Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Arestocrat Virus Help!


  • Please log in to reply

#16
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Ok starting that process now.
  • 0

Advertisements


#17
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32\\""|"C:\WINDOWS\system32\wbem\fastprox.dll" /E : value set successfully!

OTL by OldTimer - Version 3.2.69.0 log created on 04192013_195630
  • 0

#18
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
OTL logfile created on: 4/19/2013 7:59:20 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Admin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.63 Gb Available Physical Memory | 80.93% Memory free
5.09 Gb Paging File | 4.57 Gb Available in Paging File | 89.81% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.90 Gb Total Space | 120.62 Gb Free Space | 81.01% Space Free | Partition Type: NTFS
Drive D: | 236.06 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 30.44 Gb Total Space | 30.43 Gb Free Space | 99.98% Space Free | Partition Type: FAT32

Computer Name: DEDEA | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/04/18 14:48:06 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
PRC - [2013/04/16 16:37:15 | 000,181,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/12/19 07:38:57 | 000,044,280 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
PRC - [2009/03/01 18:09:38 | 001,810,432 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
PRC - [2009/03/01 18:09:22 | 000,077,824 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
PRC - [2009/02/20 09:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2009/02/06 20:10:16 | 001,095,456 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
PRC - [2009/01/19 15:54:16 | 000,667,648 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
PRC - [2009/01/16 16:41:02 | 000,656,696 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
PRC - [2009/01/16 15:46:22 | 000,015,360 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
PRC - [2009/01/14 10:23:50 | 000,991,232 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
PRC - [2008/12/22 12:15:44 | 000,145,408 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
PRC - [2008/12/11 19:53:40 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/09/29 08:07:00 | 000,143,088 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2008/09/29 08:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2008/09/29 08:07:00 | 000,067,904 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2008/09/29 08:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2008/09/29 08:07:00 | 000,026,672 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2008/09/29 08:07:00 | 000,019,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/14 04:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2008/03/14 04:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2008/03/14 04:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2008/03/14 04:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe


========== Modules (No Company Name) ==========

MOD - [2013/02/13 18:30:57 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7ee03714420b252415b952d40ef59e4\System.ServiceProcess.ni.dll
MOD - [2013/02/13 18:30:29 | 012,433,920 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ba12e418b906593b7c9c18f971f36bf9\System.Windows.Forms.ni.dll
MOD - [2013/02/13 18:29:36 | 000,372,736 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2013/01/10 10:08:35 | 000,998,400 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\1a6f9e23985e3159e6dd9827fd81c2fd\System.Management.ni.dll
MOD - [2013/01/10 10:04:30 | 001,593,856 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\7782f356a838c403b4a8e9c80df5a577\System.Drawing.ni.dll
MOD - [2013/01/10 10:03:33 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll
MOD - [2013/01/10 10:03:26 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\96b7a0136e9e72e8f4eb0230c20766d2\System.Configuration.ni.dll
MOD - [2013/01/10 10:02:40 | 007,977,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll
MOD - [2013/01/10 10:02:12 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll
MOD - [2009/04/30 03:37:13 | 000,036,864 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Status Lib\1.6.206.39627__f25c74fcad379103\Status Lib.dll
MOD - [2009/04/30 03:37:13 | 000,013,824 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\SecurityDeviceInfoSetReg\1.6.206.39641__3a60a70419922317\SecurityDeviceInfoSetReg.dll
MOD - [2009/04/30 03:37:13 | 000,008,192 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\StatusInterfaces\1.6.206.39627__4ca2a925deedf37d\StatusInterfaces.dll
MOD - [2008/12/22 12:13:54 | 000,249,856 | ---- | M] () -- C:\WINDOWS\system32\wxvault.dll
MOD - [2008/12/11 15:51:36 | 000,010,752 | ---- | M] () -- C:\WINDOWS\system32\Wavx_ESC_Logging.dll
MOD - [2008/11/12 13:24:40 | 000,004,608 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\TspPopup_ENU.dll
MOD - [2008/03/14 04:00:00 | 000,057,344 | ---- | M] () -- C:\Program Files\McAfee\Common Framework\boost_thread-vc71-mt-1_32.dll
MOD - [2005/08/22 15:38:16 | 003,264,512 | ---- | M] () -- C:\Program Files\McAfee\Common Framework\cryptocme2.dll


========== Services (SafeList) ==========

SRV - [2013/04/16 16:37:15 | 000,181,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2013/04/16 09:41:03 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/03/13 12:36:18 | 000,253,656 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2009/04/30 03:49:57 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/03/01 18:09:22 | 000,077,824 | ---- | M] (Smith Micro Software, Inc.) [Auto | Running] -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe -- (SMManager)
SRV - [2009/02/20 09:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2009/01/14 10:23:50 | 000,991,232 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe -- (TdmService)
SRV - [2008/12/12 09:54:00 | 000,638,976 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)
SRV - [2008/12/11 19:53:40 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
SRV - [2008/11/12 13:25:48 | 001,273,856 | ---- | M] () [Auto | Stopped] -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2008/09/29 08:07:00 | 000,143,088 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2008/09/29 08:07:00 | 000,067,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2008/09/29 08:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2008/09/29 08:07:00 | 000,019,456 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe -- (McAfeeEngineService)
SRV - [2008/03/14 04:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\NvtSp50.sys -- (NvtSp50)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013/04/16 21:15:59 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/08/14 00:27:00 | 004,485,632 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/01/16 16:41:06 | 000,208,824 | ---- | M] (Wave Systems Corp.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\WavxDMgr.sys -- (WavxDMgr)
DRV - [2008/12/29 21:34:52 | 000,144,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress)
DRV - [2008/09/29 08:07:00 | 000,340,592 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2008/09/29 08:07:00 | 000,090,360 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2008/09/29 08:07:00 | 000,074,648 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2008/09/29 08:07:00 | 000,064,432 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2008/09/29 08:07:00 | 000,062,704 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2008/09/29 08:07:00 | 000,042,424 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/08/27 18:32:36 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI)
DRV - [2008/08/27 18:09:10 | 000,024,064 | ---- | M] (Sonic Focus, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfaudio.sys -- (SFAUDIO)
DRV - [2008/06/04 13:14:00 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PBADRV.sys -- (PBADRV)
DRV - [2008/05/23 16:54:38 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2007/07/23 15:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 15:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 15:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 15:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 15:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 15:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 15:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 15:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 14:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 14:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.msn.com/sphome.aspx
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USREL/1
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
IE - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/sphome.aspx
IE - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
IE - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://web.minorleag...ex.jsp?sid=t566
IE - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\..\SearchScopes,DefaultScope = {CA1EBC6F-CB92-48C7-A6F1-4A486FA2D3F0}
IE - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...&rlz=1I7ADFA_en
IE - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\..\SearchScopes\{CA1EBC6F-CB92-48C7-A6F1-4A486FA2D3F0}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/04/16 09:41:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/04/16 16:37:31 | 000,000,000 | ---D | M]

[2010/06/21 09:16:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Extensions
[2013/04/12 09:18:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\itof11p5.default\extensions
[2010/06/21 09:58:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\itof11p5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/04/14 08:00:00 | 000,004,830 | ---- | M] () (No name found) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\itof11p5.default\extensions\[email protected]
[2013/04/16 09:40:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/04/16 09:41:04 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/10/31 12:26:35 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2013/03/01 15:13:20 | 000,002,086 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2013/04/19 18:44:29 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [DellConnectionManager] C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe (Smith Micro Software, Inc.)
O4 - HKLM..\Run: [DellControlPoint] C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe (Dell Inc.)
O4 - HKLM..\Run: [EmbassySecurityCheck] C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [USCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe (Broadcom Corporation)
O4 - HKLM..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe (Wave Systems Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (Dell Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\S-1-5-21-2180549482-1438340568-3630162004-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Search - ?p=ZLxdm024YYUS File not found
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1242417711625 (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF}: NameServer = 65.32.1.65,65.32.1.70
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 17:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1999/02/12 13:00:00 | 000,000,027 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/04/19 19:56:03 | 000,354,299 | ---- | C] (Farbar) -- C:\Documents and Settings\Admin\Desktop\FSS.exe
[2013/04/19 19:02:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Desktop\OTL Logs
[2013/04/19 18:44:22 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/04/18 15:36:40 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
[2013/04/18 15:36:39 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Admin\Desktop\aswMBR.exe
[2013/04/16 16:38:44 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/04/16 16:38:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Application Data\Malwarebytes
[2013/04/16 16:38:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Local Settings\Application Data\Sun
[2013/04/16 16:37:39 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2013/04/16 15:53:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2013/04/16 15:48:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2013/04/16 09:40:55 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

========== Files - Modified Within 30 Days ==========

[2013/04/19 20:03:24 | 000,514,180 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/04/19 20:03:24 | 000,098,210 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/04/19 19:59:01 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\WavXMapDrive.bat
[2013/04/19 19:58:52 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/04/19 19:58:52 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/04/19 19:58:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/04/19 19:58:38 | 3487,133,696 | -HS- | M] () -- C:\hiberfil.sys
[2013/04/19 19:46:52 | 000,354,299 | ---- | M] (Farbar) -- C:\Documents and Settings\Admin\Desktop\FSS.exe
[2013/04/19 19:23:10 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/04/19 18:44:29 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2013/04/18 16:36:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/04/18 14:49:52 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Admin\Desktop\aswMBR.exe
[2013/04/18 14:48:28 | 000,816,128 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\RogueKiller.exe
[2013/04/18 14:48:06 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
[2013/04/16 21:15:59 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/04/16 16:04:26 | 000,001,833 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/04/16 16:00:37 | 002,250,054 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/04/16 16:00:23 | 000,350,795 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2013/04/16 15:53:22 | 000,001,815 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/04/16 15:02:14 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/04/11 08:50:44 | 000,268,600 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/04/10 17:03:37 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/04/04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2013/04/18 15:36:42 | 000,816,128 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\RogueKiller.exe
[2013/04/16 16:04:25 | 000,001,833 | ---- | C] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/04/16 16:00:37 | 002,250,054 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.bmp
[2013/04/16 16:00:21 | 000,350,795 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1.jpg
[2013/04/16 15:53:21 | 000,001,815 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2013/04/16 15:02:14 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/15 16:56:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2009/05/29 13:30:49 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\WavXMapDrive.bat

========== ZeroAccess Check ==========

[2008/04/25 17:34:35 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2009/03/02 19:04:03 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 08:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2009/04/30 03:37:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Broadcom
[2009/04/30 03:46:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Wave Systems Corp
[2009/04/30 03:20:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Windows Desktop Search
[2009/05/29 13:31:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Windows Search
[2009/04/30 03:37:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Broadcom
[2009/04/30 03:46:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
[2009/04/30 03:20:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2009/04/30 03:40:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AT&T
[2009/04/30 03:32:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
[2009/04/30 03:35:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
[2013/04/16 15:42:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DeDe Angelillis\Application Data\42e0800a-74cb-4973-afd7-36e4e3e1e60bad
[2009/04/30 03:37:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DeDe Angelillis\Application Data\Broadcom
[2013/04/16 15:42:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DeDe Angelillis\Application Data\Exebny
[2013/04/16 15:42:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DeDe Angelillis\Application Data\Ezniu
[2013/04/16 15:56:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DeDe Angelillis\Application Data\Qeser
[2013/02/08 10:38:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DeDe Angelillis\Application Data\W Photo Studio Viewer
[2009/04/30 03:46:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DeDe Angelillis\Application Data\Wave Systems Corp
[2009/04/30 03:20:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DeDe Angelillis\Application Data\Windows Desktop Search
[2009/05/12 17:14:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DeDe Angelillis\Application Data\Windows Search
[2009/04/30 03:37:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Broadcom
[2009/04/30 03:46:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Wave Systems Corp
[2009/04/30 03:20:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Windows Desktop Search

========== Purity Check ==========



< End of report >
  • 0

#19
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-04-19 20:11:22
-----------------------------
20:11:22.484 OS Version: Windows 5.1.2600 Service Pack 3
20:11:22.484 Number of processors: 4 586 0x170A
20:11:22.484 ComputerName: DEDEA UserName: Admin
20:11:23.234 Initialize success
20:18:36.296 AVAST engine defs: 13041901
20:19:42.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
20:19:42.671 Disk 0 Vendor: ST316081 4.AD Size: 152587MB BusType: 8
20:19:42.875 Disk 0 MBR read successfully
20:19:42.875 Disk 0 MBR scan
20:19:42.921 Disk 0 Windows VISTA default MBR code
20:19:42.921 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 109 MB offset 63
20:19:42.921 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 152476 MB offset 224910
20:19:42.937 Disk 0 scanning sectors +312496380
20:19:43.078 Disk 0 scanning C:\WINDOWS\system32\drivers
20:19:51.953 Service scanning
20:20:14.250 Modules scanning
20:20:18.468 Disk 0 trace - called modules:
20:20:18.484 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
20:20:19.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae0e8c8]
20:20:19.000 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0x8ae0f028]
20:20:19.656 AVAST engine scan C:\WINDOWS
20:20:30.781 AVAST engine scan C:\WINDOWS\system32
20:23:35.156 AVAST engine scan C:\WINDOWS\system32\drivers
20:23:46.546 AVAST engine scan C:\Documents and Settings\Admin
20:25:27.687 AVAST engine scan C:\Documents and Settings\All Users
20:26:20.750 Scan finished successfully
20:26:35.343 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Admin\Desktop\MBR.dat"
20:26:35.359 The log file has been saved successfully to "C:\Documents and Settings\Admin\Desktop\aswMBR.txt"
  • 0

#20
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Scan -- Date : 04/19/2013 20:30:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][Rans.Gendarm] HKUS\S-1-5-19_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\DeDe Angelillis\Application Data\Adobe\Adobe\wmgaaaizl.dll",DllRegisterServer) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-19_Classes[...]\Run : PowerDVD DX (rundll32 "C:\Documents and Settings\DeDe Angelillis\Local Settings\Application Data\Microsoft\PowerDVD DX\yzzitq.dll",DllCanUnloadNow) [x] -> FOUND
[RUN][Rans.Gendarm] HKUS\S-1-5-20_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\DeDe Angelillis\Application Data\Adobe\Adobe\wmgaaaizl.dll",DllRegisterServer) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-20_Classes[...]\Run : PowerDVD DX (rundll32 "C:\Documents and Settings\DeDe Angelillis\Local Settings\Application Data\Microsoft\PowerDVD DX\yzzitq.dll",DllCanUnloadNow) [x] -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : Rans.Gendarm ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

˙ž1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160815AS +++++
--- User ---
[MBR] 75386c285c9ff6677223cd277cb0e902
[BSP] 33011a5e6af84273cc2c64e92fc9f6b2 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 109 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 224910 | Size: 152476 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: PNY USB 2.0 FD USB Device +++++
--- User ---
[MBR] 1dbfae835883833d641466db3bbadbd3
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 38208 | Size: 31183 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_04192013_02d2030.txt >>
RKreport[1]_S_04192013_02d2030.txt
  • 0

#21
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Farbar Service Scanner Version: 14-04-2013
Ran by Admin (administrator) on 19-04-2013 at 20:32:19
Running from "C:\Documents and Settings\Admin\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open sharedaccess registry key. The service key does not exist.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) mfetdik(8) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
  • 0

#22
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Here are all of the scans you asked for. I will be leaving work soon tonight but will be back tomorrow around noon.

Edited by IVIRIVIAN, 19 April 2013 - 06:43 PM.

  • 0

#23
Crag_Hack

Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Hi Ivirivian. Your OTL and aswMBR logs are clean. Your RogueKiller log has a couple bads and there are a couple of services damaged by ZeroAccess that we need to repair. First we will create a system restore point and backup your registry. Please do the following:

Step 1

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [CREATERESTOREPOINT]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Then post the produced log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)

Step 2

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing so follow the steps that are listed below EXACTLY. if you cannot perform some of these steps or if you have ANY questions please ask BEFORE proceeding.

Backing Up Your Registry
  • Download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Posted Image

Step 3

  • Download RogueKiller to the desktop
  • Quit all programs
  • Start RogueKiller.exe
  • Wait until Prescan has finished ...
  • Click on Scan. Click on Report and copy/paste the contents of the notepad window into your next post
  • In the Registry tab, uncheck the following lines :

    [DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> FOUND
    [DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> FOUND
    [DNS] HKLM\[...]\ControlSet003\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


    We want to get rid of these:
    [RUN][Rans.Gendarm] HKUS\S-1-5-19_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\DeDe Angelillis\Application Data\Adobe\Adobe\wmgaaaizl.dll",DllRegisterServer) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-19_Classes[...]\Run : PowerDVD DX (rundll32 "C:\Documents and Settings\DeDe Angelillis\Local Settings\Application Data\Microsoft\PowerDVD DX\yzzitq.dll",DllCanUnloadNow) [x] -> FOUND
    [RUN][Rans.Gendarm] HKUS\S-1-5-20_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\DeDe Angelillis\Application Data\Adobe\Adobe\wmgaaaizl.dll",DllRegisterServer) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-20_Classes[...]\Run : PowerDVD DX (rundll32 "C:\Documents and Settings\DeDe Angelillis\Local Settings\Application Data\Microsoft\PowerDVD DX\yzzitq.dll",DllCanUnloadNow) [x] -> FOUND

  • Click on Delete. Click on Report and copy/paste the contents of the notepad window into your next post

Step 4

Download this zip file,
Attached File  reg files.zip   2.89KB   100 downloads
extract its contents, then open each reg file and merge the contents into the registry.

  • run farbar service scanner

    Posted Image
  • Tick All options.
  • Press Scan.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Things to see in your next post:
OTL Fix log
RogueKiller log
FSS.txt

  • 0

#24
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
========== COMMANDS ==========
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 04202013_182816
  • 0

#25
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Remove -- Date : 04/20/2013 19:06:08
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][Rans.Gendarm] HKUS\S-1-5-19_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\DeDe Angelillis\Application Data\Adobe\Adobe\wmgaaaizl.dll",DllRegisterServer) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-19_Classes[...]\Run : PowerDVD DX (rundll32 "C:\Documents and Settings\DeDe Angelillis\Local Settings\Application Data\Microsoft\PowerDVD DX\yzzitq.dll",DllCanUnloadNow) [x] -> DELETED
[RUN][Rans.Gendarm] HKUS\S-1-5-20_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\DeDe Angelillis\Application Data\Adobe\Adobe\wmgaaaizl.dll",DllRegisterServer) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-20_Classes[...]\Run : PowerDVD DX (rundll32 "C:\Documents and Settings\DeDe Angelillis\Local Settings\Application Data\Microsoft\PowerDVD DX\yzzitq.dll",DllCanUnloadNow) [x] -> DELETED
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet003\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> NOT REMOVED, USE DNSFIX
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : Rans.Gendarm ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

˙ž1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160815AS +++++
--- User ---
[MBR] 75386c285c9ff6677223cd277cb0e902
[BSP] 33011a5e6af84273cc2c64e92fc9f6b2 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 109 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 224910 | Size: 152476 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: PNY USB 2.0 FD USB Device +++++
--- User ---
[MBR] 1dbfae835883833d641466db3bbadbd3
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 38208 | Size: 31183 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_D_04202013_02d1906.txt >>
RKreport[1]_D_04202013_02d1906.txt
  • 0

Advertisements


#26
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Scan -- Date : 04/20/2013 19:09:04
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

˙ž1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160815AS +++++
--- User ---
[MBR] 75386c285c9ff6677223cd277cb0e902
[BSP] 33011a5e6af84273cc2c64e92fc9f6b2 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 109 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 224910 | Size: 152476 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: PNY USB 2.0 FD USB Device +++++
--- User ---
[MBR] 1dbfae835883833d641466db3bbadbd3
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 38208 | Size: 31183 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_S_04202013_02d1909.txt >>
RKreport[1]_D_04202013_02d1906.txt ; RKreport[2]_S_04202013_02d1909.txt
  • 0

#27
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
I unchecked the registry files you told me to but it looks like they are still gone? Hope everything is good here.
  • 0

#28
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
I was only able to merge 2 out of the 4 registry files. I couldn't merge the LEGACY_SHAREDACCESS or the LEGACY_WSCSVC. Here is the FSS log.
  • 0

#29
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Farbar Service Scanner Version: 14-04-2013
Ran by Admin (administrator) on 20-04-2013 at 19:24:35
Running from "C:\Documents and Settings\Admin\Desktop"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) mfetdik(8) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
  • 0

#30
IVIRIVIAN

IVIRIVIAN

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
My bad I I didn't post this log from RK. I think this was from the first scan you asked for.

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Scan -- Date : 04/20/2013 18:47:57
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][Rans.Gendarm] HKUS\S-1-5-19_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\DeDe Angelillis\Application Data\Adobe\Adobe\wmgaaaizl.dll",DllRegisterServer) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-19_Classes[...]\Run : PowerDVD DX (rundll32 "C:\Documents and Settings\DeDe Angelillis\Local Settings\Application Data\Microsoft\PowerDVD DX\yzzitq.dll",DllCanUnloadNow) [x] -> FOUND
[RUN][Rans.Gendarm] HKUS\S-1-5-20_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\DeDe Angelillis\Application Data\Adobe\Adobe\wmgaaaizl.dll",DllRegisterServer) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-20_Classes[...]\Run : PowerDVD DX (rundll32 "C:\Documents and Settings\DeDe Angelillis\Local Settings\Application Data\Microsoft\PowerDVD DX\yzzitq.dll",DllCanUnloadNow) [x] -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> FOUND
[DNS] HKLM\[...]\ControlSet003\Services\Tcpip\Interfaces\{57B9B2AA-87B0-47E2-8A13-4CFAECB1D6CF} : NameServer (65.32.1.65,65.32.1.70) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Infection : Rans.Gendarm ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

˙ž1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160815AS +++++
--- User ---
[MBR] 75386c285c9ff6677223cd277cb0e902
[BSP] 33011a5e6af84273cc2c64e92fc9f6b2 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 109 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 224910 | Size: 152476 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: PNY USB 2.0 FD USB Device +++++
--- User ---
[MBR] 1dbfae835883833d641466db3bbadbd3
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 38208 | Size: 31183 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_04202013_02d1847.txt >>
RKreport[1]_S_04202013_02d1847.txt
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP