
Email hacked, possible malware on system [Solved]


  • This topic is locked

#1
Cycloman

    New Member

  • Member
  • 8 posts
Hi, today, I received emails & phone calls from my 3 different friends, each one warning me that my email address was sending out malicious SPAM mail to them (and others):

On Wed, Mar 3, 2010 at 6:57 AM, Gordon wrote (I'm Gordon):

Hello,
So amazing! I ordered one black apple iphone 3gs 32gb from this website www.savyou.com one weeks ago, today I've got it. Far from my imagination, it's genuine and as good as I expected, but much cheaper. I can't help sharing this good news with you! May all goes well for you. Cheers!
Gordon

Fearing that my system had been compromised, I went to Geeks To Go! for help. I followed the steps in the "Malware and Spyware Cleaning Guide", up until step #4 (Rootkit detection), and after three attempts, I have been completely unable to run the gmer.exe application. The first time I ran it, the application never loaded and I got the standard Windows "gmer.exe has encountered an error and needs to close" error message, and after I closed it, my system IMMEDIATELY reset itself. The 2nd and 3rd times I tried to run gmer.exe, the application would actually start, some type of scanning would appear to be occurring with the program, but within 1 min, I'd get the same Windows error message immediately followed by my system resetting itself immediately after I closed the error message.

Because of my problems with running gmer.exe (the fact that it crashes and then my PC resets immediately when I try to run it), I am now very certain there is something wrong with my PC. I obviously cannot post a gmer.exe log, since the application will not run for me, but I have posted the MBAM and OTL (OTL.txt and Extras.txt files) logs below.

Thank you very much for any help you can give.
Gordon

MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3823
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

03/03/2010 9:48:20 PM
mbam-log-2010-03-03 (21-48-20).txt

Scan type: Quick Scan
Objects scanned: 139965
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\loaderx.installer.1 (Adware.Winad) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227d9c-0efe-4f8a-aa55-30386a3f5686} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6f7d-442c-93e3-4a4827c2e4c8} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2e9d4c81-9f27-4c14-b804-7b0f6bc88a4f} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3fdd654-a057-4971-9844-4ed8e67dbbb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AllFileSystemObjects\shellex\ContextMenuHandlers\UCSecureDelete (Rogue.Ultimate.Cleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\UCSecureDelete (Rogue.Ultimate.Cleaner) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\adp (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (%1 %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Media Pass (Adware.Winad) -> Quarantined and deleted successfully.
C:\WINDOWS\PerfInfo (Rogue.WinPerformance) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Media Pass\Info.txt (Adware.Winad) -> Quarantined and deleted successfully.
C:\Program Files\ICQToolbar\tbu63\toolbaru.dll (Trojan.BHO) -> Delete on reboot.


OTL logs:
OTL.txt:

OTL logfile created on: 03/03/2010 10:16:03 PM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Duy Vuong\Desktop\Spyware removal
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

479.00 Mb Total Physical Memory | 104.00 Mb Available Physical Memory | 22.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 0.59 Gb Free Space | 0.79% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 480.69 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GORDON
Current User Name: Duy Vuong
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/03 22:14:50 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Duy Vuong\Desktop\Spyware removal\OTL.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/11 04:25:42 | 006,731,312 | ---- | M] (GRISOFT s.r.o.) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
PRC - [2007/05/30 07:31:10 | 000,312,880 | ---- | M] (GRISOFT s.r.o.) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
PRC - [2007/05/18 08:49:46 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/02/27 11:39:26 | 001,310,720 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2006/08/31 19:33:02 | 000,115,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
PRC - [2005/01/07 13:12:31 | 000,817,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
PRC - [2005/01/03 11:40:42 | 000,854,528 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\incdsrv.exe
PRC - [2004/12/13 18:30:10 | 000,165,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
PRC - [2004/12/13 18:30:04 | 000,198,256 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
PRC - [2004/12/13 18:30:00 | 000,058,992 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
PRC - [2004/11/11 18:53:03 | 000,016,448 | ---- | M] (ewido networks) -- C:\Program Files\ewido\security suite\ewidoctrl.exe
PRC - [2004/08/18 12:44:56 | 000,046,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
PRC - [2004/08/18 12:44:36 | 000,176,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\navapsvc.exe
PRC - [2004/04/21 10:26:28 | 000,086,016 | ---- | M] (Cyberlink, Corp.) -- C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe


========== Modules (SafeList) ==========

MOD - [2010/03/03 22:14:50 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Duy Vuong\Desktop\Spyware removal\OTL.exe
MOD - [2010/03/03 22:09:42 | 000,102,912 | ---- | M] () -- C:\Program Files\TrojanHunter 4.2\THSec.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (PnkBstrA)
SRV - [2007/05/30 07:31:10 | 000,312,880 | ---- | M] (GRISOFT s.r.o.) [Auto | Running] -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe -- (AVG Anti-Spyware Guard)
SRV - [2007/01/19 11:54:14 | 000,097,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2005/07/19 12:37:52 | 000,163,904 | ---- | M] (ewido networks) [Disabled | Stopped] -- C:\Program Files\ewido\security suite\ewidoguard.exe -- (ewido security suite guard)
SRV - [2005/01/07 13:12:31 | 000,817,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2005/01/03 11:40:42 | 000,854,528 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\incdsrv.exe -- (InCDsrv)
SRV - [2004/12/13 18:30:10 | 000,165,488 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2004/12/13 18:30:08 | 000,079,472 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2004/12/13 18:30:04 | 000,198,256 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2004/11/11 18:53:03 | 000,016,448 | ---- | M] (ewido networks) [Auto | Running] -- C:\Program Files\ewido\security suite\ewidoctrl.exe -- (ewido security suite control)
SRV - [2004/10/15 19:24:42 | 000,206,048 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2004/08/18 12:44:56 | 000,046,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe -- (NPFMntor)
SRV - [2004/08/18 12:44:36 | 000,176,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton AntiVirus\navapsvc.exe -- (navapsvc)
SRV - [2004/08/18 10:45:02 | 000,066,688 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe -- (SBService)
SRV - [2004/07/24 00:47:22 | 000,197,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Norton AntiVirus\SAVScan.exe -- (SAVScan)
SRV - [2004/07/21 21:24:04 | 000,173,160 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu63\toolbaru.dll File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Netscape 7.2\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2007/02/14 01:04:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.2\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2009/01/08 00:31:24 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2007/12/26 20:04:33 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (ST) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (MSNToolBandBHO) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll (Microsoft Corporation)
O2 - BHO: (CNavExtBho Class) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (ICQ Toolbar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu63\toolbaru.dll File not found
O3 - HKLM\..\Toolbar: (MSN) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (ICQ Toolbar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu63\toolbaru.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (MSN) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [!AVG Anti-Spyware] C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (GRISOFT s.r.o.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [RegistryMechanic] File not found
O4 - HKLM..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe (Mischel Internet Security)
O4 - HKCU..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe (IGN Entertainment)
O4 - HKCU..\Run: [PowerBar] C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe (Cyberlink, Corp.)
O4 - HKCU..\Run: [Sonic RecordNow!] File not found
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0
O8 - Extra context menu item: &ICQ Toolbar Search - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (ICQ Ltd.)
O9 - Extra 'Tools' menuitem : ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (ICQ Ltd.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} http://zone.msn.com/...eb.1.0.0.17.cab (CPlayFirstChocolatieControl Object)
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} http://zone.msn.com/...nx.1.0.0.87.cab (CPlayFirstTriJinxControl Object)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplane...C_2.3.9.113.cab (CDownloadCtrl Object)
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} http://zone.msn.com/...pcaploader1.cab (PopCapLoaderCtrl Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://zone.msn.com/...mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoft...free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} http://zone.msn.com/...undLauncher.cab (AstoundLauncher Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} http://zone.msn.com/...inematycoon.cab (TikGames Online Control)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/...ploader_v10.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINDOWS\System32\wzcdlg.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {54D9498B-CF93-414F-8984-8CE7FDE0D391} - C:\Program Files\ewido\security suite\shellhook.dll ()
O28 - HKLM ShellExecuteHooks: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {9EF34FF2-3396-4527-9D27-04C8C1C67806} - C:\Program Files\Microsoft AntiSpyware\shellextension.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/05/18 13:54:20 | 000,061,440 | R--- | M] () - F:\autoplay.exe -- [ CDFS ]
O32 - AutoRun File - [2003/02/12 02:01:48 | 000,000,050 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\Shell - "" = AutoRun
O33 - MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\Shell - "" = AutoRun
O33 - MountPoints2\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/11/20 00:23:22 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/03/03 21:05:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Duy Vuong\Application Data\Malwarebytes
[2010/03/03 21:05:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/03 21:05:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/03 21:05:48 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/03 21:05:48 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/03 21:03:39 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/03/03 18:35:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Duy Vuong\Desktop\Spyware removal
[2008/09/16 19:23:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/02/08 20:49:13 | 000,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2005/02/08 20:49:13 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[2005/01/07 13:29:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2004/10/27 18:18:17 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2004/10/27 18:18:16 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2004/10/27 18:18:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2 C:\Documents and Settings\Duy Vuong\My Documents\*.tmp files -> C:\Documents and Settings\Duy Vuong\My Documents\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/03 22:10:55 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/03 22:09:05 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/03 22:08:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/03 22:08:51 | 502,845,440 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/03 22:08:09 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\Duy Vuong\NTUSER.DAT
[2010/03/03 21:50:30 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Duy Vuong\ntuser.ini
[2010/03/03 21:05:54 | 000,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/03 19:08:28 | 000,000,372 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2 C:\Documents and Settings\Duy Vuong\My Documents\*.tmp files -> C:\Documents and Settings\Duy Vuong\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/03 21:05:54 | 000,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2007/10/28 14:37:35 | 000,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2006/09/20 15:03:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/04/04 03:15:36 | 000,000,049 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2006/04/04 03:15:11 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2006/04/04 01:48:46 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2006/04/04 01:48:45 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2005/09/19 18:01:53 | 000,049,540 | ---- | C] () -- C:\WINDOWS\rxvcrt.dll
[2005/08/09 19:00:06 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2005/08/06 16:45:25 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2005/08/03 05:40:16 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2005/08/02 23:20:51 | 000,000,679 | ---- | C] () -- C:\WINDOWS\TSC.ini
[2005/04/25 12:13:46 | 000,000,363 | ---- | C] () -- C:\WINDOWS\ubber60.ini
[2005/03/30 23:58:59 | 000,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2005/03/14 20:02:41 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2005/02/24 11:56:45 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2005/02/08 21:30:46 | 000,007,552 | ---- | C] () -- C:\WINDOWS\System32\drivers\enodpl.sys
[2005/02/08 21:30:44 | 000,004,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\tandpl.sys
[2005/01/30 19:53:53 | 000,000,045 | ---- | C] () -- C:\WINDOWS\DCJGENLI.ini
[2005/01/16 11:49:50 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2005/01/16 11:47:48 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2005/01/10 16:51:53 | 000,000,061 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/01/07 15:04:59 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/01/07 14:33:09 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2005/01/07 14:01:36 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/01/07 13:03:22 | 000,171,008 | ---- | C] () -- C:\Documents and Settings\Duy Vuong\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/11/18 17:56:53 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/11/17 16:25:55 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\ntiembed.dll
[2004/11/17 16:25:31 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2004/11/17 16:23:02 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2004/11/17 16:23:02 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK32.dll
[2004/10/29 14:14:57 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2004/10/27 18:54:31 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\property.dll
[2004/10/27 18:26:23 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2004/08/22 17:04:56 | 000,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2004/08/10 16:52:10 | 000,001,230 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/09/30 21:52:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2002/12/05 16:51:00 | 000,059,392 | R--- | C] () -- C:\WINDOWS\streamhlp.dll
[2001/12/26 19:12:30 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/04 02:46:38 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 19:33:56 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/24 01:04:36 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[1999/07/23 12:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 09:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll

========== LOP Check ==========

[2007/12/26 20:10:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2005/10/15 01:34:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2006/04/04 14:25:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2006/08/29 13:47:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2009/04/09 21:02:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2005/08/01 10:32:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\wsxs
[2009/05/31 12:48:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Duy Vuong\Application Data\.BitTornado
[2007/12/26 20:11:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Duy Vuong\Application Data\Grisoft
[2007/01/01 03:40:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Duy Vuong\Application Data\ICQ Toolbar
[2006/01/06 08:17:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Duy Vuong\Application Data\ICQLite
[2005/01/07 14:39:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Duy Vuong\Application Data\InterTrust
[2006/04/04 03:15:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Duy Vuong\Application Data\pdf995
[2006/08/29 13:47:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Duy Vuong\Application Data\PlayFirst
[2006/04/11 14:04:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Duy Vuong\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/16 18:50:03 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2008/09/16 18:50:03 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 22:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/16 18:50:03 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008/09/16 18:50:03 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/01/05 05:00:20 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2010/01/05 05:00:21 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/10/27 11:08:33 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/10/27 11:08:33 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/10/27 11:08:33 | 000,872,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >


Extras.txt:

OTL Extras logfile created on: 03/03/2010 10:16:03 PM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Duy Vuong\Desktop\Spyware removal
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

479.00 Mb Total Physical Memory | 104.00 Mb Available Physical Memory | 22.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 0.59 Gb Free Space | 0.79% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 480.69 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GORDON
Current User Name: Duy Vuong
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTornado\btdownloadgui.exe" = C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui -- ()
"C:\Program Files\Warcraft III\Warcraft III.exe" = C:\Program Files\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III -- File not found
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = Google Gmail Notifier
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Multimedia Launcher
"{228F6876-A313-40A3-91C0-C3CBE6997D09}" = Symantec
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}" = Internet Worm Protection
"{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}" = SymNet
"{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}" = Norton AntiVirus Help
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}" = DAEMON Tools
"{49672EC2-171B-47B4-8CE7-50D7806360D7}" = Windows Live Sign-in Assistant
"{536F7C74-844B-4683-B0C5-EA39E19A6FE3}" = Microsoft AntiSpyware
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7169B8E4-2632-46B1-AA5F-167CB5FE5029}" = Symantec Network Drivers Update
"{77772678-817F-4401-9301-ED1D01A8DA56}" = SPBBC
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{93884E34-FD8F-46A9-A4D4-402868A5D51F}_is1" = CopyToDVD
"{93E68360-948C-4980-8E13-EF881161FC96}" = NTI CD-Maker Gold Update
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{C6F5B6CF-609C-428E-876F-CA83176C021B}" = Norton AntiVirus 2005
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}" = Norton AntiVirus SYMLT MSI
"{D327AFC9-7BAA-473A-8319-6EB7A0D40138}" = Symantec Script Blocking Installer
"{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}" = ccCommon
"{E5EE9939-259F-4DE2-8023-5C49E16A4F43}" = Norton AntiVirus Parent MSI
"{EFCE5837-FC21-11D6-9D24-00010240CE95}" = Java 2 Runtime Environment, SE v1.4.1_02
"{F64306A5-4C32-41bb-B153-53986527FAB4}" = Norton WMI Update
"AC3Filter" = AC3Filter (remove only)
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Ad-Aware SE Professional" = Ad-Aware SE Professional
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AnalogX MaxMem" = AnalogX MaxMem
"ATMA V" = ATMA V 5.05
"AVGAntiSpyware75" = AVG Anti-Spyware 7.5
"BitTornado" = BitTornado 0.3.9
"BSPlayer1" = BSPlayer
"CCleaner" = CCleaner (remove only)
"CleanUp!" = CleanUp!
"CoreVorbis Audio Decoder" = CoreVorbis Audio Decoder (remove only)
"Dangerous Mines Lite" = Dangerous Mines Lite
"Diablo II" = Diablo II
"DMVLite" = DMVlite
"DVD X Rescue" = DVD X Rescue
"ERUNT_is1" = ERUNT 1.1j
"ewidosecuritysuite" = ewido security suite
"ffdshow" = ffdshow
"FLAC" = FLAC Installer 1.1.2a (remove only)
"FLV Player" = FLV Player 2.0 (build 25)
"GSpot" = GSpot Codec Information Appliance
"HijackThis" = HijackThis 2.0.2
"ICQLite" = ICQ 5
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IGN Download Manager" = IGN Download Manager 2.1.1
"InCD!UninstallKey" = InCD
"Indeo® Software" = Indeo® Software
"InstallShield_{93E68360-948C-4980-8E13-EF881161FC96}" = NTI CD-Maker Gold
"Java Web Start" = Java Web Start
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 2.5 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"mIRC" = mIRC
"MSN Toolbar" = MSN Toolbar
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Netscape (7.2)" = Netscape (7.2)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Panda ActiveScan" = Panda ActiveScan
"Pdf995" = Pdf995
"QuickTime" = QuickTime
"RealAlt_is1" = Real Alternative 1.39
"Registry Mechanic_is1" = Registry Mechanic 5.0
"SiSLan" = SiS 900 PCI Fast Ethernet Adapter Driver
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"SymSetup.{C6F5B6CF-609C-428E-876F-CA83176C021B}" = Norton AntiVirus 2005 (Symantec Corporation)
"System Requirements Lab" = System Requirements Lab
"TK3 Reader" = TK3 Reader
"ToolbarICQToolbar.ICQToolbarObjectIEToolbar" = ICQ Toolbar
"TorrentStorm" = TorrentStorm
"TrojanHunter_is1" = TrojanHunter 4.2
"VLC media player" = VideoLAN VLC media player 0.8.5
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"X-Com UFO Defense" = X-Com UFO Defense
"XviD_is1" = XviD MPEG-4 Video Codec

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"burst" = burst! v3.1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/02/2009 10:57:26 PM | Computer Name = GORDON | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16762, faulting
module mshtml.dll, version 7.0.6000.16788, fault address 0x0019340e.

Error - 02/04/2009 12:05:42 AM | Computer Name = GORDON | Source = Application Error | ID = 1000
Description = Faulting application ccapp.exe, version 103.0.3.8, faulting module
ntdll.dll, version 5.1.2600.5512, fault address 0x000109f9.

Error - 07/04/2009 10:07:53 PM | Computer Name = GORDON | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 10.0.6850.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 19/04/2009 3:50:23 PM | Computer Name = GORDON | Source = Application Hang | ID = 1002
Description = Hanging application msnmsgr.exe, version 8.1.178.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 22/04/2009 5:45:03 PM | Computer Name = GORDON | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16827, faulting
module flash10b.ocx, version 10.0.22.87, fault address 0x00077650.

Error - 24/04/2009 10:41:14 PM | Computer Name = GORDON | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 24/04/2009 10:41:14 PM | Computer Name = GORDON | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 24/04/2009 10:41:14 PM | Computer Name = GORDON | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 28/04/2009 12:27:29 AM | Computer Name = GORDON | Source = Application Error | ID = 1000
Description = Faulting application ccapp.exe, version 103.0.3.8, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x00010ed2.

Error - 20/05/2009 2:52:36 PM | Computer Name = GORDON | Source = Application Hang | ID = 1002
Description = Hanging application msnmsgr.exe, version 8.1.178.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 03/03/2010 7:36:17 PM | Computer Name = GORDON | Source = Service Control Manager | ID = 7034
Description = The AVG Anti-Spyware Guard service terminated unexpectedly. It has
done this 1 time(s).

Error - 03/03/2010 7:36:17 PM | Computer Name = GORDON | Source = Service Control Manager | ID = 7034
Description = The ewido security suite control service terminated unexpectedly.
It has done this 1 time(s).

Error - 03/03/2010 7:36:17 PM | Computer Name = GORDON | Source = Service Control Manager | ID = 7034
Description = The Norton AntiVirus Firewall Monitor Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 03/03/2010 7:36:17 PM | Computer Name = GORDON | Source = Service Control Manager | ID = 7034
Description = The Symantec Core LC service terminated unexpectedly. It has done
this 1 time(s).

Error - 03/03/2010 7:36:18 PM | Computer Name = GORDON | Source = Service Control Manager | ID = 7034
Description = The InCD Helper service terminated unexpectedly. It has done this
1 time(s).

Error - 03/03/2010 7:42:53 PM | Computer Name = GORDON | Source = Service Control Manager | ID = 7000
Description = The PnkBstrA service failed to start due to the following error: %%2

Error - 03/03/2010 10:51:53 PM | Computer Name = GORDON | Source = Service Control Manager | ID = 7000
Description = The PnkBstrA service failed to start due to the following error: %%2

Error - 03/03/2010 10:51:53 PM | Computer Name = GORDON | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
uagp35

Error - 03/03/2010 11:03:21 PM | Computer Name = GORDON | Source = Service Control Manager | ID = 7000
Description = The PnkBstrA service failed to start due to the following error: %%2

Error - 03/03/2010 11:09:21 PM | Computer Name = GORDON | Source = Service Control Manager | ID = 7000
Description = The PnkBstrA service failed to start due to the following error: %%2


< End of report >
  • 0


#2
mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
Hi Cycloman,

Welcome to Geeks To Go!

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.
As it has been a few days, I'm going to need some fresh logs. Please run the following:

STEP 1 - MBAM

Open Malwarebytes' Anti-Malware.
  • Under the Updates tab, click Check for Updates. Let the updates install (if any).
  • After that, under the Scanner tab, click Perform Quick Scan and then Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 2 - GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

STEP 3 - OTL

  • Open OTL. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Change the Standard Registry and Extra Registry options to Use Safelist.
  • Check the boxes beside LOP Check and Purity Check.
  • In the Custom Scans box, copy and paste the following:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
STEP 4 - Reply

Please reply with the following logs:
  • MBAM Log
  • OTL Log
  • GMER Log

  • 0
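As an added example (not from this thread, and not OTL's own code), here is a Python script that reads the "< MD5 for: NAME >" blocks OTL writes for the /md5start list in STEP 3 and compares the MD5 of the copy Windows actually loads (under system32) against the installed service pack's copy (under ServicePackFiles). The AGP440.SYS and ATAPI.SYS blocks are copied from the OTL log posted earlier in this thread; the EXAMPLE.SYS block, its hashes and its file name are constructed to exercise the mismatch path.

```python
"""Sanity-check the '< MD5 for: NAME >' blocks of an OTL log.

OTL prints one line per copy of the named file it finds. The copy under
system32 is what Windows actually loads; the copy under ServicePackFiles
is the installed service pack's pristine version, and the copy under
$NtServicePackUninstall$ is the pre-service-pack version (expected to
differ). A live copy whose MD5 differs from the ServicePackFiles copy,
or whose MD5 could not be read, deserves a closer look.
"""
import re

HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")
# Matches an OTL file line such as
# [2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=... -- C:\...\agp440.sys
# The ".cab file" lines (copies inside sp2.cab / sp3.cab) carry no hash and are skipped.
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*"
    r"(?:MD5=(?P<md5>[0-9A-Fa-f]{32})|Unable to obtain MD5)\s*--\s*(?P<path>.+?)\s*$"
)


def _role(path):
    """Classify a path by which copy of the file it is."""
    p = path.lower()
    if "\\servicepackfiles\\" in p:
        return "reference"
    if "$ntservicepackuninstall$" in p:
        return "backup"
    if "\\system32\\" in p:
        return "live"
    return "other"


def parse_md5_sections(text):
    """Return {FILE NAME: [entry, ...]} for every '< MD5 for: ... >' block."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):
            # Any other "< ... >" header (e.g. /lockedfiles) ends the MD5 block.
            m = HEADER_RE.match(line)
            current = m.group("name").upper() if m else None
            if current is not None:
                sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sections[current].append({
            "path": m.group("path"),
            "md5": (m.group("md5") or "").upper() or None,
            "size": int(m.group("size").replace(",", "")),
            "company": m.group("company"),
            "role": _role(m.group("path")),
        })
    return sections


def check_system_files(text):
    """Compare each file's live copy against its ServicePackFiles copy."""
    verdicts = {}
    for name, entries in parse_md5_sections(text).items():
        live = [e for e in entries if e["role"] == "live"]
        refs = [e for e in entries if e["role"] == "reference"]
        if not live:
            verdicts[name] = "no live copy listed"
        elif live[0]["md5"] is None:
            verdicts[name] = "live copy unreadable (MD5 not obtained)"
        elif not refs:
            verdicts[name] = "no reference copy to compare against"
        elif live[0]["md5"] == refs[0]["md5"] and live[0]["size"] == refs[0]["size"]:
            verdicts[name] = "match"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


# AGP440.SYS and ATAPI.SYS blocks copied from the OTL log in this thread;
# EXAMPLE.SYS is a constructed block with made-up hashes for the MISMATCH path.
SAMPLE_LOG = r"""
< MD5 for: AGP440.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 22:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/09/16 18:50:03 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EXAMPLE.SYS >
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=11111111111111111111111111111111 -- C:\WINDOWS\ServicePackFiles\i386\example.sys
[2010/03/01 01:02:03 | 000,096,512 | ---- | M] () MD5=22222222222222222222222222222222 -- C:\WINDOWS\system32\drivers\example.sys

< %systemroot%\system32\*.dll /lockedfiles >
[2010/01/05 05:00:20 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
"""

if __name__ == "__main__":
    for name, verdict in sorted(check_system_files(SAMPLE_LOG).items()):
        print(f"{name:12} {verdict}")
```

For a real log, read OTL.txt into a string and pass it to check_system_files; the pre-service-pack backup copies are listed but deliberately not used as the reference.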

#3
Cycloman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thank you for replying and giving me assistance, mpascal. As you have asked, I re-ran MBAM, OTL, and GMER. MBAM and OTL ran normally and I have pasted the log files generated by these programs below.

Like I described in my original post, once again, GMER does not run, and I can therefore not generate a log file for it. I even tried all of your suggestions to run GMER - first, I downloaded the randomly named file from the main mirror, then I turned off all the real time protection/anti-virus programs, and disconnected the ethernet cable so as not to be connected to the internet. When I double-clicked the randomly named file, the scan launches as soon as the program opens. I tried unchecking the Devices box as soon as the program launched and began scanning, but it's always too late - within seconds, the program crashes ("has encountered an error and needs to close"). It never actually gets to the "Warning - Root Kit activity" message before it crashes - after the crash, my computer immediately reboots - sometimes I am able to click the "OK" button before it reboots, and sometimes it reboots before I even have a chance to do that. After trying it 4 times, I'm tired of having my PC just reboot constantly. Do you have an alternative to GMER that you can suggest? Because it's simply not working. Between my original post and this one, I've had my computer reset on me 10 different times when I try to run GMER.

Thank you! Your help is much appreciated.
  • 0

#4
mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
Instead of GMER, give this program a shot.

Download RootRepeal from one of the following locations and save it to your desktop:
  • Link 1
  • Link 2
  • Link 3
  • Double click Posted Image to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Posted Image button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, click the Posted Image button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#5
Cycloman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks mpascal! Here is the log file generated by RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/19 02:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xF744B000 Size: 98304 File Visible: No Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF7493000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF27D6000 Size: 138496 File Visible: - Signed: -
Status: -

Name: ALCXWDM.SYS
Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF6297000 Size: 2278784 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7B20000 Size: 3072 File Visible: - Signed: -
Status: -

Name: AvgAsCln.sys
Image Path: C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys
Address: 0xF7BAB000 Size: 3968 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7A5E000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7918000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF7758000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF7608000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CDRPDACC.SYS
Image Path: C:\Program Files\321Studios\Shared\CDRPDACC.SYS
Address: 0xF7A46000 Size: 4800 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7558000 Size: 53248 File Visible: - Signed: -
Status: -

Name: d347bus.sys
Image Path: d347bus.sys
Address: 0xF74C1000 Size: 155136 File Visible: - Signed: -
Status: -

Name: d347prt.sys
Image Path: d347prt.sys
Address: 0xF7A0C000 Size: 5248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7548000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF7628000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2113000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A8A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF292A000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C4000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7B46000 Size: 4096 File Visible: - Signed: -
Status: -

Name: enodpl.sys
Image Path: C:\WINDOWS\System32\drivers\enodpl.sys
Address: 0xF7A48000 Size: 7552 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF16BC000 Size: 143744 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xF7850000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF76D8000 Size: 44544 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xF7888000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF7413000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7A5C000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7463000 Size: 125056 File Visible: - Signed: -
Status: -

Name: guard.sys
Image Path: C:\Program Files\ewido\security suite\guard.sys
Address: 0xF7BDF000 Size: 3072 File Visible: - Signed: -
Status: -

Name: guard.sys
Image Path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Address: 0xF7BBC000 Size: 4096 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF6537000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF7898000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF79D4000 Size: 10368 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xF0D4E000 Size: 265728 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF7648000 Size: 52480 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF75F8000 Size: 42112 File Visible: - Signed: -
Status: -

Name: InCDfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\InCDfs.SYS
Address: 0xF28E5000 Size: 99456 File Visible: - Signed: -
Status: -

Name: InCDPass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\InCDPass.sys
Address: 0xF7828000 Size: 28928 File Visible: - Signed: -
Status: -

Name: InCDrec.SYS
Image Path: C:\WINDOWS\System32\Drivers\InCDrec.SYS
Address: 0xF79B4000 Size: 8704 File Visible: - Signed: -
Status: -

Name: incdrm.SYS
Image Path: C:\WINDOWS\System32\Drivers\incdrm.SYS
Address: 0xF7830000 Size: 27776 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF75E8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF21EE000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF28D2000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF7508000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF7858000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7A08000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xF1569000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF64C4000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF73EA000 Size: 92928 File Visible: - Signed: -
Status: -

Name: mc21.tmp
Image Path: C:\DOCUME~1\DUYVUO~1\LOCALS~1\Temp\mc21.tmp
Address: 0xF7B49000 Size: 2560 File Visible: No Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7A60000 Size: 4224 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF7878000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF61A5000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7518000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xF1BEE000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF212B000 Size: 455424 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF78A8000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF7688000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF72E6000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7316000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NAVENG.Sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060104.006\NAVENG.Sys
Address: 0xF16E0000 Size: 72064 File Visible: - Signed: -
Status: -

Name: NavEx15.Sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060104.006\NavEx15.Sys
Address: 0xF16F2000 Size: 745152 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7330000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF7A04000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xF1FFB000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF6224000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF76B8000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF6577000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF27F8000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF78B0000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF735D000 Size: 574976 File Visible: - Signed: -
Status: -

Name: NTIDrvr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
Address: 0xF7A2A000 Size: 6912 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7BAA000 Size: 2944 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xF623B000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF7790000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF7482000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7AD0000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7788000 Size: 28672 File Visible: - Signed: -
Status: -

Name: Pcouffin.sys
Image Path: C:\WINDOWS\System32\Drivers\Pcouffin.sys
Address: 0xF7698000 Size: 34528 File Visible: - Signed: -
Status: -

Name: pfc.sys
Image Path: C:\WINDOWS\system32\drivers\pfc.sys
Address: 0xF79EC000 Size: 10368 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6273000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF6213000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF7868000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF7798000 Size: 19392 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF79B8000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF7658000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF7668000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF7678000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF7870000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF21C3000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7A62000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF7618000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0897000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xF78B8000 Size: 28672 File Visible: - Signed: -
Status: -

Name: SASENUM.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
Address: 0xF77D8000 Size: 20480 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xF6567000 Size: 49152 File Visible: - Signed: -
Status: -

Name: SAVRT.SYS
Image Path: C:\Program Files\Norton AntiVirus\SAVRT.SYS
Address: 0xF17A8000 Size: 356352 File Visible: - Signed: -
Status: -

Name: SAVRTPEL.SYS
Image Path: C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS
Address: 0xF27C3000 Size: 77824 File Visible: - Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xF7433000 Size: 98304 File Visible: - Signed: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xF1C8B000 Size: 40960 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xF7A00000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xF7638000 Size: 64512 File Visible: - Signed: -
Status: -

Name: SISAGPX.sys
Image Path: SISAGPX.sys
Address: 0xF7578000 Size: 36992 File Visible: - Signed: -
Status: -

Name: sisgrp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\sisgrp.sys
Address: 0xF64FB000 Size: 245760 File Visible: - Signed: -
Status: -

Name: SiSGRV.dll
Image Path: C:\WINDOWS\System32\SiSGRV.dll
Address: 0xBF9D6000 Size: 1167360 File Visible: - Signed: -
Status: -

Name: sisnicxp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
Address: 0xF7848000 Size: 32768 File Visible: - Signed: -
Status: -

Name: SiSRaid.sys
Image Path: SiSRaid.sys
Address: 0xF7538000 Size: 46464 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF7401000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xF1A7F000 Size: 353792 File Visible: - Signed: -
Status: -

Name: srvkp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srvkp.sys
Address: 0xF79C4000 Size: 12928 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7A34000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\Program Files\Symantec\SYMEVENT.SYS
Address: 0xF2820000 Size: 98880 File Visible: - Signed: -
Status: -

Name: symlcbrd.sys
Image Path: C:\WINDOWS\system32\drivers\symlcbrd.sys
Address: 0xF78C8000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SYMTDI.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMTDI.SYS
Address: 0xF2839000 Size: 261088 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF19FF000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tandpl.sys
Image Path: C:\WINDOWS\System32\drivers\tandpl.sys
Address: 0xF7A5A000 Size: 4736 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF2879000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF7860000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF76A8000 Size: 40704 File Visible: - Signed: -
Status: -

Name: uagp35.sys
Image Path: uagp35.sys
Address: 0xF7568000 Size: 44672 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF61B5000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7A3C000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF7840000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF65A7000 Size: 59520 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF7838000 Size: 17152 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF624F000 Size: 147456 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xF78D0000 Size: 26368 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF78A0000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF64E7000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7528000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF6547000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF77C0000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xF15B7000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7A0A000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -
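Reading a RootRepeal driver listing like the one above by hand is slow, so here is an added example (not code from the thread, from RootRepeal, or from the helpers) that parses the report's record layout and flags the entries an analyst would review first. The sample records are copied from the listing above; the field names and the two triage heuristics are my own assumptions about how to read it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: four records copied from the RootRepeal "Drivers" listing in this
# thread, in the exact Name / Image Path / Address-Size-Visible-Signed / Status layout.
SAMPLE_REPORT = r"""
Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF292A000 Size: 12288 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF73EA000 Size: 92928 File Visible: - Signed: -
Status: -

Name: mc21.tmp
Image Path: C:\DOCUME~1\DUYVUO~1\LOCALS~1\Temp\mc21.tmp
Address: 0xF7B49000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0897000 Size: 49152 File Visible: No Signed: -
Status: -
"""

# The third line of every record packs four fields into one line.
ADDR_LINE_RE = re.compile(
    r"Address:\s*(?P<address>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)\s+"
    r"File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)"
)

# Path fragments meaning a kernel driver was loaded from a user-writable temp location.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class DriverRecord:
    name: str
    image_path: str      # a bare file name (e.g. KSecDD.sys) is normal for boot-start drivers
    address: int
    size: int
    file_visible: str    # "-" = no finding; "No" = RootRepeal could not see the file on disk
    signed: str
    status: str


def parse_driver_report(text: str) -> List[DriverRecord]:
    """Split the report into blank-line-separated records and parse each one."""
    records: List[DriverRecord] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # first colon only, so C:\ paths survive
            fields[key.strip()] = value.strip()
        match = ADDR_LINE_RE.search(block)
        if match is None or "Name" not in fields:
            continue  # tolerate a truncated or garbled record instead of aborting
        records.append(DriverRecord(
            name=fields["Name"],
            image_path=fields.get("Image Path", ""),
            address=int(match.group("address"), 16),
            size=int(match.group("size")),
            file_visible=match.group("visible"),
            signed=match.group("signed"),
            status=fields.get("Status", "-"),
        ))
    return records


def triage(records: List[DriverRecord]) -> List[Tuple[DriverRecord, List[str]]]:
    """Return the records an analyst should review first, each with its reasons.

    These are review signals, not verdicts: a scanner's own driver (rootrepeal.sys in
    this very listing) trips the "not visible" check just as a rootkit would.
    """
    findings: List[Tuple[DriverRecord, List[str]]] = []
    for rec in records:
        reasons: List[str] = []
        path = rec.image_path.lower()
        if rec.file_visible.lower() == "no":
            reasons.append("image file not visible on disk (hidden or already deleted)")
        if any(marker in path for marker in TEMP_MARKERS):
            reasons.append("kernel driver loaded from a Temp directory")
        if reasons:
            findings.append((rec, reasons))
    return findings


def main() -> None:
    for rec, reasons in triage(parse_driver_report(SAMPLE_REPORT)):
        print(f"{rec.name:<16} {rec.image_path}")
        for reason in reasons:
            print(f"    - {reason}")


if __name__ == "__main__":
    main()
```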

#6
mpascal
    Math Nerd
  • Retired Staff
  • 3,644 posts
Hi Cycloman,

Can you post that MBAM log from a few days ago? Also run the following.

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • In the Custom Scans box, copy and paste the following:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTListIt.Txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of the files, and post it with your next reply.


#7
Cycloman
    New Member
  • Topic Starter
  • Member
  • 8 posts
Thanks mpascal.

Here is the MBAM log from March 17th:

Malwarebytes' Anti-Malware 1.44
Database version: 3823
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

17/03/2010 1:54:03 AM
mbam-log-2010-03-17 (01-54-03).txt

Scan type: Quick Scan
Objects scanned: 140559
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL only produced an OTL.txt log, but no Extras.txt file was created. Here is the OTL.txt output:

OTL logfile created on: 20/03/2010 3:20:03 AM - Run 3
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Duy Vuong\Desktop\Spyware removal
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

479.00 Mb Total Physical Memory | 110.00 Mb Available Physical Memory | 23.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 0.22 Gb Free Space | 0.30% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 480.69 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GORDON
Current User Name: Duy Vuong
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Duy Vuong\Desktop\Spyware removal\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (GRISOFT s.r.o.)
PRC - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (GRISOFT s.r.o.)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (Symantec Corporation)
PRC - C:\Program Files\Ahead\InCD\incdsrv.exe (Nero AG)
PRC - C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE (Symantec Corporation)
PRC - C:\Program Files\ewido\security suite\ewidoctrl.exe (ewido networks)
PRC - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (Symantec Corporation)
PRC - C:\Program Files\Norton AntiVirus\navapsvc.exe (Symantec Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Duy Vuong\Desktop\Spyware removal\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\TrojanHunter 4.2\THSec.dll ()


========== Win32 Services (SafeList) ==========

SRV - (PnkBstrA) -- File not found
SRV - (AVG Anti-Spyware Guard) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (GRISOFT s.r.o.)
SRV - (usnjsvc) -- C:\Program Files\MSN Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (ewido security suite guard) -- C:\Program Files\ewido\security suite\ewidoguard.exe (ewido networks)
SRV - (Symantec Core LC) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (Symantec Corporation)
SRV - (InCDsrv) -- C:\Program Files\Ahead\InCD\incdsrv.exe (Nero AG)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (ccPwdSvc) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation)
SRV - (ewido security suite control) -- C:\Program Files\ewido\security suite\ewidoctrl.exe (ewido networks)
SRV - (SNDSrvc) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (Symantec Corporation)
SRV - (NPFMntor) -- C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (Symantec Corporation)
SRV - (navapsvc) -- C:\Program Files\Norton AntiVirus\navapsvc.exe (Symantec Corporation)
SRV - (SBService) -- C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe (Symantec Corporation)
SRV - (SAVScan) -- C:\Program Files\Norton AntiVirus\SAVScan.exe (Symantec Corporation)
SRV - (SPBBCSvc) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)


========== Driver Services (SafeList) ==========

DRV - (SYMIDSCO) -- C:\Program Files\Common Files\Symantec Shared\SymcData\ids-diskless\20100224.001\SymIDSCo.sys (Symantec Corporation)
DRV - (SDTHOOK) -- C:\WINDOWS\system32\drivers\SDTHOOK.SYS (Panda Software)
DRV - (AVG Anti-Spyware Driver) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ()
DRV - (AvgAsCln) -- C:\WINDOWS\system32\drivers\AvgAsCln.sys (GRISOFT, s.r.o.)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ()
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys ()
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS (SuperAdBlocker, Inc.)
DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060104.006\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060104.006\NAVENG.SYS (Symantec Corporation)
DRV - (symlcbrd) -- C:\WINDOWS\system32\drivers\symlcbrd.sys (Symantec Corporation)
DRV - (InCDfs) -- C:\WINDOWS\system32\drivers\incdfs.sys (Nero AG)
DRV - (InCDPass) -- C:\WINDOWS\system32\drivers\incdpass.sys (Nero AG)
DRV - (incdrm) -- C:\WINDOWS\system32\drivers\InCDrm.sys (Nero AG)
DRV - (ewido security suite driver) -- C:\Program Files\ewido\security suite\guard.sys ()
DRV - (NTIDrvr) -- C:\WINDOWS\system32\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)
DRV - (SiSRaid) -- C:\WINDOWS\system32\DRIVERS\SiSRaid.sys (Silicon Integrated Systems)
DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (SYMIDS) -- C:\WINDOWS\System32\Drivers\SYMIDS.SYS (Symantec Corporation)
DRV - (SYMNDIS) -- C:\WINDOWS\System32\Drivers\SYMNDIS.SYS (Symantec Corporation)
DRV - (SYMFW) -- C:\WINDOWS\System32\Drivers\SYMFW.SYS (Symantec Corporation)
DRV - (SYMDNS) -- C:\WINDOWS\System32\Drivers\SYMDNS.SYS (Symantec Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (SymEvent) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (d347prt) -- C:\WINDOWS\System32\Drivers\d347prt.sys ( )
DRV - (d347bus) -- C:\WINDOWS\system32\DRIVERS\d347bus.sys ( )
DRV - (SAVRTPEL) -- C:\Program Files\Norton AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (SAVRT) -- C:\Program Files\Norton AntiVirus\savrt.sys (Symantec Corporation)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (SISNICXP) -- C:\WINDOWS\system32\drivers\sisnicxp.sys (SiS Corporation)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (CDRPDACC) -- C:\Program Files\321Studios\Shared\CDRPDACC.SYS (Arrowkey)
DRV - (SISAGP) -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)
DRV - (tandpl) -- C:\WINDOWS\system32\drivers\tandpl.sys ()
DRV - (enodpl) -- C:\WINDOWS\system32\drivers\enodpl.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu63\toolbaru.dll File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Netscape 7.2\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2007/02/14 02:04:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.2\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2009/01/08 01:31:24 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2007/12/26 21:04:33 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (ST) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (MSNToolBandBHO) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll (Microsoft Corporation)
O2 - BHO: (CNavExtBho Class) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (ICQ Toolbar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu63\toolbaru.dll File not found
O3 - HKLM\..\Toolbar: (MSN) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (ICQ Toolbar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu63\toolbaru.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (MSN) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [!AVG Anti-Spyware] C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (GRISOFT s.r.o.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [RegistryMechanic] File not found
O4 - HKLM..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe (Mischel Internet Security)
O4 - HKCU..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe (IGN Entertainment)
O4 - HKCU..\Run: [PowerBar] C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe (Cyberlink, Corp.)
O4 - HKCU..\Run: [Sonic RecordNow!] File not found
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0
O8 - Extra context menu item: &ICQ Toolbar Search - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (ICQ Ltd.)
O9 - Extra 'Tools' menuitem : ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (ICQ Ltd.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} http://zone.msn.com/...eb.1.0.0.17.cab (CPlayFirstChocolatieControl Object)
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} http://zone.msn.com/...nx.1.0.0.87.cab (CPlayFirstTriJinxControl Object)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplane...C_2.3.9.113.cab (CDownloadCtrl Object)
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} http://zone.msn.com/...pcaploader1.cab (PopCapLoaderCtrl Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://zone.msn.com/...mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoft...free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} http://zone.msn.com/...undLauncher.cab (AstoundLauncher Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} http://zone.msn.com/...inematycoon.cab (TikGames Online Control)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/...ploader_v10.cab (PopCapLoader Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINDOWS\System32\wzcdlg.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {54D9498B-CF93-414F-8984-8CE7FDE0D391} - C:\Program Files\ewido\security suite\shellhook.dll ()
O28 - HKLM ShellExecuteHooks: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {9EF34FF2-3396-4527-9D27-04C8C1C67806} - C:\Program Files\Microsoft AntiSpyware\shellextension.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/05/18 14:54:20 | 000,061,440 | R--- | M] () - F:\autoplay.exe -- [ CDFS ]
O32 - AutoRun File - [2003/02/12 03:01:48 | 000,000,050 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\Shell - "" = AutoRun
O33 - MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\Shell\AutoRun\command - "" = F:\autoplay.exe -- [2003/05/18 14:54:20 | 000,061,440 | R--- | M] ()
O33 - MountPoints2\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\Shell - "" = AutoRun
O33 - MountPoints2\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/11/20 01:23:22 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 30 Days ==========

[2010/03/03 22:05:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Duy Vuong\Application Data\Malwarebytes
[2010/03/03 22:05:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/03 22:05:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/03 22:05:48 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/03 22:05:48 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/03 22:03:39 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/03/03 19:35:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Duy Vuong\Desktop\Spyware removal
[2008/09/16 20:23:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/02/08 21:49:13 | 000,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2005/02/08 21:49:13 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[2005/01/07 14:29:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2004/10/27 19:18:17 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2004/10/27 19:18:16 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2004/10/27 19:18:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2 C:\Documents and Settings\Duy Vuong\My Documents\*.tmp files -> C:\Documents and Settings\Duy Vuong\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/20 03:10:01 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/20 03:08:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/20 03:08:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/20 03:08:16 | 502,845,440 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/19 02:46:17 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\Duy Vuong\NTUSER.DAT
[2010/03/19 02:46:17 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Duy Vuong\ntuser.ini
[2010/03/15 01:28:29 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/15 01:28:29 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/15 01:28:28 | 000,355,944 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 23:44:00 | 000,000,372 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2010/03/14 17:09:29 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/05 21:00:00 | 000,000,538 | ---- | M] () -- C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Duy Vuong.job
[2010/03/03 22:05:54 | 000,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2 C:\Documents and Settings\Duy Vuong\My Documents\*.tmp files -> C:\Documents and Settings\Duy Vuong\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/03 22:05:54 | 000,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2007/10/28 15:37:35 | 000,022,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2006/09/20 16:03:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/04/04 04:15:36 | 000,000,049 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2006/04/04 04:15:11 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2006/04/04 02:48:46 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2006/04/04 02:48:45 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2005/09/19 19:01:53 | 000,049,540 | ---- | C] () -- C:\WINDOWS\rxvcrt.dll
[2005/08/09 20:00:06 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2005/08/06 17:45:25 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2005/08/03 06:40:16 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2005/08/03 00:20:51 | 000,000,679 | ---- | C] () -- C:\WINDOWS\TSC.ini
[2005/04/25 13:13:46 | 000,000,363 | ---- | C] () -- C:\WINDOWS\ubber60.ini
[2005/03/31 00:58:59 | 000,000,155 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2005/03/14 21:02:41 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2005/02/24 12:56:45 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2005/02/08 22:30:46 | 000,007,552 | ---- | C] () -- C:\WINDOWS\System32\drivers\enodpl.sys
[2005/02/08 22:30:44 | 000,004,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\tandpl.sys
[2005/01/30 20:53:53 | 000,000,045 | ---- | C] () -- C:\WINDOWS\DCJGENLI.ini
[2005/01/16 12:49:50 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2005/01/16 12:47:48 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2005/01/10 17:51:53 | 000,000,061 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/01/07 16:04:59 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/01/07 15:33:09 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2005/01/07 15:01:36 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/01/07 14:03:22 | 000,171,008 | ---- | C] () -- C:\Documents and Settings\Duy Vuong\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/11/18 18:56:53 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/11/17 17:25:55 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\ntiembed.dll
[2004/11/17 17:25:31 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
[2004/11/17 17:23:02 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2004/11/17 17:23:02 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK32.dll
[2004/10/29 15:14:57 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2004/10/27 19:54:31 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\property.dll
[2004/10/27 19:26:23 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2004/08/22 18:04:56 | 000,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2004/08/10 17:52:10 | 000,001,230 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/09/30 22:52:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2002/12/05 17:51:00 | 000,059,392 | R--- | C] () -- C:\WINDOWS\streamhlp.dll
[2001/12/26 20:12:30 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/04 03:46:38 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 20:33:56 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/24 02:04:36 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[1999/07/23 13:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 10:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/16 19:50:03 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2008/09/16 19:50:03 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/16 19:50:03 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2008/09/16 19:50:03 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2010/01/05 06:00:20 | 000,347,136 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2010/01/05 06:00:21 | 000,214,528 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/10/27 12:08:33 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/10/27 12:08:33 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/10/27 12:08:33 | 000,872,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >

Thanks for your help!
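
Reading an OTL log like the one above by hand works for one machine; the helper below, an added example written for this page and not OTL's own code, automates the two checks that matter most in it. The "< MD5 for: ... >" custom scan compares the driver actually loaded from system32 against the copy kept in ServicePackFiles (a live copy whose hash differs is what a patched system driver looks like; here atapi.sys and the other checked files all match), and the O33 lines are per-volume autorun commands that Explorer cached under HKCU MountPoints2, which is why the fix in the next post targets them. The sample lines are copied from the log above; the EXAMPLE.SYS section and the assumption that C: is the system drive are constructed for the demonstration.

```python
"""Added triage helpers for two parts of an OTL log: the '< MD5 for: X >' custom
scan (live driver vs. service-pack copy) and O33 MountPoints2 autorun commands.
This is example code written for this page, not OTL's own logic."""
import re

# Lines copied from the OTL log above (only the parts these checks read).
SAMPLE_OTL = r"""
O33 - MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\Shell\AutoRun\command - "" = F:\autoplay.exe -- [2003/05/18 14:54:20 | 000,061,440 | R--- | M] ()

< MD5 for: ATAPI.SYS >
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
"""

# Constructed section (not from the log): the live driver no longer matches
# the service-pack copy, which is what a patched or infected driver looks like.
CONSTRUCTED_MISMATCH = r"""
< MD5 for: EXAMPLE.SYS >
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\ServicePackFiles\i386\example.sys
[2010/03/01 00:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -- C:\WINDOWS\system32\drivers\example.sys
"""

SYSTEM_DRIVE = "C"  # assumption: %SYSTEMDRIVE% is C:, as in the log above

MD5_HEADER = re.compile(r"^< MD5 for: (?P<name>[^>]+) >$")
MD5_LINE = re.compile(r"MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$")
O33_COMMAND = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command'
    r' - "" = (?P<target>\S+) -- (?P<status>.*)$'
)


def parse_md5_sections(text):
    """Return {driver name (lower-case): {path: md5}} for every MD5 section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # sections are blank-line separated
            current = None
            continue
        header = MD5_HEADER.match(line)
        if header:
            current = header.group("name").strip().lower()
            sections[current] = {}
            continue
        entry = MD5_LINE.search(line)
        if current is not None and entry:
            sections[current][entry.group("path")] = entry.group("md5").upper()
    return sections


def check_live_drivers(sections):
    """Compare the copy under system32 with the ServicePackFiles copy."""
    verdicts = {}
    for name, hashes in sections.items():
        live = [h for p, h in hashes.items() if "\\system32\\" in p.lower()]
        ref = [h for p, h in hashes.items() if "\\servicepackfiles\\" in p.lower()]
        if not live or not ref:
            verdicts[name] = "incomplete"     # nothing to compare against
        elif live[0] == ref[0]:
            verdicts[name] = "match"
        else:
            verdicts[name] = "MISMATCH"       # live driver differs from SP copy
    return verdicts


def autorun_findings(text):
    """List (guid, target, reason) for every cached per-volume autorun command."""
    findings = []
    for raw in text.splitlines():
        m = O33_COMMAND.match(raw.strip())
        if not m:
            continue
        target, status = m.group("target"), m.group("status")
        reasons = []
        if status.startswith("File not found"):
            reasons.append("dangling command, target missing")
        if target[:1].upper() != SYSTEM_DRIVE:
            reasons.append("autorun from non-system drive %s:" % target[:1].upper())
        findings.append((m.group("guid"), target, "; ".join(reasons) or "present"))
    return findings


if __name__ == "__main__":
    combined = parse_md5_sections(SAMPLE_OTL + CONSTRUCTED_MISMATCH)
    for name, verdict in check_live_drivers(combined).items():
        print("%-12s %s" % (name, verdict))
    for guid, target, reason in autorun_findings(SAMPLE_OTL):
        print(guid, target, "->", reason)
```

The ServicePackFiles copy lives on the same disk as the live driver, so a matching pair only tells you the driver was not patched in place; if you suspect a rootkit that also touches the reference copies, compare the live hash against one taken from a clean machine with the same service pack instead. The autorun findings are a list for a human to act on, exactly as the fix in the following post does: a dangling command pointing at a drive letter that no longer exists is harmless by itself, but it records that a removable device with its own autorun once ran on this machine.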

#8 mpascal
    Math Nerd
  • Retired Staff
  • 3,644 posts
Hi Cycloman,

STEP 1 - OTL Fix

Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :OTL
    O33 - MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\Shell - "" = AutoRun
    O33 - MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\Shell\AutoRun\command - "" = F:\autoplay.exe -- [2003/05/18 14:54:20 | 000,061,440 | R--- | M] ()
    O33 - MountPoints2\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\Shell - "" = AutoRun
    O33 - MountPoints2\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
    [2005/09/19 19:01:53 | 000,049,540 | ---- | C] () -- C:\WINDOWS\rxvcrt.dll
    [2005/01/30 20:53:53 | 000,000,045 | ---- | C] () -- C:\WINDOWS\DCJGENLI.ini
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
STEP 2 - MBAM

Open Malwarebytes' Anti-Malware.
  • Under the Updates tab, click Check for Updates. Let the updates install (if any).
  • After that, under the Scanner tab, click Perform Quick Scan and then Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the note below.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 3 - Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    Posted Image

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.
STEP 4 - Reply

Please reply with the following logs:
  • MBAM Log
  • Kaspersky Log


#9 Cycloman
    New Member
  • Topic Starter
  • Member
  • 8 posts
Thanks mpascal.

My computer seems to be having problems running the Kaspersky scan. It updates the database and I run the scan, but it stalls about 25-30 minutes into the scan (around 20% complete): the timer stops counting, and it doesn't continue scanning files. I've run it twice so far in Internet Explorer and this keeps happening. I'm going to try it in Firefox tomorrow and report back to you.

For now, I've pasted the OTL log after the fixes, and the MBAM scan log below. I'll post the Kaspersky log (if I can get it to work in Firefox) tomorrow.

Thank you again!

OTL log:

All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ba12116-d05f-11dc-aa1e-000fea5c60ec}\ not found.
File G:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f8f7f06-7a3f-11d9-a8cc-806d6172696f}\ not found.
File move failed. F:\autoplay.exe scheduled to be moved on reboot.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba64d088-ac94-11de-aa7c-000fea5c60ec}\ not found.
File G:\LaunchU3.exe not found.
C:\WINDOWS\rxvcrt.dll moved successfully.
C:\WINDOWS\DCJGENLI.ini moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Duy Vuong
->Temp folder emptied: 1975412 bytes
->Temporary Internet Files folder emptied: 106042859 bytes
->Flash cache emptied: 5305 bytes

User: Gordon Vuong
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 103.00 mb


OTL by OldTimer - Version 3.1.37.3 log created on 03232010_005716

Files\Folders moved on Reboot...
File move failed. F:\autoplay.exe scheduled to be moved on reboot.
C:\Documents and Settings\Duy Vuong\Local Settings\Temp\Google Toolbar\GoogleToolbarWelcome.log moved successfully.
File\Folder C:\Documents and Settings\Duy Vuong\Local Settings\Temp\~DF63EF.tmp not found!
File\Folder C:\Documents and Settings\Duy Vuong\Local Settings\Temp\~DF63FC.tmp not found!
C:\Documents and Settings\Duy Vuong\Local Settings\Temporary Internet Files\Content.IE5\ZLUHOLSW\Email-hacked-possible-malware-system-t270286[1].htm moved successfully.
C:\Documents and Settings\Duy Vuong\Local Settings\Temporary Internet Files\Content.IE5\AKEXLOVG\iframe[1].htm moved successfully.
C:\Documents and Settings\Duy Vuong\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...

MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3902
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

23/03/2010 1:21:23 AM
mbam-log-2010-03-23 (01-21-23).txt

Scan type: Quick Scan
Objects scanned: 143963
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 mpascal
    Math Nerd
  • Retired Staff
  • 3,644 posts
Hi,

Don't worry about the Kaspersky scan, just run this tool instead.

Download Dr.Web CureIt to the desktop.
  • Double-click the drweb-cureit.exe file, then click Start and allow the express scan to run.
  • This scans the files currently running in memory; when something is found, click Yes when it asks whether you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow Posted Image at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
    Posted Image
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    Posted Image
  • This moves the file to the quarantine folder under %userprofile%\DoctorWeb if it can't be cured (in case we need samples).
  • After that, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.
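
Once the DrWeb.csv report from the step above is in hand, the question a practitioner wants answered is which hits are actually live on disk and which are files another scanner had already isolated, since Dr.Web will happily report on the contents of Norton's or Malwarebytes' quarantine folders. The script below, an added example written for this page and not part of Dr.Web CureIt or this thread, reads the report's semicolon-delimited rows (name;directory;threat;action;) and separates the two. The sample rows are constructed in that layout rather than taken from a real machine, and QUARANTINE_DIRS is an assumption to adjust to whatever products are installed.

```python
"""Added triage for a Dr.Web CureIt report (DrWeb.csv): separate detections that
are live on disk from ones already sitting in another scanner's quarantine.
Example code written for this page, not part of Dr.Web or the thread."""
import csv
import io
from collections import Counter

# Assumption: paths under these directories are already isolated by another
# product, so a hit there is a leftover, not an active infection.
QUARANTINE_DIRS = (
    r"\Norton AntiVirus\Quarantine",
    r"\Malwarebytes' Anti-Malware\Quarantine",
    r"\SUPERAntiSpyware\Quarantine",
)

# Constructed sample in the report's own layout: name;directory;threat;action;
SAMPLE_REPORT = r"""sample.dll;C:\Program Files\SomeApp;Trojan.DownLoader.1518;Deleted.;
helper.exe;C:\Program Files\SomeApp;Program.mIRC.616;Incurable.Moved.;
00A1B2C3.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
00A1B2C4;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
00A1B2C5.exe;C:\Program Files\Norton AntiVirus\Quarantine;BackDoor.Generic.665;Deleted.;
"""


def parse_report(text):
    """Parse the semicolon-delimited report into dicts; skips malformed rows."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 4 or not row[0]:
            continue
        name, directory, threat, action = (f.strip() for f in row[:4])
        records.append({"name": name, "dir": directory, "threat": threat,
                        "action": action.rstrip(".")})
    return records


def is_quarantined(directory):
    """True when the directory is one another product uses to isolate files."""
    d = directory.lower()
    return any(q.lower() in d for q in QUARANTINE_DIRS)


def triage(records):
    """Split hits into live vs. already-quarantined and summarise the live ones."""
    live = [r for r in records if not is_quarantined(r["dir"])]
    stale = [r for r in records if is_quarantined(r["dir"])]
    return {
        "live": live,
        "stale": stale,
        # Dr.Web names start with a class (Trojan, BackDoor, Adware, Program, ...)
        "live_classes": Counter(r["threat"].split(".")[0] for r in live),
        # files the scanner could not cure and moved aside: keep these as samples
        "needs_sample": [r for r in live if r["action"].startswith("Incurable")],
        "live_dirs": Counter(r["dir"] for r in live),
    }


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print("live hits: %d, already quarantined: %d"
          % (len(result["live"]), len(result["stale"])))
    for r in result["live"]:
        print("  %s\\%s  %s  [%s]" % (r["dir"], r["name"], r["threat"], r["action"]))
```

The "stale" list is still worth a glance, because it shows what the machine's previous scanner caught over its lifetime, but only the "live" entries and their directories should drive the next cleanup step; an "Incurable.Moved." action on a live file means Dr.Web could not repair it and parked it in its own quarantine, which is the copy to hand over when a helper asks for samples.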

#11 Cycloman
    New Member
  • Topic Starter
  • Member
  • 8 posts
Thanks mpascal.

I ran both the short scan and the complete scan in Dr.Web. Here is the log file that was created by the complete scan (Dr.Web.csv).

Thank you!

Dr.Web.csv:

Stdio.dll;C:\FTP\mIRC\Invision;IRC.Flood;Deleted.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Incurable.Moved.;
00AE786F;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
00B2226B.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.nCase;Incurable.Moved.;
00B54C67;C:\Program Files\Norton AntiVirus\Quarantine;Adware.nCase;Incurable.Moved.;
00B54C67.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.1518;Deleted.;
00B87664.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.1518;Deleted.;
00BB2060.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.1518;Deleted.;
00BF4A5D.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
00C27459.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
00C35965.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
00C51E55.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
00C84852.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
00CC724E.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
00CF1C4B.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
00D24647.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
00D67043.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
00D91A40.dll;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Winad;Incurable.Moved.;
00D91A40.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
00DC443C.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Delfin.origin;Incurable.Moved.;
00DF6E39.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.1518;Deleted.;
00E31835.dll;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Pynix;Incurable.Moved.;
00E31835.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Delfin;Incurable.Moved.;
013F1613.ocx;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.1639;Deleted.;
01781145.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
01CF1FE0.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
06100582.dll;C:\Program Files\Norton AntiVirus\Quarantine;Adware.SideFind;Incurable.Moved.;
06484430.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
0CD05211.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
0D094D44.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
0D5F5BDE.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
0D68162C;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
0F1E10FB.exe;C:\Program Files\Norton AntiVirus\Quarantine;BackDoor.Generic.665;Deleted.;
115C41A6;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos.69;Incurable.Moved.;
11A04180.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.PowerScan;Incurable.Moved.;
169D231B.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
16DB3DE2.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
18990942.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
18F017DD.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
1B3C0D3F.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
1CEC7DA5.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.MulDrop.2192;Incurable.Moved.;
1D5273AC.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Linker;Incurable.Moved.;
1D967387.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
24294541.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.nCase;Incurable.Moved.;
24564016;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
24564016.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.MediaMotor;Incurable.Moved.;
248053DB.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
24C21685.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
24DD4712.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
290D68BC.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
29272F85.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Isbar.214;Deleted.;
29533A89.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
29566485.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
295A0E81.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
295D387E.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
2960627A.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
29630C77.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
29673673.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
296A6070.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
296D0A6C.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
29713468.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.nCase;Incurable.Moved.;
2E923A26.dll;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Isbar.338;Deleted.;
2FE77C15;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
30207747.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.1518;Deleted.;
302E3AB8.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
34B76B84.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Dyfuca;Deleted.;
35B32583.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.AproposAd;Deleted.;
36920CB7.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Linker;Incurable.Moved.;
36A716A7.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
36A9329E;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos.69;Incurable.Moved.;
36AC5C9A;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
36B00696;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
36B00696.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.AproposAd;Deleted.;
36B33093.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.AproposAd;Deleted.;
36B33093.ocx;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.origin;Incurable.Moved.;
36C1668A;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
36C41086.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
36CE0E7C.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Winad;Incurable.Moved.;
36D13878.dll;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Winad;Incurable.Moved.;
36D46274.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Admilli;Incurable.Moved.;
3B541B94.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.nCase;Incurable.Moved.;
3B773814.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
3BB03346.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
3C0741E0.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
40472782.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.SurfAcc;Incurable.Moved.;
4607046D.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
47077412.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Surfside;Incurable.Moved.;
47416F44.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
47977DDF.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
49111135.dll;C:\Program Files\Norton AntiVirus\Quarantine;Adware.SAHAgent;Incurable.Moved.;
4A382617.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.1518;Deleted.;
4D285669.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
50564537.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Exact;Incurable.Moved.;
51587813.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
52D12B43.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
532839DE.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
57241FA5;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
57241FA5.exe;C:\Program Files\Norton AntiVirus\Quarantine;BackDoor.Generic.665;Deleted.;
57681F80.dll;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Isbar.294;Deleted.;
5D2D7DF6;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
5E2C4DEE.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
5E616742.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
5E8E6217;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
5EB875DC.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
613A69C1.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
613D13BE.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Exact;Incurable.Moved.;
61413DBA.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Swizzor;Deleted.;
614467B6.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Isbar.260;Deleted.;
614711B3.dll;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Dyfuca;Deleted.;
614711B3.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Dyfuca;Deleted.;
614711B3.srg;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Exact;Incurable.Moved.;
614711B3.tcf;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Dyfuca;Deleted.;
614711B3.vxd;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
614A3BAF.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
614E65AC.dd2;C:\Program Files\Norton AntiVirus\Quarantine;Adware.SurfAcc;Incurable.Moved.;
614E65AC.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.SurfAcc;Incurable.Moved.;
61510FA8.dll;C:\Program Files\Norton AntiVirus\Quarantine;Adware.SideFind;Incurable.Moved.;
61510FA8.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.SideFind;Incurable.Moved.;
61510FA8.tcf;C:\Program Files\Norton AntiVirus\Quarantine;Adware.SideFind;Incurable.Moved.;
615439A4.dll;C:\Program Files\Norton AntiVirus\Quarantine;Adware.SideFind;Incurable.Moved.;
615439A4.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.SideFind;Incurable.Moved.;
615763A1.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.SideFind;Incurable.Moved.;
615B0D9D.dll;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Isbar.294;Deleted.;
63405E9B.dll;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Isbar.338;Deleted.;
635F5186.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Exact;Incurable.Moved.;
644B293F.dll;C:\Program Files\Norton AntiVirus\Quarantine;Adware.SAHAgent;Incurable.Moved.;
651E06D6;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
66396B9F;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Egive;Incurable.Moved.;
664443E9;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
69F22340.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.1631;Deleted.;
6A1F1E16.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
6A4831DB.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
70702917;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
70735313;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
70735313.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.MediaMotor;Incurable.Moved.;
70777D0F.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
707A270C;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
707D5108.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.466;Deleted.;
70817B05.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
70842501.ocx;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.DownLoader.1639;Deleted.;
70842501.srg;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
70842501.vxd;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
70874EFD.dll;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Dyfuca;Deleted.;
708A78FA.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Click.240;Deleted.;
757265C0.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
75825F3F.dll;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Websearch;Incurable.Moved.;
75AE506C;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
75AF5A14.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
75E85547.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
78A1548E.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Exact;Incurable.Moved.;
79A2076A.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
7A7F4983.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.PowerScan;Incurable.Moved.;
7C9337BC.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
7E8A54C0.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Apropos;Incurable.Moved.;
7F287235.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.Surfside;Incurable.Moved.;
A0132360.dll;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;IRC.Flood;Deleted.;
A0132361.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.DownLoader.1518;Deleted.;
A0132362.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.DownLoader.1518;Deleted.;
A0132363.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.DownLoader.1518;Deleted.;
A0132364.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132365.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132366.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132367.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132368.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132369.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132370.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132371.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132372.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132373.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132374.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.DownLoader.1518;Deleted.;
A0132375.ocx;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.DownLoader.1639;Deleted.;
A0132376.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132377.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132378.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132379.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132380.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;BackDoor.Generic.665;Deleted.;
A0132381.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132382.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132383.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132384.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.MulDrop.2192;Incurable.Moved.;
A0132385.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Linker;Incurable.Moved.;
A0132386.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132387.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132388.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132389.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Isbar.214;Deleted.;
A0132390.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132391.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132392.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132393.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132394.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132395.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132396.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132397.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132398.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132399.dll;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Isbar.338;Deleted.;
A0132400.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.DownLoader.1518;Deleted.;
A0132401.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132402.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Dyfuca;Deleted.;
A0132403.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.AproposAd;Deleted.;
A0132404.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Linker;Incurable.Moved.;
A0132405.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.AproposAd;Deleted.;
A0132406.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.AproposAd;Deleted.;
A0132407.ocx;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.DownLoader.origin;Incurable.Moved.;
A0132408.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132409.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132410.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132411.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132412.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132413.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.DownLoader.1518;Deleted.;
A0132414.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132415.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132416.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132417.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132418.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;BackDoor.Generic.665;Deleted.;
A0132419.dll;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Isbar.294;Deleted.;
A0132420.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132421.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132422.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Swizzor;Deleted.;
A0132423.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Isbar.260;Deleted.;
A0132424.dll;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Dyfuca;Deleted.;
A0132425.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Dyfuca;Deleted.;
A0132426.dll;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Isbar.294;Deleted.;
A0132427.dll;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Isbar.338;Deleted.;
A0132428.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.DownLoader.1631;Deleted.;
A0132429.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132430.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.DownLoader.466;Deleted.;
A0132431.ocx;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.DownLoader.1639;Deleted.;
A0132432.dll;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Dyfuca;Deleted.;
A0132433.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Click.240;Deleted.;
A0132434.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132435.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132436.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
A0132437.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.Stubby;Deleted.;
  • 0

#12
mpascal

mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
Everything looks good, are you still having any problems?
  • 0

#13
Cycloman

Cycloman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Not really experiencing any PC problems... I'm just generally paranoid about using my computer now, after my email account got hacked, and wanted to be sure there weren't any trojans/malware/keystroke recorder on my PC.

I use Outlook to access a Hotmail account, and so it remembers my password to access my messages from the Hotmail servers. After a few different friends told me that my account was sending out phishing emails ("I got an iPhone for only $400, click this link to get yours!" type of messages), I immediately changed my email address password, and thought to go to Geeks to Go for scanning advice, in case my computer was also compromised (since I figured that's how the phishing sender got my Hotmail password in the first place). To be safe, I've created a new Gmail account and told people to start emailing me there from now on.

Thanks a lot for all of your help and guidance, mpascal!

Edited by Cycloman, 28 March 2010 - 07:43 PM.

  • 0

#14
mpascal

mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
Not a problem, hopefully your email should be safe from now on. I'll now give you some instructions to remove the tools and some advice to prevent future infection.

STEP 1 - Clear Restore Points

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [CLEARALLRESTOREPOINTS]
  • Then click the Run Fix button at the top.
STEP 2 - Remove Tools

Run OTL
  • Click Clean Up in the upper right corner.
  • This will remove most if not all the tools we used while we were fixing your computer. Feel free to delete any others it leaves behind.
Now that you have a clean system, I would like to share with you some advice to help reduce the risk of future infection.

+++++++++++++++++++++++++++++++++++++++++++++++

I recommend that you install both of the following free programs if you haven't already, as they can greatly increase the security of your system. It is not essential that you have these programs installed, but they do a very good job at preventing infection if your system is scanned regularly.

+++++++++++++++++++++++++++++++++++++++++++++++

A good firewall is also useful for keeping a system infection free. You should only have ONE firewall installed on your computer - having more than one will not increase the security of your system. Here is a small list of some free firewalls

An antivirus program is also a program that should be installed on all computers. These will help reduce the risk that your computer gets infected by viruses or trojans in the future. Keep in mind that you only need ONE antivirus program installed on your computer. If you have more than one installed, they can often conflict and leave your system unprotected.

Having up to date Antivirus and Firewall software is vital to keeping a healthy, infection free system.

+++++++++++++++++++++++++++++++++++++++++++++++

To find out more information on how your system got infected, or how to protect yourself on the internet in the future, this article by Tony Klein provides some great information.

Good luck and safe surfing!

-mpascal
  • 0
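
A scan log like the Dr.Web one posted above is easier to act on once it is grouped by where each file was found. The records in that log are semicolon-separated (file name; directory; detection; action), and the directories fall into two groups: copies already sitting in the Norton quarantine folder, and copies inside `System Volume Information\_restore{...}\RPnnnn`, which are System Restore snapshots. The snapshot copies are the reason the helper's STEP 1 clears all restore points: a later System Restore would put those files back. The script below is an added example written for this thread, not Dr.Web's tooling and not anything the helper posted; the `Finding` field names and the three location classes (`quarantine`, `restore_point`, `live`) are my own naming, and the sample records are a subset copied from the log above.

```python
"""Summarise a Dr.Web CureIt!-style scan log by detection and by location.

Added example for this thread; it is not Dr.Web's own tooling and not code the
helper posted. The record layout (name;directory;detection;action;) is read off
the log above; the field names and location classes are assumptions of mine.
"""
from collections import Counter
from dataclasses import dataclass

# Sample records copied from the log posted in the thread (a small subset).
SAMPLE_LOG = r"""
169D231B.exe;C:\Program Files\Norton AntiVirus\Quarantine;Trojan.Stubby;Deleted.;
1B3C0D3F.exe;C:\Program Files\Norton AntiVirus\Quarantine;Adware.BargainBuddy;Incurable.Moved.;
57241FA5.exe;C:\Program Files\Norton AntiVirus\Quarantine;BackDoor.Generic.665;Deleted.;
A0132360.dll;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;IRC.Flood;Deleted.;
A0132361.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.DownLoader.1518;Deleted.;
A0132384.exe;C:\System Volume Information\_restore{6ADDDC2E-4D2D-4447-A4CC-8B488D0B4988}\RP1332;Trojan.MulDrop.2192;Incurable.Moved.;
"""


@dataclass(frozen=True)
class Finding:
    name: str        # file name as stored on disk
    directory: str   # folder the file was found in
    detection: str   # Dr.Web detection name
    action: str      # "Deleted" or "Incurable.Moved" (trailing dot stripped)

    @property
    def location(self) -> str:
        """Classify where the file sat; this decides how urgent the finding is."""
        d = self.directory.lower()
        if "\\system volume information\\_restore" in d:
            return "restore_point"   # dormant copy, revived by a System Restore
        if "\\quarantine" in d:
            return "quarantine"      # already neutralised by another scanner
        return "live"                # active on the file system: highest priority


def parse_log(text: str) -> list[Finding]:
    """Parse 'name;directory;detection;action;' lines; skip blanks and non-records."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) != 4:
            continue  # banner or status line, not a record
        name, directory, detection, action = (f.strip() for f in fields)
        findings.append(Finding(name, directory, detection, action.rstrip(".")))
    return findings


def summarise(findings: list[Finding]) -> dict:
    """Count findings by location, by detection name and by action taken."""
    return {
        "total": len(findings),
        "by_location": dict(Counter(f.location for f in findings)),
        "by_detection": dict(Counter(f.detection for f in findings)),
        "by_action": dict(Counter(f.action for f in findings)),
    }


def restore_point_ids(findings: list[Finding]) -> set[str]:
    """Restore points (RPnnnn) that hold infected files and should be cleared."""
    ids = set()
    for f in findings:
        if f.location == "restore_point":
            ids.add(f.directory.rsplit("\\", 1)[-1])
    return ids


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(summarise(found))
    print("infected restore points:", sorted(restore_point_ids(found)))
```

Run against the full log, the `live` bucket is the one to read first, since those files were active on the file system rather than already quarantined or frozen in a snapshot; in the posted log every record falls into `quarantine` or `restore_point`, which is consistent with the helper's conclusion that the system itself looked clean once the restore points were cleared.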

#15
mpascal

mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0