
Antivirus Pro 2010 removal [Solved]


#16 NeonFx (Malware Removal Dude, Expert, 3,798 posts)
I'm sorry to say this, but you're going to have to run the scan again. You want to make sure to do the following from my instructions above when the scan is over:

Make sure that everything is checked, and click Remove Selected.


That log says that "No Action was taken" on any of the items it found.

Edited by NeonFx, 23 September 2009 - 06:10 PM.

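The point of post #16 is that a Malwarebytes log can list every detection and still record that nothing was removed. The script below is an added example, not a Malwarebytes tool and not something posted in this thread: it parses a log in the layout of the MBAM 1.41 log posted later in the thread and reports every detection whose recorded action is anything other than "Quarantined and deleted successfully", and it cross-checks the summary counts against the lines actually listed so a truncated or edited log is noticed. The sample log is constructed (a few of the thread's own entries with their action strings changed), and the "No action taken" and "Delete on reboot" wording is assumed to match MBAM's own.

```python
"""Check a Malwarebytes' Anti-Malware 1.x log for detections that were found
but not actually remediated.  Added example; not Malwarebytes' own code."""
import re
from dataclasses import dataclass
from enum import Enum

# One detection line, e.g.
#   C:\WINDOWS\svchast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
# Registry data items carry an extra "Bad: (1) Good: (0) ->" segment before the
# action; the optional group skips over it so the last "->" names the action.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?:.+? -> )?(?P<action>.+?)\.?$"
)
# Summary line ("Files Infected: 24") and section header ("Files Infected:").
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")


class Outcome(Enum):
    REMEDIATED = "remediated"
    PENDING_REBOOT = "pending reboot"
    NOT_ACTIONED = "not actioned"
    UNKNOWN = "unknown"


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str

    @property
    def outcome(self) -> Outcome:
        # Action strings are assumed to follow MBAM's wording.
        a = self.action.lower()
        if a.startswith("quarantined and deleted"):
            return Outcome.REMEDIATED
        if "reboot" in a:
            return Outcome.PENDING_REBOOT
        if a.startswith("no action"):
            return Outcome.NOT_ACTIONED
        return Outcome.UNKNOWN


def parse_log(text: str):
    """Return (summary counts by section, list of Detection).  Detection lines
    are attributed to the most recent section header seen."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]
        elif section and (m := DETECTION_RE.match(line)):
            detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return summary, detections


def verify_log(text: str) -> dict:
    """Report what still needs attention: items with no action, items waiting
    on a reboot, and sections whose header count disagrees with the lines
    listed under it (a truncated or edited log)."""
    summary, detections = parse_log(text)
    per_section: dict = {}
    for d in detections:
        per_section[d.section] = per_section.get(d.section, 0) + 1
    mismatched = sorted(s for s, n in summary.items() if per_section.get(s, 0) != n)
    not_actioned = [d.item for d in detections if d.outcome is Outcome.NOT_ACTIONED]
    pending = [d.item for d in detections if d.outcome is Outcome.PENDING_REBOOT]
    unknown = [d.item for d in detections if d.outcome is Outcome.UNKNOWN]
    return {
        "total": len(detections),
        "not_actioned": not_actioned,
        "pending_reboot": pending,
        "count_mismatch": mismatched,
        "clean": not (not_actioned or pending or unknown or mismatched),
    }


# Constructed sample in the MBAM 1.41 layout; some actions deliberately differ
# from "Quarantined and deleted successfully" to exercise the checks.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2852

Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\QWProtect.dll (Rogue.AntiVirus1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\svchast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\UACxjlqpuwljb.sys (Trojan.TDSS.T) -> Delete on reboot.
"""

if __name__ == "__main__":
    for key, value in verify_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, `clean` comes back `False` with two items under `not_actioned` and one under `pending_reboot`; a log is only clean when every listed item is "Quarantined and deleted successfully", nothing is waiting on a reboot, and each section's header count matches the lines beneath it.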


#17 ledzuscany (Topic Starter, Member, 14 posts)
Sorry... Actually, I realized that I might need to do something yet with the Mbam results, so I didn't close the program.

Here are the new log files from mbam and otl, respectively:

Malwarebytes' Anti-Malware 1.41
Database version: 2852
Windows 5.1.2600 Service Pack 3

9/23/2009 8:29:38 PM
mbam-log-2009-09-23 (20-29-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 241596
Time elapsed: 1 hour(s), 1 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{051c9a06-fb08-486f-b09b-8b33b261637d} (Rogue.AntiVirus1) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{29256442-2c14-48ca-b756-3ee0f8bdc774} (Rogue.AntiVirus1) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\QWProtect.dll (Rogue.AntiVirus1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\awdym.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\gra\wsav.exe.vir (Rogue.GreenAV) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\gra\wsga05.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\User\XP Deluxe Protector\xpdeluxe.exe.vir (Rogue.XPDeluxe) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\htmlayout.dll.vir (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\Uninstall.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\wscui.cpl.vir (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Windows Antivirus Pro\tmp\dbsinit.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\svchast.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cru629.dat.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gdi32lib.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruidslajctv.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruiohbogrkr.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tajf83ikdmf.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tapi.nfo.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir (Rogue.HomeAntiVirus) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\hjgruionvvmkmf.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACxjlqpuwljb.sys.vir (Trojan.TDSS.T) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{18CF6FB8-8655-4EAC-BA74-A8B389CFA4D0}\RP1\A0000034.exe (Rogue.GreenAV) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{18CF6FB8-8655-4EAC-BA74-A8B389CFA4D0}\RP1\A0000035.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


======================================================

OTL logfile created on: 9/23/2009 8:33:53 PM - Run 4
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\User\Desktop\New Folder
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.48 Mb Total Physical Memory | 723.89 Mb Available Physical Memory | 70.80% Memory free
2.40 Gb Paging File | 2.25 Gb Available in Paging File | 93.46% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 12.88 Gb Free Space | 17.28% Space Free | Partition Type: NTFS
Drive D: | 579.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 5.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive H: | 983.02 Mb Total Space | 697.80 Mb Free Space | 70.99% Space Free | Partition Type: FAT
I: Drive not present or media not loaded
Drive M: | 148.73 Gb Total Space | 4.35 Gb Free Space | 2.92% Space Free | Partition Type: NTFS
Drive T: | 74.52 Gb Total Space | 12.96 Gb Free Space | 17.39% Space Free | Partition Type: NTFS

Computer Name: HOUSE
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2003/08/15 01:59:56 | 00,234,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2003/08/15 01:59:50 | 00,255,136 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/12/10 19:05:58 | 00,088,576 | ---- | M] (Sling Media Inc.) -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
PRC - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/02/06 06:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2003/08/15 01:59:48 | 00,070,816 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2007/10/10 20:51:56 | 00,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
PRC - [2008/09/03 19:03:13 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
PRC - [2008/04/13 20:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2009/09/22 15:01:04 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\New Folder\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/11/07 15:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2003/08/15 01:59:50 | 00,255,136 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
SRV - [2003/08/15 01:59:54 | 00,087,200 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
SRV - [2003/08/15 01:59:56 | 00,234,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/08/07 12:43:04 | 00,045,816 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/11/14 02:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/11/20 14:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2009/01/29 23:12:10 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Disabled | Stopped])
SRV - [2003/08/18 00:34:02 | 00,158,376 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\navapsvc.exe -- (navapsvc [On_Demand | Stopped])
SRV - [2006/11/10 20:18:02 | 00,774,144 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [Disabled | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/08/24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2003/08/10 01:26:24 | 00,193,816 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\SAVScan.exe -- (SAVScan [On_Demand | Stopped])
SRV - [2003/06/24 19:23:10 | 00,066,784 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe -- (SBService [Auto | Stopped])
SRV - [2008/12/10 19:05:58 | 00,088,576 | ---- | M] (Sling Media Inc.) -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe -- (SlingAgentService [Auto | Running])
SRV - [2005/01/21 23:32:12 | 00,206,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2007/10/18 12:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
SRV - [2007/10/25 16:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "file:///C:/Documents%20and%20Settings/All%20Users/Documents/home.htm"
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.4
FF - prefs.js..extensions.enabledItems: [email protected]:2.6.0
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:5.0.20090813W
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}:6.0.02
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {2BF8947D-73AF-42B1-AE19-7A963759694F}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.13


FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/29 23:12:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{2BF8947D-73AF-42B1-AE19-7A963759694F}: C:\Documents and Settings\User\Local Settings\Application Data\{2BF8947D-73AF-42B1-AE19-7A963759694F} [2009/04/19 19:13:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 03:00:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/12 07:59:06 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/18 03:00:49 | 00,000,000 | ---D | M]

[2008/09/03 18:53:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\mozilla\Extensions
[2008/09/03 18:53:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/04 16:38:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\mozilla\Firefox\Profiles\kp5kezxy.default\extensions
[2009/09/04 16:38:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\mozilla\Firefox\Profiles\kp5kezxy.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/02 17:01:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\mozilla\Firefox\Profiles\kp5kezxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/02/05 10:45:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\mozilla\Firefox\Profiles\kp5kezxy.default\extensions\{79fcaa13-5f29-4c33-aad7-6c48c175760a}(2)
[2009/02/11 16:29:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\mozilla\Firefox\Profiles\kp5kezxy.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/01/10 19:14:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\mozilla\Firefox\Profiles\kp5kezxy.default\extensions\[email protected]
[2009/08/31 11:30:45 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/12 07:59:05 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2007/11/25 21:38:45 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2007/11/26 12:50:03 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2009/08/12 07:59:01 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/12 07:59:01 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/06/18 03:43:04 | 00,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2009/01/29 23:10:14 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2008/10/08 17:30:44 | 00,284,248 | ---- | M] (Musicnotes, Inc.) -- C:\Program Files\mozilla firefox\plugins\npmusicn.dll
[2009/08/12 07:59:01 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2006/10/26 21:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2007/05/10 23:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/09/20 00:00:16 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/09/20 00:00:16 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/09/20 00:00:16 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/09/20 00:00:16 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/09/20 00:00:17 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/09/20 00:00:17 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/09/20 00:00:17 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2007/04/16 13:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
[2009/08/07 12:43:40 | 00,030,400 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\mozilla firefox\plugins\np_gp.dll
[2009/05/15 09:31:11 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/05/15 09:31:11 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/05/15 09:31:11 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/05/15 09:31:11 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/05/15 09:31:11 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/05/15 09:31:11 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/05/15 09:31:11 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\01234\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe (Symantec Corporation)
O4 - HKLM..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\SetRefresh.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [Symantec NetDriver Monitor] C:\Program Files\SymNetDrv\SNDMon.exe (Symantec Corporation)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe ()
O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\Motorola homesight™ Software.lnk = C:\Program Files\Motorola Homesight\mhm.exe (Motorola Inc)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: Add to Windows &Live Favorites - File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Open in new background tab - C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui (Microsoft Corporation)
O8 - Extra context menu item: Open in new foreground tab - C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1195959843546 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.238.0.12
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/24 22:51:16 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/08/04 08:00:00 | 00,000,110 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2007/02/12 15:53:42 | 00,000,277 | R--- | M] () - G:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[1 C:\*.tmp files]
[2009/09/23 17:27:54 | 00,000,587 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/23 17:27:50 | 00,000,000 | ---D | C] -- C:\Program Files\01234
[2009/09/23 17:15:42 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/09/23 07:46:42 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/09/23 07:46:33 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/09/23 07:46:26 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/09/23 07:45:01 | 00,000,000 | --SD | C] -- C:\Combo-Fix
[2009/09/23 07:43:28 | 00,002,962 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Document.rtf
[2009/09/22 22:02:02 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/09/22 20:14:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/09/22 20:13:31 | 00,000,410 | ---- | C] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2009/09/22 18:26:36 | 00,229,888 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/09/22 18:26:36 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/09/22 18:26:36 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/09/22 18:26:36 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/09/22 18:26:36 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/09/22 18:26:36 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/09/22 18:26:36 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/09/22 18:26:36 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/09/22 18:00:27 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/09/22 17:33:44 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/09/22 15:32:21 | 00,000,000 | ---D | C] -- C:\Program Files\123
[2009/09/22 14:59:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/09/22 14:59:00 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/09/22 14:58:58 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/09/22 14:31:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\New Folder
[2009/09/22 11:52:56 | 00,000,000 | ---D | C] -- C:\Program Files\Doug
[2009/09/11 13:39:29 | 00,043,062 | ---- | C] () -- A:\Documents\UserImages.bmp

========== Files - Modified Within 14 Days ==========

[1 C:\*.tmp files]
[2009/09/23 20:32:40 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/23 20:32:18 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/23 20:32:14 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/23 20:28:30 | 00,000,252 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/09/23 17:27:54 | 00,000,587 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/23 17:20:54 | 00,000,096 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/23 17:20:53 | 00,247,296 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/23 07:46:42 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/09/23 07:43:28 | 00,002,962 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Document.rtf
[2009/09/23 03:08:22 | 00,002,277 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Google Chrome.lnk
[2009/09/23 03:01:17 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/09/22 20:14:03 | 00,000,410 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2009/09/22 19:36:00 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/09/22 19:31:49 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/09/22 14:59:00 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/09/22 10:06:08 | 00,024,580 | -H-- | M] () -- A:\Documents\.DS_Store
[2009/09/14 02:12:36 | 00,229,888 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/09/11 13:39:29 | 00,043,062 | ---- | M] () -- A:\Documents\UserImages.bmp
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== LOP Check ==========

[2009/09/23 17:15:43 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/11/22 21:59:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/02/15 17:51:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2007/11/25 21:54:10 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2008/10/08 17:31:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes
[2009/08/18 06:00:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2008/11/20 10:04:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sling Media
[2009/02/15 17:51:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/11/25 20:09:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
[2009/09/22 19:28:08 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\User\Application Data
[2008/03/17 21:46:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\acccore
[2007/11/30 10:28:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Ahead
[2009/09/04 13:24:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Canon
[2007/12/18 12:50:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\DVDFab
[2008/09/04 13:36:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Elluminate
[2009/08/23 03:38:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\FrostWire
[2007/12/20 19:35:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\iScreensaver
[2009/07/21 18:18:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\LEGO Company
[2008/11/29 16:25:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\LimeWire
[2007/11/25 14:57:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Scooter Software
[2009/09/23 19:45:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\U3
[2008/12/31 16:15:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Unity
[2008/10/16 06:37:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\uTorrent
[2009/04/06 23:51:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Vso
[2007/12/03 18:36:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Wal-Mart Digital Photo Viewer
[2007/11/26 13:39:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Windows Desktop Search
[2007/11/24 23:53:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\WinPatrol
[2008/03/07 14:09:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\yoclient
[2009/09/23 20:28:30 | 00,000,252 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
[2003/03/31 10:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/09/23 20:32:18 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/09/22 20:14:03 | 00,000,410 | ---- | M] () -- C:\WINDOWS\Tasks\Symantec NetDetect.job

========== Purity Check ==========


< End of report >
  • 0

#18 NeonFx (Malware Removal Dude; Expert; 3,798 posts)
Excellent :) Let's do just one more thing to make absolutely sure your computer is clean. This can take a while but it's well worth it.

Do you still want to try reinstalling the drivers for the video card?

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other (removable) drives that you may have


After that click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back to the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected Virus\malware entries from the report (they will be at the very top, under Detected) in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


  • 0

#19 ledzuscany (Member; Topic Starter; 14 posts)
Hi Neonfx,

I've had Kaspersky running for almost 24 hours. My first check up on it indicated it would finish around 1:30 am local. I checked again before bed and it revised it to 6:30 am. The next time it said undetermined but was 99% done. Now I have a popup on the screen and I'm unsure if it's from Kaspersky or from a malware program that was triggered somehow. I've attached a screenshot.

Thanks, Doug

Posted Image
  • 0

#20 NeonFx (Malware Removal Dude; Expert; 3,798 posts)
That is part of Kaspersky's tool. I will need to update my canned speech as it seems the instructions are slightly off.
  • Place a checkmark in the "Apply to all" box and then click on the Disinfect button. If it cannot disinfect the file, select "Delete".
  • After that is done, click on the Reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop and copy and paste those results in your next reply.

Edited by NeonFx, 25 September 2009 - 02:01 PM.

  • 0

#21 ledzuscany (Member; Topic Starter; 14 posts)
Um, I hope I didn't mess up again, but when I got to one that couldn't be disinfected, I told it to delete and ticked "Apply to all", and it went through and deleted all the rest!

Here's the report:

Detected
--------
Status Object
------ ------
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.a File: C:\Documents\Downloads\Blindside - About A Burning Fire.mp3
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.n File: C:\Documents\Downloads\love like jonny june .mp3
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.c File: C:\Documents\Downloads\ska la la la la snowball fight.mp3
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.c File: C:\Documents\Downloads\the flaming lips be my head.mp3
disinfected: Trojan program Trojan-Downloader.WMA.GetCodec.n File: C:\Documents\Downloads\The Strange Familiar - Courage Is... .mp3
deleted: Trojan program Trojan.Win32.Pakes.bqb File: C:\Program Files\Norton AntiVirus\Quarantine\36DC3C6F//CryptFF
deleted: malware Hoax.Win32.Renos.vm File: C:\Program Files\Norton AntiVirus\Quarantine\4008465E//CryptFF
deleted: malware Hoax.Win32.Renos.vm File: C:\Program Files\Norton AntiVirus\Quarantine\400C705A//CryptFF
deleted: Trojan program Trojan-Downloader.Win32.Diehard.dc File: C:\Program Files\Norton AntiVirus\Quarantine\537310BC//CryptFF
deleted: Trojan program Trojan-Downloader.Win32.Diehard.di File: C:\Program Files\Norton AntiVirus\Quarantine\54B97754//CryptFF
deleted: malware Hoax.Win32.Renos.vm File: C:\Program Files\Norton AntiVirus\Quarantine\666A1FCF//CryptFF
deleted: Trojan program Trojan-Downloader.Win32.Agent.bqxc File: C:\Qoobox\Quarantine\[4]-Submit_2009-09-23_07.53.52.zip/alolb.exe
deleted: Trojan program Trojan.Win32.Agent.cnyk File: C:\Qoobox\Quarantine\[4]-Submit_2009-09-23_07.53.52.zip/bafumeri.exe
deleted: Trojan program Trojan.Win32.Agent.cnyk File: C:\Qoobox\Quarantine\[4]-Submit_2009-09-23_07.53.52.zip/dohutuge.exe
deleted: Trojan program Trojan.Win32.Agent.cnyk File: C:\Qoobox\Quarantine\[4]-Submit_2009-09-23_07.53.52.zip/hemewima.exe
deleted: new threat not-a-virus:FraudTool.Win32.SecurityCenter.bv File: C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\gra\gra.exe.vir
deleted: new threat not-a-virus:FraudTool.Win32.GreenAV.a File: C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\gra\mradll.exe.vir//data0003
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.wrgn File: C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir
deleted: Trojan program Trojan-Downloader.Win32.FraudLoad.wrgn File: C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir
deleted: Trojan program Trojan.HTML.Fraud.b File: C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.vir
deleted: Trojan program Trojan-Downloader.Win32.Agent.bqxc File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gebojele.dll.vir
deleted: Trojan program Trojan-Downloader.Win32.Agent.bqxc File: C:\Qoobox\Quarantine\C\WINDOWS\system32\mamapome.dll.vir
deleted: Trojan program Trojan-Downloader.Win32.Agent.bqxc File: C:\Qoobox\Quarantine\C\WINDOWS\system32\togemobo.dll.vir
deleted: Trojan program Packed.Win32.TDSS.y File: C:\Qoobox\Quarantine\C\WINDOWS\system32\UACabwtsnbaoy.dll.vir
deleted: new threat not-a-virus:FraudTool.Win32.SecurityCenter.bv File: C:\System Volume Information\_restore{18CF6FB8-8655-4EAC-BA74-A8B389CFA4D0}\RP1\A0000032.exe
deleted: new threat not-a-virus:FraudTool.Win32.GreenAV.a File: C:\System Volume Information\_restore{18CF6FB8-8655-4EAC-BA74-A8B389CFA4D0}\RP1\A0000033.exe//data0003
deleted: Trojan program Trojan-Spy.Win32.Agent.azof File: C:\WINDOWS\system32\ms32clod.dll
deleted: Trojan program Trojan.Win32.Agent.cnyk File: C:\_OTL\MovedFiles\09232009_171542\windows\system32\bafumeri.exe
deleted: Trojan program Trojan.Win32.Agent.cnyk File: C:\_OTL\MovedFiles\09232009_171542\windows\system32\dohutuge.exe
deleted: Trojan program Trojan.Win32.Agent.cnyk File: C:\_OTL\MovedFiles\09232009_171542\windows\system32\hemewima.exe
deleted: new threat not-a-virus:FraudTool.Win32.GreenAV.a File: C:\System Volume Information\_restore{18CF6FB8-8655-4EAC-BA74-A8B389CFA4D0}\RP1\A0000033.exe
  • 0

#22 NeonFx (Malware Removal Dude; Expert; 3,798 posts)
It's all good. How's your computer running now?
  • 0

#23 ledzuscany (Member; Topic Starter; 14 posts)
Hi!

It seems to be working fine, no issues so far. Of course, I thought it was working pretty well before the Kaspersky scan, and that turned up 31 malware issues!

I do have a question. One of the things we did in the process took away the pc's autorun for exe's on removable drives, e.g. my thumbdrive's U3 app so I can quit it quickly. Can you tell me how to get that functionality back? Would there be other functions that have been disabled that I can get back now, ones I'm not aware of?

Hopefully you can close the book on this. I appreciate all the help you've given and the patience you've displayed.

Next thing on my checklist: get this pc locked down with the recommended software to try and prevent a reinfection.

Thanks again,

Doug :)
  • 0

#24 NeonFx (Malware Removal Dude; Expert; 3,798 posts)
I'm glad to hear that :) The Kaspersky tool has been known, time and time again, to find things that we miss, so it's always a great tool to finish up with. In your case it actually only found a couple of files; the rest of them were either already in quarantine folders or in your System Restore backups.

The U3 program that makes it easier for you to unplug your USB devices requires that a Windows feature called Autorun be enabled, which we treat as a security risk. Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer.
Read Please disable Autorun asap! for more information.

Disabling autorun/autoplay does not prevent you from accessing your media sources. They are still available by opening My Computer and accessing the source drive (CD, DVD, usb/flash drive or external hard drive). Pictures on a camera can still be accessed through My Pictures and selecting "Get Pictures" from a scanner or camera. Media can also be accessed via the program you normally use it with such as music CDs accessed via Media Player, blank CDs via burning software, image handling software provided with the camera, etc. I strongly recommend you leave the autorun feature disabled and get into the habit of accessing your media devices manually.

The easiest way to safely unplug your USB device is to left-click on the icon that appears in your taskbar whenever you plug your USB device in, and select "Safely Remove USB Mass Storage device" from the list.

Let's clean up.

STEP 1

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



STEP 2
To clean up OldTimer's tools, along with a few others, do the following:

  • Run OTL.exe by double clicking on it
  • Click on the "CleanUp" button on the top.
  • You will be asked if you wish to reboot your system, select "Yes"


STEP 3

Remove any other tools or files we used by right-clicking on them or any folders they created, hold down the Shift key, and select "Delete" by clicking on it. This will delete the files without sending them to the RecycleBin.


All Clean

Congratulations! Your system is now clean. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates


Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlockList Pro's HOSTS Manager HERE

  • Double click the Installer on your desktop and let it Install the Hosts Manager
  • After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop)
  • When the Hosts Manager comes up, click the small down arrows on the right side of the bar labeled Options and Tools,
  • Click Disable DNS Service. This is important
  • In the Left Pane, click Download
  • It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save

You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.
If you have a third-party firewall or WinPatrol, you may have to give permissions at various times to unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it HERE
You can find information about how WinPatrol works HERE

Other Software Updates
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for Java and Adobe as these are subject to many security vulnerabilities.

Setting up Automatic Updates
So that it is not necessary to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this.

Read further information HERE on how to prevent Malware infections and keep yourself clean.
  • 0
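The post above explains why Autorun on removable drives is treated as a risk: when it is enabled, Windows reads an autorun.inf from the root of the inserted drive and may launch whatever program that file names. The following Python inspector is an added example, not a tool from this thread or from any product mentioned in it; it parses an autorun.inf (plain INI syntax with an [autorun] section) and reports which directives would cause a program to run. The two sample files and the file names inside them are constructed placeholders, not real indicators.

```python
"""Added example: what Windows Autorun reads from a removable drive's autorun.inf.

Parses the [autorun] section and lists the directives (open=, shellexecute=,
shell\\<verb>\\command=) that name a program to launch. A defender can run this
over the autorun.inf of a drive before deciding whether to trust it; with Autorun
disabled (as the thread recommends) none of these directives take effect.
"""
import configparser
from typing import Dict, List

# Constructed sample files. File names are placeholders, not real indicators.
BENIGN_AUTORUN = """\
[autorun]
icon=setup.exe,0
label=Vendor Disc
"""

SUSPICIOUS_AUTORUN = """\
[autorun]
; comment line, as often found in real files
open=RECYCLER\\example-payload.exe
shellexecute=example-payload.exe
icon=drive.ico
shell\\open\\command=example-payload.exe
"""

# Directives whose value is a program Autorun would execute on insertion.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section with lowercased keys.

    autorun.inf uses INI syntax, so configparser can read it once ';' comments and
    valueless keys are allowed. Malformed files or files without an [autorun]
    section yield an empty dict rather than raising.
    """
    cp = configparser.ConfigParser(
        interpolation=None,          # backslashes and '%' in paths are literal
        allow_no_value=True,
        inline_comment_prefixes=(";",),
        strict=False,                # tolerate duplicate keys, as Windows does
    )
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("autorun"):
        return {}
    return {k: (v or "").strip() for k, v in cp.items("autorun")}


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Programs that Autorun would run on insertion or when the drive icon is opened."""
    targets = [entries[k] for k in LAUNCH_KEYS if entries.get(k)]
    for key, value in entries.items():
        # shell\<verb>\command= adds context-menu verbs that also launch a program
        if key.startswith("shell\\") and key.endswith("\\command") and value:
            targets.append(value)
    return targets


def would_execute(text: str) -> bool:
    """True when this autorun.inf names at least one program to launch."""
    return bool(launch_targets(parse_autorun(text)))


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(f"{label}: would execute={would_execute(sample)} "
              f"targets={launch_targets(parse_autorun(sample))}")
```

The benign sample only sets a drive icon and label, so nothing would run; the suspicious sample carries three separate launch directives, which is the pattern the post warns about when it says infected drives "transfer the infection to your computer".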
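The HOSTS-file step above says the machine consults that file before contacting DNS, so an entry pointing a bad site at your own machine "short circuits" the connection. The Python below is an added example, not code from this thread or from the Hosts Manager it links to: it parses a HOSTS file in the standard format (address, whitespace, one or more hostnames, optional # comments), resolves a name the way the OS does (HOSTS first, DNS only when there is no entry), and lists which names a blocklist-style file neutralises. The sample file and its hostnames are constructed placeholders.

```python
"""Added example: how a HOSTS file short-circuits a name lookup.

A blocklist HOSTS file maps unwanted hostnames to the local machine (127.0.0.1)
or the null address (0.0.0.0), so the request never leaves the computer.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample HOSTS file; hostnames are placeholders, not real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       bad-example-ads.invalid   # blocklist entry
0.0.0.0         malware-download.example  www.malware-download.example
192.168.1.20    intranet-printer.local    # ordinary local mapping, not a block
"""

# Addresses a blocklist uses to send a request nowhere.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname (lowercased): address} for every valid HOSTS entry.

    Blank lines, comment-only lines and lines whose first field is not an IP
    address are ignored, which matches how the OS treats malformed lines.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower(), address)  # first entry for a name wins
    return table


def resolve(hostname: str, hosts: Dict[str, str]) -> Optional[str]:
    """Resolve like the OS: HOSTS first; None means 'fall through to DNS'."""
    return hosts.get(hostname.strip().rstrip(".").lower())


def is_blocked(hostname: str, hosts: Dict[str, str]) -> bool:
    """True when HOSTS redirects this name to a sinkhole address (localhost excluded)."""
    if hostname.strip().lower() == "localhost":
        return False
    return resolve(hostname, hosts) in SINKHOLE_ADDRESSES


def blocked_hostnames(hosts: Dict[str, str]) -> List[str]:
    """Every name the file short-circuits; handy for auditing a downloaded blocklist."""
    return sorted(name for name in hosts if is_blocked(name, hosts))


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("www.Malware-Download.example", "example.org", "localhost"):
        print(f"{name}: hosts -> {resolve(name, table)}, blocked={is_blocked(name, table)}")
    print("blocked entries:", blocked_hostnames(table))
```

Lookups are case-insensitive and ignore a trailing dot, as real resolvers do, and an entry for a name that is absent from the file returns None so the caller knows DNS would be consulted. Running `blocked_hostnames` over a freshly downloaded list is a quick sanity check that the Hosts Manager installed what you expected.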

#25 Essexboy (GeekU Moderator; Retired Staff; 69,964 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
