 Gb Paging File | 0.84 Gb Available in Paging File | 68.90% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.65 Gb Total Space | 49.58 Gb Free Space | 70.17% Space Free | Partition Type: NTFS
Drive E: | 7.84 Gb Total Space | 6.94 Gb Free Space | 88.52% Space Free | Partition Type: FAT32

Computer Name: RUSSO-DESKTOP | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/12/15 13:49:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2012/12/10 15:14:00 | 000,916,960 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/07/02 20:21:38 | 026,868,192 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/06/17 12:33:04 | 000,272,528 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe
PRC - [2010/09/27 10:58:24 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2009/04/17 18:01:32 | 000,929,792 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
PRC - [2008/04/13 22:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/12/15 02:07:44 | 000,176,128 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
PRC - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (No Company Name) ==========

MOD - [2012/12/10 15:14:00 | 002,397,152 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2010/09/27 11:03:08 | 000,201,512 | ---- | M] () -- C:\WINDOWS\system32\vpnapi.dll
MOD - [2009/04/03 15:32:10 | 000,110,592 | ---- | M] () -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\EnumDevLib.dll
MOD - [2007/07/12 10:11:54 | 001,163,264 | ---- | M] () -- C:\Program Files\REALTEK\11n USB Wireless LAN Utility\acAuth.dll


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- %SYSTEMROOT%\system32\wscsvc.dll -- (wscsvc)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [Auto | Stopped] -- %SystemRoot%\System32\ersvc.dll -- (ERSvc)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\clipsrv.exe -- (ClipSrv)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\system32\cisvc.exe -- (CiSvc)
SRV - [2012/12/12 11:35:08 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/10 15:14:00 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2011/06/17 12:33:04 | 000,237,008 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.0.207\McCHSvc.exe -- (McComponentHostService)
SRV - [2010/11/30 23:42:12 | 000,036,352 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2010/09/27 10:58:24 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2010/09/09 21:46:59 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys -- (mbr)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Running] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
DRV - [2010/11/30 23:42:14 | 000,026,112 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2010/09/27 10:56:00 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009/04/17 09:44:46 | 000,574,080 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8192su.sys -- (RTL8192su)
DRV - [2008/11/16 17:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/11/14 18:05:16 | 000,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2007/01/18 19:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2004/09/17 07:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s

IE - HKU\S-1-5-21-436374069-484061587-1606980848-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/...UGO&form=ZGAPHP
IE - HKU\S-1-5-21-436374069-484061587-1606980848-500\Software\Microsoft\Internet Explorer\SearchURL\g, = http://www.google.com/search?q=%s
IE - HKU\S-1-5-21-436374069-484061587-1606980848-500\..\SearchScopes,DefaultScope = {F6066676-1EEB-BD50-8DCD-39409136EB4C}
IE - HKU\S-1-5-21-436374069-484061587-1606980848-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKU\S-1-5-21-436374069-484061587-1606980848-500\..\SearchScopes\{F6066676-1EEB-BD50-8DCD-39409136EB4C}: "URL" = http://www.bing.com/...UGO&form=ZGAIDF
IE - HKU\S-1-5-21-436374069-484061587-1606980848-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-436374069-484061587-1606980848-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.bing.com/...GO&form=ZGAPHP"
FF - prefs.js..extensions.enabledAddons: firecookie%40janodvarko.cz:1.4
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/10 15:14:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/12/10 15:13:48 | 000,000,000 | ---D | M]

[2009/07/02 19:14:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2012/12/15 18:08:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions
[2011/03/16 13:43:01 | 000,000,000 | ---D | M] (Search Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\[email protected]
[2012/12/15 18:08:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\trash
[2012/12/15 18:08:39 | 002,151,598 | ---- | M] () (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\[email protected]
[2012/10/16 00:34:35 | 000,138,214 | ---- | M] () (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\[email protected]
[2012/11/06 12:19:04 | 002,042,908 | ---- | M] () (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\extensions\trash\[email protected]
[2011/03/16 13:43:01 | 000,001,919 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wt3ptfy0.default\searchplugins\bing-zugo.xml
[2012/12/10 15:13:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/12/10 15:14:00 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/09/05 20:26:22 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/23 09:37:56 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://gmail.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://gmail.com/
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\21.0.1180.89\gcswf32.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.220.4 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U22 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: BitTorrent (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
CHR - plugin: DivX Player Netscape Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.2 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2012/12/15 17:41:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe (HP)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\REALTEK 11n USB Wireless LAN Utility.lnk = C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico ()
O4 - Startup: C:\Documents and Settings\Ron (the merciful)\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-436374069-484061587-1606980848-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-436374069-484061587-1606980848-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-436374069-484061587-1606980848-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKU\S-1-5-21-436374069-484061587-1606980848-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-21-436374069-484061587-1606980848-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-21-436374069-484061587-1606980848-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-21-436374069-484061587-1606980848-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
O7 - HKU\S-1-5-21-436374069-484061587-1606980848-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKU\S-1-5-21-436374069-484061587-1606980848-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-436374069-484061587-1606980848-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate...b?1348506400799 (WUWebControl Class)
O16 - DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7D114F58-451D-4319-BDEE-2E9108F2C8A0}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/01 22:43:35 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{dc52b315-0951-11df-9eaf-001320354b33}\Shell - "" = AutoRun
O33 - MountPoints2\{dc52b315-0951-11df-9eaf-001320354b33}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{dc52b315-0951-11df-9eaf-001320354b33}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/12/15 17:47:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/12/15 17:41:24 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
[2012/12/15 17:41:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\xircom
[2012/12/15 17:41:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\srchasst
[2012/12/15 17:41:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\oobe
[2012/12/15 17:41:23 | 000,000,000 | ---D | C] -- C:\Program Files\movie maker
[2012/12/15 17:41:22 | 000,000,000 | ---D | C] -- C:\Program Files\netmeeting
[2012/12/15 17:41:22 | 000,000,000 | ---D | C] -- C:\Program Files\msn gaming zone
[2012/12/15 17:41:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\msagent
[2012/12/15 17:41:22 | 000,000,000 | ---D | C] -- C:\Program Files\microsoft frontpage
[2012/12/15 17:41:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\inetsrv
[2012/12/15 17:11:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/12/15 17:05:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2012/12/15 14:30:15 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/12/15 14:30:15 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/12/15 14:30:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/12/15 14:30:15 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/12/15 14:30:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/12/15 14:30:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Administrative Tools
[2012/12/15 13:28:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2012/12/13 10:23:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Drive
[2012/12/13 10:05:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2012/12/12 12:59:08 | 000,000,000 | ---D | C] -- C:\_OTM
[2012/12/12 12:34:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/12/12 12:31:32 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/12/12 12:31:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/12/10 15:13:38 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/11/19 13:31:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/11/19 09:52:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/11/19 09:51:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/11/17 11:45:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/11/17 11:44:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe

========== Files - Modified Within 30 Days ==========

[2012/12/15 18:34:28 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2012/12/15 18:33:10 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/12/15 18:09:03 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/12/15 18:09:02 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-484061587-1606980848-500UA.job
[2012/12/15 17:46:13 | 000,398,114 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/12/15 17:46:13 | 000,061,016 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/12/15 17:42:44 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2012/12/15 17:41:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/12/15 17:41:40 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/12/15 17:41:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/12/15 17:41:14 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2012/12/15 17:12:05 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/12/14 16:09:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-484061587-1606980848-500Core.job
[2012/12/14 14:07:47 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/12/14 10:13:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/12/12 11:35:03 | 000,697,272 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/12/12 11:35:02 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl

========== Files Created - No Company Name ==========

[2012/12/15 18:34:28 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2012/12/15 17:12:05 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/12/15 17:12:03 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/12/15 14:30:15 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/12/15 14:30:15 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/12/15 14:30:15 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/12/15 14:30:15 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/12/15 14:30:15 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/09/24 12:46:21 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/09/24 11:39:42 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012/07/02 16:48:41 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PUTTY.RND
[2011/03/20 08:46:32 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2011/03/16 14:19:03 | 000,068,964 | ---- | C] () -- C:\WINDOWS\hpoins05.dat
[2011/03/16 14:19:03 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat
[2010/05/02 20:09:54 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\Administrator\pool.bin

========== ZeroAccess Check ==========

[2009/08/01 08:14:07 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
[2012/12/15 13:44:25 | 000,005,120 | ---- | M] () -- C:\WINDOWS\assembly\GAC\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009/04/26 18:41:42 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/26 18:41:31 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 22:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2008/04/13 22:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 22:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe

< MD5 for: QMGR.DLL >
[2008/04/13 22:42:04 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\ERDNT\cache\qmgr.dll
[2008/04/13 22:42:04 | 000,409,088 | ---- | M] (Microsoft Corporation) MD5=574738F61FCA2935F5265DC4E5691314 -- C:\WINDOWS\system32\qmgr.dll

< MD5 for: SERVICES >
[2001/08/23 07:00:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS\system32\drivers\etc\services

< MD5 for: SERVICES.CFG >
[2012/07/27 15:51:34 | 000,586,083 | ---- | M] () MD5=6DE4EA437EC1FE6DB27CADB0A7EA8DC2 -- C:\Program Files\Adobe\Reader 10.0\Reader\Services\Services.cfg
[2011/06/06 11:55:30 | 000,584,045 | R--- | M] () MD5=B82DD53FA8C260DDD7FDC42182DB816E -- C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\services.cfg

< MD5 for: SERVICES.EXE >
[2009/04/26 18:41:42 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\ERDNT\cache\services.exe
[2009/04/26 18:41:42 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe

< MD5 for: SERVICES.LNK >
[2009/07/01 22:43:41 | 000,001,602 | ---- | M] () MD5=8366A22400457465AB45FA3C8A47CB84 -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk

< MD5 for: SERVICES.MSC >
[2001/08/23 07:00:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS\system32\services.msc

< MD5 for: SVCHOST.EXE >
[2008/04/13 22:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/13 22:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/13 22:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/13 22:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008/04/13 22:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 22:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< MD5 for: WINSOCK.DLL >
[2001/08/23 07:00:00 | 000,002,864 | ---- | M] (Microsoft Corporation) MD5=68485C5EF0E2EFCEBF21BBB1042B823B -- C:\WINDOWS\system32\winsock.dll

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed\thard disk media
Interface type: IDE
Media Type: Fixed\thard disk media
Model: Maxtor 6Y080L0
Partitions: 3
Status: OK
Status Info: 0

Drive: \\\\.\\PHYSICALDRIVE1 - Removable media other than\tfloppy
Interface type: USB
Media Type: Removable media other than\tfloppy
Model: Generic Flash Disk USB Device
Partitions: 1
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 31.00MB
Starting Offset: 32256
Hidden sectors: 0


DeviceID: Disk #0, Partition #1
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 71.00GB
Starting Offset: 32901120
Hidden sectors: 0


DeviceID: Disk #0, Partition #2
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 4.00GB
Starting Offset: 75894658560
Hidden sectors: 0


DeviceID: Disk #1, Partition #0
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 8.00GB
Starting Offset: 4194304
Hidden sectors: 0


< type c:\diskreport.txt /c >
Microsoft DiskPart version 5.1.3565
Copyright © 1999-2003 Microsoft Corporation.
On computer: RUSSO-DESKTOP
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 D DVD-ROM 0 B
Volume 1 C NTFS Partition 71 GB Healthy System
Volume 2 E FAT32 Removeable 8040 MB

< End of report >
  • 0

#15
ron26

ron26

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
Hi godawgs,

I think I followed the steps you've outlined and posted all of the requested logs. Please let me know if I did not.

I've done a search and then clicked the link in both Google Chrome and Mozilla Firefox. I was NOT redirected to any wacky sites, as had been the case. That was how I knew something was wrong.

So, from my untrained viewpoint, the problem seems to be fixed.

Thank you for all of your help and support. It is getting late on Saturday evening here and I think I'll stop the computer fixing for the night but I'll be around all day tomorrow, Sunday.

I'll check back tomorrow morning to see if you've replied and what I need to do next. Oh, and I know it might take some time to review all those logs so I'll be patient. Should I unplug the computer from the internet again until things are fully solved?

Thank you & I hope you are having a pleasant Saturday!

ron

Edited by ron26, 15 December 2012 - 06:26 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP