XP firewall virus infection



Klawdek
2011-03-22, 03:42
DDS data is at end of post and attached. First is a description of what happened.

Yesterday, while I was looking for pictures of an actress I like, I was infected with the XP firewall virus. (It seems those sites with pictures of stars are very dangerous.) It took over my system and I could not run anything. I booted into the safe mode admin account (other accounts could not be accessed, as the virus ran in those). I ran Spybot and it claimed to remove it along with 2 other things that were probably related. I then ran Avira, which also found a few things. I cannot find a report in Spybot that details what was found and removed. I did find a report in Avira as to what was found and removed. Here is a copy of the pertinent section of that report.

Begin scan in 'C:\'
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam.zip
[DETECTION] Contains suspicious code GEN/PwdZIP

--> Object
[DETECTION] Is the TR/Dropper.Gen Trojan
--> [PluginsDir]/ic1.exe
[DETECTION] Is the TR/Dldr.MSIL.Agent.TJ.1 Trojan

Beginning disinfection:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFakeAlertttam.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to the quarantine directory under the name '564133c8.qua'.

I am concerned that it found two objects that it did not seem to do anything about.

After running Spybot and Avira I ran malwarebytes which found a registry key involving the windows security and something about disableNotify. Unfortunately Malwarebytes made no log of the session.

All of the above was done in safe mode. When I went back to my regular account the XP firewall virus was still there and prevented use of the system. I then booted back to safe mode and restored the system to a restore point 1 day prior to when the problem started. The restoration worked and I am now able to use the system but am afraid this thing may not be gone. It evaded three different and well recommended anti malware/virus tools. So I think I really need to make sure this thing is gone and do something to prevent it from happening again.

Also, I know we are not supposed to run anti-virus fixes before coming here. However, I had to do all the above just to get my system back to be able to come here :(

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 20:20:12.17 on Mon 03/21/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1352 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Replay Media Catcher\FLVSrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\User\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: NXIECatcher Class: {83b80a9c-d91a-4f22-8dcf-ea7204039f79} - c:\program files\xi\netxfer\NXIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: NetXfer: {c16cbaac-a75c-4db5-a0dd-cdf5cafcdd3a} - c:\program files\xi\netxfer\NXToolBar.dll
uRun: [TrueCrypt] "c:\program files\truecrypt\TrueCrypt.exe" /q preferences /a logon
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Ask and Record FLV Service] "c:\program files\replay media catcher\FLVSrvc.exe" /run
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Clearwire Connection Manager] "c:\program files\clearwire\connection manager\ClearwireCM.exe" -a
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
IE: Download all by NetXfer - c:\program files\xi\netxfer\NXAddList.html
IE: Download by NetXfer - c:\program files\xi\netxfer\NXAddLink.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\rv51vow5.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 52323
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-30 64288]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-26 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-26 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-26 61960]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-7-15 35088]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 SMSI Device Launch Service;Clearwire Device Launch Service;c:\program files\clearwire\connection manager\DeviceLaunchSvc.exe [2009-11-9 107856]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-11 135664]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2009-10-1 282112]
S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2009-10-1 51712]
S3 CLEARWIRERcAppSvc;Clearwire RcAppSvc;c:\program files\clearwire\connection manager\RcAppSvc.exe [2009-11-9 120144]
S3 GSService;GSService;c:\windows\system32\GSService.exe [2011-3-15 122880]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
.
=============== File Associations ===============
.
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-03-22 00:35:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-22 00:35:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-21 11:29:50 0 ----a-w- c:\documents and settings\user\ntuser.tmp
2011-03-19 11:01:37 -------- d-----w- c:\docume~1\user\applic~1\Xi
2011-03-19 11:00:58 -------- d-----w- c:\program files\Xi
2011-03-19 05:47:36 49664 ----a-w- c:\windows\system32\CamCodec.dll
2011-03-19 05:47:36 -------- d-----w- c:\program files\CamStudio 2.6b
2011-03-15 06:24:05 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Jaksta_Technologies_Pty_L
2011-03-15 06:22:52 -------- d-----w- c:\docume~1\user\applic~1\Replay Media Catcher 4
2011-03-15 06:22:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Applian
2011-03-15 06:22:44 -------- d-----w- c:\program files\Applian Technologies
2011-03-15 05:51:33 -------- d-----w- c:\windows\SxsCaPendDel
2011-03-15 05:50:35 -------- d-----w- c:\program files\AnyMedia Player
2011-03-15 05:49:09 -------- d-----w- c:\program files\FLVCodec
2011-03-15 05:49:07 7680 ----a-w- c:\windows\system32\ff_vfw.dll
2011-03-15 05:49:06 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2011-03-15 05:49:05 -------- d-----w- c:\program files\ffdshow
2011-03-15 05:48:58 -------- d-----w- c:\program files\WinPcap
2011-03-15 05:48:52 122880 ----a-w- c:\windows\system32\GSService.exe
2011-03-15 05:48:51 -------- d-----w- c:\program files\RipTiger
2011-03-15 05:38:02 -------- d-----w- c:\docume~1\user\applic~1\Foxreal
2011-03-09 11:27:54 -------- d-----w- c:\program files\Fox
.
==================== Find3M ====================
.
2011-03-15 06:19:19 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2011-03-15 06:19:18 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2006-05-03 17:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 18:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 20:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
.
============= FINISH: 20:21:20.54 ===============
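An added triage example, not part of this thread and not code from DDS, OTL, Spybot or Malwarebytes: a small Python script that scans log lines in the DDS/OTL formats shown above for the indicators this thread turns on. It flags HOSTS entries that loop back a security site, a Firefox local-proxy preference (the network.proxy.http 127.0.0.1 / 52323 lines, which on this log are disabled because network.proxy.type is 0), an enabled IE ProxyEnable flag, and the Windows Security Center *DisableNotify values that the poster says Malwarebytes reported. The sample lines are copied from the logs above except the Security Center line, which is constructed; the security-domain list and the exact value names are the example's own assumptions.

```python
"""Triage DDS / OTL log lines for the indicators discussed in this thread.

Added example for this page; it is not the thread's own tooling. Sample
lines are taken from the posted logs except where marked as constructed.
"""
import re
from dataclasses import dataclass

# Domains a rogue "security" product tends to block so the victim cannot
# fetch removal tools. Assumed list for the example; tune it to taste.
SECURITY_DOMAINS = ("spywareinfo.com", "safer-networking.org", "malwarebytes.org")

HOSTS_RE = re.compile(r"^(?:O1 - )?Hosts:\s+(\S+)\s+(\S+)\s*$")
# DDS writes 'FF - prefs.js: name - value', OTL writes 'FF - prefs.js..name: "value"'
FF_PREF_RE = re.compile(
    r'^FF - prefs\.js(?::\s*|\.\.)(network\.proxy\.\w+)(?:\s+-\s+|:\s*)"?([^"]*)"?\s*$')
IE_PROXY_RE = re.compile(r'Internet Settings:\s*"ProxyEnable"\s*=\s*(\d+)')
# XP Security Center DWORDs that silence the "no firewall / no AV" balloons.
SC_NOTIFY_RE = re.compile(r'"?((?:AntiVirus|Firewall|Updates)DisableNotify)"?\s*=\s*(\d+)')


@dataclass
class Finding:
    severity: str  # "high": act on it; "review": confirm by hand first
    line: str
    reason: str


def triage(lines):
    """Return a list of Finding objects, in the order the evidence is met."""
    findings = []
    ff = {}  # Firefox network.proxy.* prefs, judged together after the pass
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip.startswith(("127.", "0.0.0.0")) and host.lower().endswith(SECURITY_DOMAINS):
                findings.append(Finding("review", line,
                    "loopback HOSTS entry for a security site; an immunization list "
                    "(Spybot, MVPS) also writes these, so confirm before removing"))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff[m.group(1)] = m.group(2)
            continue
        m = IE_PROXY_RE.search(line)
        if m and m.group(1) != "0":
            findings.append(Finding("high", line, "IE proxy enabled; inspect ProxyServer"))
            continue
        m = SC_NOTIFY_RE.search(line)
        if m and m.group(2) != "0":
            findings.append(Finding("high", line,
                f"{m.group(1)}=1 hides Security Center warnings, a rogue-AV trait"))
    host = ff.get("network.proxy.http")
    if host:
        where = f"network.proxy.http={host}:{ff.get('network.proxy.http_port', '?')}"
        if ff.get("network.proxy.type", "0") == "0":
            findings.append(Finding("review", where,
                "local HTTP proxy pref present but disabled (type 0); clear it anyway"))
        else:
            findings.append(Finding("high", where,
                "Firefox traffic goes through a local proxy; find the listener with "
                "netstat -ano (download helpers use this too, so identify the process)"))
    return findings


# Lines from the posted logs, plus one constructed Security Center line.
SAMPLE_LINES = [
    "Hosts: 127.0.0.1 www.spywareinfo.com",
    "FF - prefs.js: network.proxy.http - 127.0.0.1",
    "FF - prefs.js: network.proxy.http_port - 52323",
    "FF - prefs.js: network.proxy.type - 0",
    "O1 - Hosts: 127.0.0.1 www.007guard.com",
    "O1 - Hosts: 14840 more lines...",
    r'IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Microsoft'
    r'\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'HKLM\SOFTWARE\Microsoft\Security Center: "FirewallDisableNotify" = 1',  # constructed
]


def triage_sample():
    return triage(SAMPLE_LINES)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

On the posted logs this yields one "review" for the spywareinfo.com HOSTS line, one "high" for the constructed DisableNotify value, and one "review" for the disabled 127.0.0.1:52323 proxy pref; the same script would rate that proxy "high" if network.proxy.type were anything other than 0.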

ken545
2011-03-23, 12:28


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.



Let's do a few things.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.


When you run Malwarebytes, remove everything that's checked, and if WhiteSmoke is not checked, check it for removal also.

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report, please.


There is more to do, but I don't want to overwhelm you.

Klawdek
2011-03-24, 03:06
Thanks, the Malwarebytes log is attached in a zip file. It was too large to post.
It looks like it got rid of the WhiteSmoke toolbar, which I did not want and tried to disable and delete. I got it when I downloaded SUPER 2011, a well-recommended multimedia conversion software. I was immediately suspicious when I saw the layout of the web page. It had a style to it that reeked of scam. (Yes, you can sometimes tell something is wrong just by the way they laid out the web page.) Then the text went on WAY TOO MUCH about how there was no malware or spyware. When someone goes on too much about a quality they or their work possess or do not possess, they are almost always lying to themselves and others. (i.e. If you ever hire people and get one that goes on and on about how they are always on time, if you hire them I guarantee they will have a chronic tardiness problem.)

After checking around a second time, I downloaded SUPER 2011. It offered to install the well-known spyware program Real Media. I declined the installation and it was not installed. However, the annoying toolbar WhiteSmoke was installed. I uninstalled it, but it obviously did not go away completely.

There is also some confusion, as WhiteSmoke is also the name of a virus. I am not sure, but I think the two are different things. One is a virus, the other just another annoying useless toolbar (I hate toolbars!!!!).

SUPER 2011 turned out to be a very useful file conversion program. It is regrettable that the author chooses to distribute it bundled with such questionable products:sad:

ken545
2011-03-24, 09:14
Good Morning,

Real Media is spyware also; WhiteSmoke is a real nuisance. I saw some things in your DDS log that need to be fixed, so let's run this program.


Run ATF Cleaner again to get rid of anything that may be left over from WhiteSmoke that could be in a temp file.



OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

Klawdek
2011-03-24, 16:30
I ran OTL 2 times and it only gives the OTL.txt; it does not make the Extras.txt.

OTL logfile created on: 3/24/2011 10:23:09 AM - Run 3
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\User\My Documents\Downloads\02
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 27.81 Gb Free Space | 37.32% Space Free | Partition Type: NTFS
Drive E: | 3.81 Gb Total Space | 0.18 Gb Free Space | 4.74% Space Free | Partition Type: FAT32

Computer Name: USER-8E19CF174C | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Documents and Settings\User\My Documents\Downloads\02\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe ()
PRC - C:\Program Files\Replay Media Catcher\FLVSrvc.exe (Applian Technologies, Inc.)
PRC - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
PRC - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)
PRC - C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Apoint\hidfind.exe (Alps Electric Co., Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\User\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll (Applian Technologies, Inc.)
MOD - C:\Documents and Settings\User\My Documents\Downloads\02\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (DataSvr2) -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe File not found
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (GSService) -- C:\WINDOWS\System32\GSService.exe ()
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (CLEARWIRERcAppSvc) -- C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe (SmithMicro Inc.)
SRV - (SMSI Device Launch Service) -- C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe ()
SRV - (Nero BackItUp Scheduler 4.0) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (NICCONFIGSVC) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
SRV - (IviRegMgr) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)


========== Driver Services (SafeList) ==========

DRV - (UIUSys) -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS File not found
DRV - (OMCI) -- C:\WINDOWS\System32\DRIVERS\OMCI.SYS File not found
DRV - (NETw5x32) Intel(R) -- C:\WINDOWS\System32\DRIVERS\NETw5x32.sys File not found
DRV - (catchme) -- C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys File not found
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (truecrypt) -- C:\WINDOWS\System32\drivers\truecrypt.sys (TrueCrypt Foundation)
DRV - (npf) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (appliandMP) -- C:\WINDOWS\system32\drivers\appliand.sys (Applian Technologies Inc.)
DRV - (appliand) -- C:\WINDOWS\system32\drivers\appliand.sys (Applian Technologies Inc.)
DRV - (PCTINDIS5) -- C:\WINDOWS\system32\PCTINDIS5.sys (Smith Micro Inc.)
DRV - (bcmbusctr) -- C:\WINDOWS\system32\drivers\BcmBusCtr.sys (Beceem communications pvt ltd.)
DRV - (bcm) -- C:\WINDOWS\system32\drivers\drxvi314.sys (Beceem communications pvt ltd.)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (guardian2) -- C:\WINDOWS\system32\drivers\oz776.sys (O2Micro)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (regi) -- C:\WINDOWS\system32\drivers\regi.sys (InterVideo)
DRV - (TcUsb) -- C:\WINDOWS\system32\drivers\tcusb.sys (UPEK Inc.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (DSproct) -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys (GTek Technologies Ltd.)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL) -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (Iviaspi) -- C:\WINDOWS\system32\drivers\iviaspi.sys (InterVideo, Inc.)
DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (ULCDRHlp) -- C:\WINDOWS\system32\drivers\ULCDRHlp.sys (Ulead Systems, Inc.)
DRV - (NSNDIS5) -- C:\WINDOWS\system32\nsndis5.sys (Printing Communications Assoc., Inc. (PCAUSA))


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9C D5 24 59 F5 03 CA 01 [binary data]
IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.yahoo.com/
IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 52323
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/15 00:37:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/15 00:37:45 | 000,000,000 | ---D | M]

[2010/03/24 17:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2011/03/23 19:49:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions
[2010/07/08 20:05:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/02/06 07:24:26 | 000,000,000 | ---D | M] (WhiteSmoke Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}
[2010/08/04 22:20:34 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/03/23 05:19:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/17 14:14:58 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/05/04 15:38:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/03/16 06:25:57 | 000,430,388 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 14840 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (NXIECatcher Class) - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll (Xi)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (NetXfer) - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll (Xi)
O3 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Ask and Record FLV Service] C:\Program Files\Replay Media Catcher\FLVSrvc.exe (Applian Technologies, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [Clearwire Connection Manager] C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe (ClearwireCM)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKU\S-1-5-21-1844237615-764733703-682003330-1003..\Run: [TrueCrypt] C:\Program Files\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = False
O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html ()
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html ()
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/03 12:17:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/24 03:00:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/03/24 01:21:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\Zombie RoadKill
[2011/03/21 23:19:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\MSDN
[2011/03/21 20:18:00 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/03/19 06:05:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\NetXfer
[2011/03/19 06:01:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Xi
[2011/03/19 06:00:58 | 000,000,000 | ---D | C] -- C:\Program Files\Xi
[2011/03/19 00:47:36 | 000,049,664 | ---- | C] (CamStudio Group) -- C:\WINDOWS\System32\CamCodec.dll
[2011/03/19 00:47:36 | 000,000,000 | ---D | C] -- C:\Program Files\CamStudio 2.6b
[2011/03/15 01:24:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Jaksta_Technologies_Pty_L
[2011/03/15 01:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Replay Media Catcher 4
[2011/03/15 01:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Applian
[2011/03/15 01:22:44 | 000,000,000 | ---D | C] -- C:\Program Files\Applian Technologies
[2011/03/15 00:51:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2011/03/15 00:50:35 | 000,000,000 | ---D | C] -- C:\Program Files\AnyMedia Player
[2011/03/15 00:49:09 | 000,000,000 | ---D | C] -- C:\Program Files\FLVCodec
[2011/03/15 00:49:06 | 000,060,273 | ---- | C] (Open Source Software community project) -- C:\WINDOWS\System32\pthreadGC2.dll
[2011/03/15 00:49:05 | 000,000,000 | ---D | C] -- C:\Program Files\ffdshow
[2011/03/15 00:48:58 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2011/03/15 00:48:51 | 000,000,000 | ---D | C] -- C:\Program Files\RipTiger
[2011/03/15 00:40:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Foxreal
[2011/03/15 00:38:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Foxreal
[2011/03/09 06:27:54 | 000,000,000 | ---D | C] -- C:\Program Files\Fox
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\User\*.tmp files -> C:\Documents and Settings\User\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/24 10:20:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2D4D1D3B-05AD-4C66-8484-B628F282445D}.job
[2011/03/24 07:13:32 | 000,169,453 | ---- | M] () -- C:\Documents and Settings\User\My Documents\CartridgeComparison.jpg
[2011/03/23 20:25:46 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\cbyethk.sys
[2011/03/23 19:52:17 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/23 19:52:17 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/23 19:47:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/22 02:41:37 | 000,078,292 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Icon-Browser-Firefox-Alt2.png
[2011/03/21 23:32:16 | 000,001,035 | ---- | M] () -- C:\Documents and Settings\User\Desktop\FireFox Limited User.lnk
[2011/03/21 20:43:36 | 000,004,372 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Attach.zip
[2011/03/21 20:18:01 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\User\Desktop\NTREGOPT.lnk
[2011/03/21 20:18:01 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ERUNT.lnk
[2011/03/21 19:37:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/21 19:28:24 | 000,015,780 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
[2011/03/21 19:28:24 | 000,015,780 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
[2011/03/21 06:26:29 | 000,001,608 | ---- | M] () -- C:\Documents and Settings\User\Application Data\902E.36B
[2011/03/21 00:36:55 | 000,107,103 | ---- | M] () -- C:\Documents and Settings\User\My Documents\296021045onLQMT_ph.jpg
[2011/03/21 00:36:07 | 000,164,429 | ---- | M] () -- C:\Documents and Settings\User\My Documents\HunterBagent.jpg
[2011/03/21 00:34:39 | 000,194,508 | ---- | M] () -- C:\Documents and Settings\User\My Documents\shawn_johnson_camp_woodward_09.jpg
[2011/03/21 00:34:07 | 000,051,610 | ---- | M] () -- C:\Documents and Settings\User\My Documents\4-4.jpg
[2011/03/21 00:33:52 | 000,066,039 | ---- | M] () -- C:\Documents and Settings\User\My Documents\CampWoodward.jpg
[2011/03/21 00:33:39 | 000,007,381 | ---- | M] () -- C:\Documents and Settings\User\My Documents\images.jpeg
[2011/03/21 00:32:53 | 000,152,656 | ---- | M] () -- C:\Documents and Settings\User\My Documents\13.jpg
[2011/03/21 00:32:09 | 000,163,825 | ---- | M] () -- C:\Documents and Settings\User\My Documents\11.jpg
[2011/03/20 07:58:21 | 000,221,727 | ---- | M] () -- C:\Documents and Settings\User\My Documents\LWpepperspray.pdf
[2011/03/20 06:25:28 | 000,547,407 | ---- | M] () -- C:\Documents and Settings\User\My Documents\wallpaper_1600x1280_04.jpg
[2011/03/20 04:34:55 | 000,756,214 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Archer - What What Pirate Virus.flv
[2011/03/20 04:32:15 | 000,510,790 | ---- | M] () -- C:\Documents and Settings\User\My Documents\archer-pirate-virus.gif
[2011/03/19 06:01:08 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Net Transport.lnk
[2011/03/19 06:01:08 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FTP Transport.lnk
[2011/03/17 22:11:51 | 000,137,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/03/16 06:25:57 | 000,430,388 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/16 03:01:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/15 12:36:34 | 000,188,416 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/15 02:26:04 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Launch Gravity 2.9.lnk
[2011/03/15 01:22:48 | 000,001,956 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Replay Media Catcher 4.lnk
[2011/03/15 01:19:19 | 000,156,672 | ---- | M] (Radioactive) -- C:\WINDOWS\System32\rmc_fixasf.exe
[2011/03/15 01:19:18 | 000,237,568 | ---- | M] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2011/03/04 08:27:41 | 000,429,882 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110316-062557.backup
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\User\*.tmp files -> C:\Documents and Settings\User\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/24 07:13:32 | 000,169,453 | ---- | C] () -- C:\Documents and Settings\User\My Documents\CartridgeComparison.jpg
[2011/03/23 20:25:46 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\cbyethk.sys
[2011/03/22 02:41:36 | 000,078,292 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Icon-Browser-Firefox-Alt2.png
[2011/03/21 23:23:02 | 000,001,035 | ---- | C] () -- C:\Documents and Settings\User\Desktop\FireFox Limited User.lnk
[2011/03/21 20:43:36 | 000,004,372 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Attach.zip
[2011/03/21 20:18:01 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\User\Desktop\NTREGOPT.lnk
[2011/03/21 20:18:01 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ERUNT.lnk
[2011/03/21 06:26:24 | 000,015,780 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
[2011/03/21 06:26:24 | 000,015,780 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
[2011/03/21 06:25:55 | 000,001,608 | ---- | C] () -- C:\Documents and Settings\User\Application Data\902E.36B
[2011/03/21 00:36:55 | 000,107,103 | ---- | C] () -- C:\Documents and Settings\User\My Documents\296021045onLQMT_ph.jpg
[2011/03/21 00:36:06 | 000,164,429 | ---- | C] () -- C:\Documents and Settings\User\My Documents\HunterBagent.jpg
[2011/03/21 00:34:38 | 000,194,508 | ---- | C] () -- C:\Documents and Settings\User\My Documents\shawn_johnson_camp_woodward_09.jpg
[2011/03/21 00:34:07 | 000,051,610 | ---- | C] () -- C:\Documents and Settings\User\My Documents\4-4.jpg
[2011/03/21 00:33:52 | 000,066,039 | ---- | C] () -- C:\Documents and Settings\User\My Documents\CampWoodward.jpg
[2011/03/21 00:33:39 | 000,007,381 | ---- | C] () -- C:\Documents and Settings\User\My Documents\images.jpeg
[2011/03/21 00:32:53 | 000,152,656 | ---- | C] () -- C:\Documents and Settings\User\My Documents\13.jpg
[2011/03/21 00:32:09 | 000,163,825 | ---- | C] () -- C:\Documents and Settings\User\My Documents\11.jpg
[2011/03/20 07:58:21 | 000,221,727 | ---- | C] () -- C:\Documents and Settings\User\My Documents\LWpepperspray.pdf
[2011/03/20 06:25:28 | 000,547,407 | ---- | C] () -- C:\Documents and Settings\User\My Documents\wallpaper_1600x1280_04.jpg
[2011/03/20 04:34:53 | 000,756,214 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Archer - What What Pirate Virus.flv
[2011/03/20 04:32:15 | 000,510,790 | ---- | C] () -- C:\Documents and Settings\User\My Documents\archer-pirate-virus.gif
[2011/03/19 06:01:08 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Net Transport.lnk
[2011/03/19 06:01:08 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FTP Transport.lnk
[2011/03/15 01:22:48 | 000,001,956 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Replay Media Catcher 4.lnk
[2011/03/15 00:49:07 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/03/15 00:48:52 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\GSService.exe
[2011/02/06 07:37:22 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2010/07/27 00:58:38 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/07/15 19:45:44 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2010/07/13 01:51:24 | 000,002,432 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/10 16:55:39 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2010/05/07 00:02:14 | 000,000,187 | ---- | C] () -- C:\Documents and Settings\User\Application Data\default.rss
[2010/05/07 00:02:14 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\Application Data\downloads.m3u
[2010/05/06 23:58:32 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/12 13:13:25 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2010/04/04 20:56:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\syscheck.INI
[2010/03/31 21:41:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PCFriend.INI
[2010/03/19 14:51:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2009/11/06 10:54:46 | 000,188,416 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/03 12:58:02 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[2009/05/03 12:17:42 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\fusioncache.dat
[2009/05/03 10:50:31 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/05/03 10:50:31 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/05/03 10:50:30 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/05/03 10:50:29 | 001,482,752 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/05/03 10:45:25 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
[2009/05/03 05:08:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/09/08 10:30:44 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\detoured.dll
[1998/07/24 00:54:06 | 000,083,968 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll
[1998/07/15 22:44:30 | 000,134,656 | ---- | C] () -- C:\WINDOWS\System32\itijpg2.dll

========== LOP Check ==========

[2011/03/15 01:22:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applian
[2010/10/03 17:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Clearwire
[2010/09/30 14:32:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TrueCrypt
[2009/05/04 09:21:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UIB
[2010/03/18 17:53:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/05/03 12:17:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
[2010/06/12 22:23:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/04/30 17:38:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/10/02 04:17:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Fudge Muffin\Application Data\Clearwire
[2010/09/29 14:31:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Clearwire
[2011/03/15 00:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Foxreal
[2011/03/24 06:52:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\GrabIt
[2010/06/10 21:25:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Gravity
[2011/02/06 01:57:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Gui4Cli
[2010/03/18 21:54:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\InterVideo
[2011/03/15 01:24:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Replay Media Catcher 4
[2010/09/30 16:18:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\TrueCrypt
[2010/03/18 17:53:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Ulead Systems
[2009/05/03 12:26:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Wave Systems Corp
[2011/03/19 06:01:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Xi
[2011/03/24 10:20:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{2D4D1D3B-05AD-4C66-8484-B628F282445D}.job

========== Purity Check ==========



< End of report >
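
The O1 section of the log above is thousands of 127.0.0.1 entries, which is what Spybot's immunization writes into the hosts file and is harmless. The hosts-file change a responder actually needs to look for on a rogue-"firewall" infection is the opposite kind: a hostname pointed at a non-loopback address, or a loopback entry for the update hosts the real scanners need. The script below is an added example, not code from this thread, from OTL or from Spybot; the PROTECTED watch-list and the two entries after the comment in SAMPLE are assumptions constructed for the example (203.0.113.10 is an RFC 5737 documentation address), everything else in SAMPLE is copied from the log above.

```python
import ipaddress
import re

# Added example (not code from this thread, OTL or Spybot): triage hosts-file
# entries such as the O1 lines in the OTL log. Thousands of 127.0.0.1 sinkholes
# for ad/malware domains are benign blocklist entries. What matters is
# (a) any hostname sent somewhere other than loopback (hijack of banking or
# AV domains) and (b) loopback entries for hosts the machine must reach for
# AV/OS updates, which starves real scanners of signatures.

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")   # OTL/HijackThis O1 line
HOSTS_RE = re.compile(r"^\s*(\S+)\s+(\S+)")                # raw hosts-file line

LOOPBACK_SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Hypothetical watch-list (assumption for this example): vendor and update
# hostnames that must never be sinkholed on a machine being cleaned.
PROTECTED = (
    "windowsupdate.com", "microsoft.com", "avira.com", "malwarebytes.org",
    "safer-networking.org", "eset.com", "virustotal.com",
)


def parse_entry(line):
    """Return (ip, hostname) for an O1 line or a raw hosts line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = O1_RE.match(line) or HOSTS_RE.match(line)
    if not m:
        return None
    ip, host = m.group(1), m.group(2).lower()
    try:
        ipaddress.ip_address(ip)          # rejects lines whose first token is not an address
    except ValueError:
        return None
    return ip, host


def is_protected(host):
    return any(host == p or host.endswith("." + p) for p in PROTECTED)


def triage(lines):
    """Bucket entries: 'localhost', 'sinkhole' (benign blocklist),
    'blocks_updates' (loopback entry for a protected host) and
    'redirect' (hostname sent to a non-loopback address)."""
    buckets = {"localhost": [], "sinkhole": [], "blocks_updates": [],
               "redirect": [], "skipped": 0}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            buckets["skipped"] += 1
            continue
        ip, host = entry
        if ip in LOOPBACK_SINKHOLES and host in ("localhost", "localhost.localdomain"):
            buckets["localhost"].append(entry)
        elif ip in LOOPBACK_SINKHOLES and is_protected(host):
            buckets["blocks_updates"].append(entry)
        elif ip in LOOPBACK_SINKHOLES:
            buckets["sinkhole"].append(entry)
        else:
            buckets["redirect"].append(entry)
    return buckets


# Constructed sample: the 007guard/008i/0scan lines are copied from the OTL log;
# the localhost line and the two entries after the comment are made up for this
# example and are NOT in the log.
SAMPLE = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 14840 more lines...
# constructed entries follow
O1 - Hosts: 203.0.113.10 www.bank.example
O1 - Hosts: 127.0.0.1 www.avira.com
"""

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE.splitlines()).items():
        print(bucket, entries)
```

Run it against `C:\WINDOWS\System32\drivers\etc\hosts` (or the O1 section of an OTL log) by feeding the file's lines to `triage()`; anything in `redirect` or `blocks_updates` is worth keeping a copy of before an OTL `[resethosts]` wipes it, because those entries tell you what the malware was trying to reach or block.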

ken545
2011-03-25, 00:16
OTL logs need some time to look over; in the meantime, do this please.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended that you disable your onboard antivirus and antispyware programs while performing scans, so there are no conflicts; it will also speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the ESET Online Scanner button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click the ESET Smart Installer link to download the ESET Smart Installer. Save it to your desktop.
Double click on the ESET Smart Installer icon on your desktop.

Check the box to accept the terms of use.
Click the Start button.
Accept any security warnings from your browser.
Check the Scan archives box.
Make sure that the option "Remove found threats" is Unchecked.
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push List found threats.
Push Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish.
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

Klawdek
2011-03-25, 04:15
Here is the ESET log.

C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\54\300d4776-2138de16 Win32/Cycbot.AF trojan

Klawdek
2011-03-25, 07:55
I do not know if this information is of any use to you but here it is.

The file mentioned in the ESET log was last updated at the date and time of the attack I initially described.

I looked up Win32/Cycbot.AF trojan and found some info here:
http://www.eset.eu/encyclopaedia/win32-cycbot-af-trojan-scar-drqx-backdoor-gbot-origin

Some registry keys are mentioned. I looked at (but did NOT change) the system registry and the keys mentioned that are used to start the backdoor bot are not present. I am hoping that one of the virus programs I ran to try and get access back to my system or one of the things you had me do deleted these keys and the backdoor was never really opened.

ken545
2011-03-25, 12:05
Hi,

Go to your Control Panel and open up Java; you will see an option to clear the Java cache. Do that.
http://www.java.com/en/download/help/plugin_cache.xml

You need to enable Windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis: just use the BROWSE feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has already been checked, have them check it again.

c:\windows\system32\GSService.exe
C:\WINDOWS\System32\itijpg2.dll


If the site is busy you can try this one
http://virusscan.jotti.org/en

Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

:processes
killallprocesses

:OTL

[2011/02/06 07:24:26 | 000,000,000 | ---D | M] (WhiteSmoke Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}
[2011/03/04 08:27:41 | 000,429,882 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110316-062557.backup


:Services

:Reg

:Files



:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top (not Run Scan).
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Klawdek
2011-03-25, 12:50
VirusTotal logs

File name:
GSService.exe
Submission date:
2011-03-25 11:28:34 (UTC)
Current status: finished
Result:
0/ 43 (0.0%)


Antivirus Version Last Update Result
AhnLab-V3 2011.03.25.01 2011.03.25 -
AntiVir 7.11.5.70 2011.03.25 -
Antiy-AVL 2.0.3.7 2011.03.25 -
Avast 4.8.1351.0 2011.03.25 -
Avast5 5.0.677.0 2011.03.25 -
AVG 10.0.0.1190 2011.03.25 -
BitDefender 7.2 2011.03.25 -
CAT-QuickHeal 11.00 2011.03.25 -
ClamAV 0.96.4.0 2011.03.25 -
Commtouch 5.2.11.5 2011.03.24 -
Comodo 8098 2011.03.25 -
DrWeb 5.0.2.03300 2011.03.25 -
Emsisoft 5.1.0.4 2011.03.25 -
eSafe 7.0.17.0 2011.03.24 -
eTrust-Vet 36.1.8235 2011.03.25 -
F-Prot 4.6.2.117 2011.03.24 -
F-Secure 9.0.16440.0 2011.03.23 -
Fortinet 4.2.254.0 2011.03.25 -
GData 21 2011.03.25 -
Ikarus T3.1.1.97.0 2011.03.25 -
Jiangmin 13.0.900 2011.03.25 -
K7AntiVirus 9.94.4211 2011.03.25 -
Kaspersky 7.0.0.125 2011.03.25 -
McAfee 5.400.0.1158 2011.03.25 -
McAfee-GW-Edition 2010.1C 2011.03.25 -
Microsoft 1.6702 2011.03.25 -
NOD32 5984 2011.03.25 -
Norman 6.07.03 2011.03.24 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.24 -
PCTools 7.0.3.5 2011.03.25 -
Prevx 3.0 2011.03.25 -
Rising 23.50.04.05 2011.03.25 -
Sophos 4.64.0 2011.03.25 -
SUPERAntiSpyware 4.40.0.1006 2011.03.25 -
Symantec 20101.3.0.103 2011.03.25 -
TheHacker 6.7.0.1.156 2011.03.24 -
TrendMicro 9.200.0.1012 2011.03.25 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.25 -
VBA32 3.12.14.3 2011.03.24 -
VIPRE 8813 2011.03.25 -
ViRobot 2011.3.25.4376 2011.03.25 -
VirusBuster 13.6.268.0 2011.03.24 -
Additional information
MD5 : f5527be60d0f7e0b3e12abdac3262b5d
SHA1 : 75c4ca70bec9bc44f87b42527e363f8814f49abc
SHA256: f70726dff55d4745ef0bb3a981aebe2bd2a471d6d3f444f92a3781fbcb32d4a8
ssdeep: 1536:4PnkM9gy6EcWou7jpNCW+BhecI6jCAksPC8ZAKwxqsbA5nNS8jiO1khu0Woc2SYY:4kM6y6EbxgjCAkv8ZAKwzA5NSJOU8ocJ

Klawdek
2011-03-25, 12:51
VirusTotal logs:

File name:
itijpg2.dll
Submission date:
2011-03-25 11:39:07 (UTC)
Current status: finished
Result:
1/ 41 (2.4%)

Antivirus Version Last Update Result
AhnLab-V3 2011.03.25.01 2011.03.25 -
AntiVir 7.11.5.70 2011.03.25 -
Antiy-AVL 2.0.3.7 2011.03.25 -
Avast 4.8.1351.0 2011.03.25 -
Avast5 5.0.677.0 2011.03.25 -
AVG 10.0.0.1190 2011.03.25 -
BitDefender 7.2 2011.03.25 -
CAT-QuickHeal 11.00 2011.03.25 -
ClamAV 0.96.4.0 2011.03.25 -
Commtouch 5.2.11.5 2011.03.24 -
Comodo 8098 2011.03.25 -
DrWeb 5.0.2.03300 2011.03.25 -
eSafe 7.0.17.0 2011.03.24 -
eTrust-Vet 36.1.8235 2011.03.25 -
F-Prot 4.6.2.117 2011.03.24 -
F-Secure 9.0.16440.0 2011.03.23 -
Fortinet 4.2.254.0 2011.03.25 -
GData 21 2011.03.25 -
Ikarus T3.1.1.97.0 2011.03.25 -
Jiangmin 13.0.900 2011.03.25 -
K7AntiVirus 9.94.4211 2011.03.25 -
McAfee 5.400.0.1158 2011.03.25 -
McAfee-GW-Edition 2010.1C 2011.03.25 -
Microsoft 1.6702 2011.03.25 -
NOD32 5984 2011.03.25 -
Norman 6.07.03 2011.03.24 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.24 -
PCTools 7.0.3.5 2011.03.25 -
Prevx 3.0 2011.03.25 -
Rising 23.50.04.05 2011.03.25 -
Sophos 4.64.0 2011.03.25 -
SUPERAntiSpyware 4.40.0.1006 2011.03.25 -
Symantec 20101.3.0.103 2011.03.25 WS.Reputation.1
TheHacker 6.7.0.1.156 2011.03.24 -
TrendMicro 9.200.0.1012 2011.03.25 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.25 -
VBA32 3.12.14.3 2011.03.24 -
VIPRE 8813 2011.03.25 -
ViRobot 2011.3.25.4376 2011.03.25 -
VirusBuster 13.6.268.0 2011.03.24 -
Additional information
MD5 : ac7f590cad75ed93229f61e3f3612d35
SHA1 : c6a162dc714cf32cb769e3bb5241f8570c701507
SHA256: eae0a03bc0428c14f4a1d87cf1e06bdda6b1b3829b05506d7892708a3b500d62
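
A check worth doing on the two VirusTotal pastes above before reading anything into a 0/43 or 1/41 verdict: confirm that the MD5/SHA1/SHA256 in the report are the hashes of the file actually sitting in System32. When VirusTotal says a file "has already been checked", the verdict you get is for whatever someone uploaded earlier under that hash, and a paste with a mistyped hash proves nothing about the bytes on disk. The script below is an added example, not code from this thread or from VirusTotal; SAMPLE_REPORT is a constructed, abbreviated copy of the itijpg2.dll report (five of its 41 engine rows kept, hashes as pasted), and the bytes used in the hash check are made up because the DLL itself is not on this page.

```python
import hashlib
import hmac
import re

# Added example (not code from this thread or from VirusTotal): parse a pasted
# VirusTotal text report, list the engines that flagged the file, and check
# that the hashes the report lists are the hashes of the file you hold.

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")   # engine ver sigdate result
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]+)\s*$")
RATIO_RE = re.compile(r"^(\d+)\s*/\s*(\d+)")                             # "1/ 41 (2.4%)"
CLEAN = "-"                                                               # VT's "no detection" marker


def parse_vt_report(text):
    """Return {'hashes': {md5|sha1|sha256: hex}, 'ratio': (hits, engines) or None,
    'rows': [(engine, version, sigdate, result), ...]} from a pasted report."""
    report = {"hashes": {}, "ratio": None, "rows": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_RE.match(line)
        if m:
            report["hashes"][m.group(1).lower()] = m.group(2).lower()
            continue
        m = RATIO_RE.match(line)
        if m and report["ratio"] is None:
            report["ratio"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = ROW_RE.match(line)
        if m:
            report["rows"].append(m.groups())
    return report


def detections(report):
    """(engine, verdict) for every engine whose result is not the clean marker."""
    return [(eng, res.strip()) for eng, _ver, _date, res in report["rows"]
            if res.strip() and res.strip() != CLEAN]


def file_hashes(data):
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_hashes(data, reported):
    """True only if every hash the report lists matches `data`.
    A report that lists no hashes verifies nothing, so it returns False."""
    if not reported:
        return False
    local = file_hashes(data)
    return all(name in local and hmac.compare_digest(local[name], value.lower())
               for name, value in reported.items())


# Constructed sample: abbreviated copy of the itijpg2.dll report from the thread
# (five of the 41 engine rows kept; hashes as pasted).
SAMPLE_REPORT = """\
File name:
itijpg2.dll
Submission date:
2011-03-25 11:39:07 (UTC)
Result:
1/ 41 (2.4%)

Antivirus Version Last Update Result
AhnLab-V3 2011.03.25.01 2011.03.25 -
AntiVir 7.11.5.70 2011.03.25 -
Microsoft 1.6702 2011.03.25 -
NOD32 5984 2011.03.25 -
Symantec 20101.3.0.103 2011.03.25 WS.Reputation.1
MD5 : ac7f590cad75ed93229f61e3f3612d35
SHA1 : c6a162dc714cf32cb769e3bb5241f8570c701507
SHA256: eae0a03bc0428c14f4a1d87cf1e06bdda6b1b3829b05506d7892708a3b500d62
"""

if __name__ == "__main__":
    rep = parse_vt_report(SAMPLE_REPORT)
    print("ratio:", rep["ratio"], "flagged:", detections(rep))
    # The DLL's bytes are not available here, so made-up bytes must fail the check.
    print("report matches local bytes:", verify_hashes(b"not the real dll", rep["hashes"]))
```

To use it for real, read the file with `open(path, "rb").read()` and pass those bytes with the parsed report's `hashes`; only when `verify_hashes()` returns True does the detection list apply to the file on your disk. Note also that WS.Reputation.1 is Symantec's low-prevalence reputation heuristic rather than a signature match, which is why a single such hit on a 1998-dated DLL is weak evidence on its own.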

Klawdek
2011-03-25, 13:05
Here is the OTL run fixes log:

All processes killed
========== PROCESSES ==========
========== OTL ==========
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\components folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\searchbar folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\options folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\weatherbutton\panels\images folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\weatherbutton\panels folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\weatherbutton\icons folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\weatherbutton folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\uwa folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\radio\images folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\radio\css folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\radio folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels\images folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels\default\scripts folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels\default\images folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels\default\css folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels\default folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels\css folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib\panels folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\lib folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\DTXWizard\skin\icon_library\Basics folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\DTXWizard\skin\icon_library folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\DTXWizard\skin folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin\DTXWizard folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\skin folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\data\weather folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\data\search folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\data\rss folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\data\dynamicElements folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\data folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\skin\scripts folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\skin\images folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\skin\css folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\skin folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\js folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\images folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube\css folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.YouTube folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.WebTV\skin\scripts folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.WebTV\skin\images folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.WebTV\skin\css folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.WebTV\skin folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.WebTV folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\skin\scripts folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\skin\images folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\skin\css folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\skin folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\js folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\images folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter\css folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Twitter folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Facebook\skin\scripts folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Facebook\skin\images folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Facebook\skin\css folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Facebook\skin folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets\net.vmn.www.Facebook folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\widgets folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\newtab\images folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\newtab folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\modules folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content\lib folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome\content folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889}\chrome folder moved successfully.
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{52794457-af6c-4c50-9def-f2e24f4c8889} folder moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20110316-062557.backup moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Fudge Muffin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 69735750 bytes
->Flash cache emptied: 456 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: User
->Temp folder emptied: 17752 bytes
->Temporary Internet Files folder emptied: 8378903 bytes
->Java cache emptied: 12147831 bytes
->FireFox cache emptied: 111935770 bytes
->Flash cache emptied: 228091 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2195181 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17408 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 880367 bytes
RecycleBin emptied: 70226 bytes

Total Files Cleaned = 196.00 mb


OTL by OldTimer - Version 3.2.17.3 log created on 03252011_065705

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Klawdek
2011-03-25, 14:06
Here is the OTL scan report:

OTL logfile created on: 3/25/2011 7:08:14 AM - Run 4
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\User\My Documents\Downloads\02
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 27.80 Gb Free Space | 37.30% Space Free | Partition Type: NTFS
Drive E: | 3.81 Gb Total Space | 0.18 Gb Free Space | 4.74% Space Free | Partition Type: FAT32

Computer Name: USER-8E19CF174C | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Documents and Settings\User\My Documents\Downloads\02\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe ()
PRC - C:\Program Files\Replay Media Catcher\FLVSrvc.exe (Applian Technologies, Inc.)
PRC - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
PRC - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)
PRC - C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Apoint\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Apoint\hidfind.exe (Alps Electric Co., Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\User\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll (Applian Technologies, Inc.)
MOD - C:\Documents and Settings\User\My Documents\Downloads\02\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (DataSvr2) -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe File not found
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (GSService) -- C:\WINDOWS\System32\GSService.exe ()
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (CLEARWIRERcAppSvc) -- C:\Program Files\Clearwire\Connection Manager\RcAppSvc.exe (SmithMicro Inc.)
SRV - (SMSI Device Launch Service) -- C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe ()
SRV - (Nero BackItUp Scheduler 4.0) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (NICCONFIGSVC) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
SRV - (IviRegMgr) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)


========== Driver Services (SafeList) ==========

DRV - (UIUSys) -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS File not found
DRV - (OMCI) -- C:\WINDOWS\System32\DRIVERS\OMCI.SYS File not found
DRV - (NETw5x32) Intel(R) -- C:\WINDOWS\System32\DRIVERS\NETw5x32.sys File not found
DRV - (catchme) -- C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys File not found
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (truecrypt) -- C:\WINDOWS\System32\drivers\truecrypt.sys (TrueCrypt Foundation)
DRV - (npf) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (appliandMP) -- C:\WINDOWS\system32\drivers\appliand.sys (Applian Technologies Inc.)
DRV - (appliand) -- C:\WINDOWS\system32\drivers\appliand.sys (Applian Technologies Inc.)
DRV - (PCTINDIS5) -- C:\WINDOWS\system32\PCTINDIS5.sys (Smith Micro Inc.)
DRV - (bcmbusctr) -- C:\WINDOWS\system32\drivers\BcmBusCtr.sys (Beceem communications pvt ltd.)
DRV - (bcm) -- C:\WINDOWS\system32\drivers\drxvi314.sys (Beceem communications pvt ltd.)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (guardian2) -- C:\WINDOWS\system32\drivers\oz776.sys (O2Micro)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (regi) -- C:\WINDOWS\system32\drivers\regi.sys (InterVideo)
DRV - (TcUsb) -- C:\WINDOWS\system32\drivers\tcusb.sys (UPEK Inc.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (DSproct) -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys (GTek Technologies Ltd.)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL) -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (Iviaspi) -- C:\WINDOWS\system32\drivers\iviaspi.sys (InterVideo, Inc.)
DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (ULCDRHlp) -- C:\WINDOWS\system32\drivers\ULCDRHlp.sys (Ulead Systems, Inc.)
DRV - (NSNDIS5) -- C:\WINDOWS\system32\nsndis5.sys (Printing Communications Assoc., Inc. (PCAUSA))


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9C D5 24 59 F5 03 CA 01 [binary data]
IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.yahoo.com/
IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 52323
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/15 00:37:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/15 00:37:45 | 000,000,000 | ---D | M]

[2010/03/24 17:29:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2011/03/25 07:02:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions
[2010/07/08 20:05:46 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/04 22:20:34 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\rv51vow5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/03/23 05:19:22 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/17 14:14:58 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/05/04 15:38:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/03/25 06:57:12 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (NXIECatcher Class) - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll (Xi)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (NetXfer) - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll (Xi)
O3 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Ask and Record FLV Service] C:\Program Files\Replay Media Catcher\FLVSrvc.exe (Applian Technologies, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [Clearwire Connection Manager] C:\Program Files\Clearwire\Connection Manager\ClearwireCM.exe (ClearwireCM)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKU\S-1-5-21-1844237615-764733703-682003330-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-1844237615-764733703-682003330-1003..\Run: [TrueCrypt] C:\Program Files\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = False
O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1844237615-764733703-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html ()
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html ()
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/05/03 12:17:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/25 06:57:05 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/03/24 21:06:01 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/03/24 01:21:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\Zombie RoadKill
[2011/03/21 23:19:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\MSDN
[2011/03/21 20:18:00 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/03/19 06:05:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\NetXfer
[2011/03/19 06:01:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Xi
[2011/03/19 06:00:58 | 000,000,000 | ---D | C] -- C:\Program Files\Xi
[2011/03/19 00:47:36 | 000,049,664 | ---- | C] (CamStudio Group) -- C:\WINDOWS\System32\CamCodec.dll
[2011/03/19 00:47:36 | 000,000,000 | ---D | C] -- C:\Program Files\CamStudio 2.6b
[2011/03/15 01:24:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Jaksta_Technologies_Pty_L
[2011/03/15 01:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Replay Media Catcher 4
[2011/03/15 01:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Applian
[2011/03/15 01:22:44 | 000,000,000 | ---D | C] -- C:\Program Files\Applian Technologies
[2011/03/15 00:51:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2011/03/15 00:50:35 | 000,000,000 | ---D | C] -- C:\Program Files\AnyMedia Player
[2011/03/15 00:49:09 | 000,000,000 | ---D | C] -- C:\Program Files\FLVCodec
[2011/03/15 00:49:06 | 000,060,273 | ---- | C] (Open Source Software community project) -- C:\WINDOWS\System32\pthreadGC2.dll
[2011/03/15 00:49:05 | 000,000,000 | ---D | C] -- C:\Program Files\ffdshow
[2011/03/15 00:48:58 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2011/03/15 00:48:51 | 000,000,000 | ---D | C] -- C:\Program Files\RipTiger
[2011/03/15 00:40:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Foxreal
[2011/03/15 00:38:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Foxreal
[2011/03/09 06:27:54 | 000,000,000 | ---D | C] -- C:\Program Files\Fox
[1 C:\Documents and Settings\User\*.tmp files -> C:\Documents and Settings\User\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/25 07:10:00 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2D4D1D3B-05AD-4C66-8484-B628F282445D}.job
[2011/03/25 07:03:56 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/25 07:03:56 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/25 06:59:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/25 06:57:12 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/03/25 00:39:43 | 001,107,523 | ---- | M] () -- C:\Documents and Settings\User\My Documents\JENNETTE MCCURDY IN A BIKINI______.flv
[2011/03/25 00:37:08 | 015,759,225 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Taylor Atelian _ Billi Bruno.flv
[2011/03/25 00:34:05 | 002,679,590 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Taylor Atelian in a bikini - _According To Jim_-1.flv
[2011/03/25 00:34:02 | 002,679,590 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Taylor Atelian in a bikini - _According To Jim_.flv
[2011/03/24 07:13:32 | 000,169,453 | ---- | M] () -- C:\Documents and Settings\User\My Documents\CartridgeComparison.jpg
[2011/03/22 02:41:37 | 000,078,292 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Icon-Browser-Firefox-Alt2.png
[2011/03/21 23:32:16 | 000,001,035 | ---- | M] () -- C:\Documents and Settings\User\Desktop\FireFox Limited User.lnk
[2011/03/21 20:43:36 | 000,004,372 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Attach.zip
[2011/03/21 20:18:01 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\User\Desktop\NTREGOPT.lnk
[2011/03/21 20:18:01 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\User\Desktop\ERUNT.lnk
[2011/03/21 19:37:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/21 19:28:24 | 000,015,780 | -HS- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
[2011/03/21 19:28:24 | 000,015,780 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
[2011/03/21 06:26:29 | 000,001,608 | ---- | M] () -- C:\Documents and Settings\User\Application Data\902E.36B
[2011/03/21 00:36:55 | 000,107,103 | ---- | M] () -- C:\Documents and Settings\User\My Documents\296021045onLQMT_ph.jpg
[2011/03/21 00:36:07 | 000,164,429 | ---- | M] () -- C:\Documents and Settings\User\My Documents\HunterBagent.jpg
[2011/03/21 00:34:39 | 000,194,508 | ---- | M] () -- C:\Documents and Settings\User\My Documents\shawn_johnson_camp_woodward_09.jpg
[2011/03/21 00:34:07 | 000,051,610 | ---- | M] () -- C:\Documents and Settings\User\My Documents\4-4.jpg
[2011/03/21 00:33:52 | 000,066,039 | ---- | M] () -- C:\Documents and Settings\User\My Documents\CampWoodward.jpg
[2011/03/21 00:33:39 | 000,007,381 | ---- | M] () -- C:\Documents and Settings\User\My Documents\images.jpeg
[2011/03/21 00:32:53 | 000,152,656 | ---- | M] () -- C:\Documents and Settings\User\My Documents\13.jpg
[2011/03/21 00:32:09 | 000,163,825 | ---- | M] () -- C:\Documents and Settings\User\My Documents\11.jpg
[2011/03/20 07:58:21 | 000,221,727 | ---- | M] () -- C:\Documents and Settings\User\My Documents\LWpepperspray.pdf
[2011/03/20 06:25:28 | 000,547,407 | ---- | M] () -- C:\Documents and Settings\User\My Documents\wallpaper_1600x1280_04.jpg
[2011/03/20 04:34:55 | 000,756,214 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Archer - What What Pirate Virus.flv
[2011/03/20 04:32:15 | 000,510,790 | ---- | M] () -- C:\Documents and Settings\User\My Documents\archer-pirate-virus.gif
[2011/03/19 06:01:08 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Net Transport.lnk
[2011/03/19 06:01:08 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FTP Transport.lnk
[2011/03/17 22:11:51 | 000,137,656 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2011/03/16 03:01:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/15 12:36:34 | 000,188,416 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/15 02:26:04 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Launch Gravity 2.9.lnk
[2011/03/15 01:22:48 | 000,001,956 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Replay Media Catcher 4.lnk
[2011/03/15 01:19:19 | 000,156,672 | ---- | M] (Radioactive) -- C:\WINDOWS\System32\rmc_fixasf.exe
[2011/03/15 01:19:18 | 000,237,568 | ---- | M] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[1 C:\Documents and Settings\User\*.tmp files -> C:\Documents and Settings\User\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/25 00:39:40 | 001,107,523 | ---- | C] () -- C:\Documents and Settings\User\My Documents\JENNETTE MCCURDY IN A BIKINI______.flv
[2011/03/25 00:34:55 | 015,759,225 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Taylor Atelian _ Billi Bruno.flv
[2011/03/25 00:34:03 | 002,679,590 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Taylor Atelian in a bikini - _According To Jim_-1.flv
[2011/03/25 00:33:58 | 002,679,590 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Taylor Atelian in a bikini - _According To Jim_.flv
[2011/03/24 07:13:32 | 000,169,453 | ---- | C] () -- C:\Documents and Settings\User\My Documents\CartridgeComparison.jpg
[2011/03/22 02:41:36 | 000,078,292 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Icon-Browser-Firefox-Alt2.png
[2011/03/21 23:23:02 | 000,001,035 | ---- | C] () -- C:\Documents and Settings\User\Desktop\FireFox Limited User.lnk
[2011/03/21 20:43:36 | 000,004,372 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Attach.zip
[2011/03/21 20:18:01 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\User\Desktop\NTREGOPT.lnk
[2011/03/21 20:18:01 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\User\Desktop\ERUNT.lnk
[2011/03/21 06:26:24 | 000,015,780 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
[2011/03/21 06:26:24 | 000,015,780 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\jqf5rg5gw7xl0cc64v108yvr122f6sk8vj25h0eaor
[2011/03/21 06:25:55 | 000,001,608 | ---- | C] () -- C:\Documents and Settings\User\Application Data\902E.36B
[2011/03/21 00:36:55 | 000,107,103 | ---- | C] () -- C:\Documents and Settings\User\My Documents\296021045onLQMT_ph.jpg
[2011/03/21 00:36:06 | 000,164,429 | ---- | C] () -- C:\Documents and Settings\User\My Documents\HunterBagent.jpg
[2011/03/21 00:34:38 | 000,194,508 | ---- | C] () -- C:\Documents and Settings\User\My Documents\shawn_johnson_camp_woodward_09.jpg
[2011/03/21 00:34:07 | 000,051,610 | ---- | C] () -- C:\Documents and Settings\User\My Documents\4-4.jpg
[2011/03/21 00:33:52 | 000,066,039 | ---- | C] () -- C:\Documents and Settings\User\My Documents\CampWoodward.jpg
[2011/03/21 00:33:39 | 000,007,381 | ---- | C] () -- C:\Documents and Settings\User\My Documents\images.jpeg
[2011/03/21 00:32:53 | 000,152,656 | ---- | C] () -- C:\Documents and Settings\User\My Documents\13.jpg
[2011/03/21 00:32:09 | 000,163,825 | ---- | C] () -- C:\Documents and Settings\User\My Documents\11.jpg
[2011/03/20 07:58:21 | 000,221,727 | ---- | C] () -- C:\Documents and Settings\User\My Documents\LWpepperspray.pdf
[2011/03/20 06:25:28 | 000,547,407 | ---- | C] () -- C:\Documents and Settings\User\My Documents\wallpaper_1600x1280_04.jpg
[2011/03/20 04:34:53 | 000,756,214 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Archer - What What Pirate Virus.flv
[2011/03/20 04:32:15 | 000,510,790 | ---- | C] () -- C:\Documents and Settings\User\My Documents\archer-pirate-virus.gif
[2011/03/19 06:01:08 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Net Transport.lnk
[2011/03/19 06:01:08 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FTP Transport.lnk
[2011/03/15 01:22:48 | 000,001,956 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Replay Media Catcher 4.lnk
[2011/03/15 00:49:07 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/03/15 00:48:52 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\GSService.exe
[2011/02/06 07:37:22 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2010/07/27 00:58:38 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/07/15 19:45:44 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2010/07/13 01:51:24 | 000,002,432 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/10 16:55:39 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2010/05/07 00:02:14 | 000,000,187 | ---- | C] () -- C:\Documents and Settings\User\Application Data\default.rss
[2010/05/07 00:02:14 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\Application Data\downloads.m3u
[2010/05/06 23:58:32 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/12 13:13:25 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\rmc_rtspdl.dll
[2010/04/04 20:56:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\syscheck.INI
[2010/03/31 21:41:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PCFriend.INI
[2010/03/19 14:51:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2009/11/06 10:54:46 | 000,188,416 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/03 12:58:02 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[2009/05/03 12:17:42 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\fusioncache.dat
[2009/05/03 10:50:31 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/05/03 10:50:31 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/05/03 10:50:30 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/05/03 10:50:29 | 001,482,752 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/05/03 10:45:25 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
[2009/05/03 05:08:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/09/08 10:30:44 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\detoured.dll
[1998/07/24 00:54:06 | 000,083,968 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll
[1998/07/15 22:44:30 | 000,134,656 | ---- | C] () -- C:\WINDOWS\System32\itijpg2.dll

< End of report >

ken545
2011-03-25, 15:01
Looks like those two files were ok.

Firefox has a port that it uses but I can't find any data on it. Are you getting any redirects from Firefox?

Please download JavaRa (http://raproducts.org/click/click.php?id=1) to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.



1. Click Start > Settings > Control Panel.
2. Double-click the Java Plug-in icon in the control panel.
3. Click the Cache tab.
4. Click Clear. A confirmation dialog box appears.
5. Click Yes to confirm.
6. Click Apply.

Klawdek
2011-03-26, 00:55
Ok I installed Java.

The last instructions seem to be for a different OS.

Under XP there is no Start > Settings > Control Panel; it is Start > Control Panel.

In Control Panel there is no Java Plug-in icon, but there is a Java Control Panel icon.

In the Java Control Panel there is no Cache tab, but there is
Temporary Internet Files > Settings > Delete Files.

I went ahead and deleted temporary internet files. Is this what you meant, or am I in the wrong place? :confused:

ken545
2011-03-26, 01:09
Yep, that's fine. Java has different versions and they show up differently on your system.

How are things running now ?

Klawdek
2011-03-26, 01:35
Things seem to be fine. THANKS :D

I did notice one thing though.

During the course of this I noticed an entry about the hosts file in the OTL log.
C:\WINDOWS\system32\drivers\etc\Hosts

I went and looked at the hosts file with WordPad and noticed it only had the default first entry and nothing more. The hosts file was last modified during this troubleshooting session. The latest backup was from a month ago.

After finishing your instructions above I checked the hosts file again and it was still empty except for the default first entry.

I updated Firefox and Spybot and then ran Spybot's immunization. I went and looked at the hosts file again and it was updated: the file size drastically increased and a backup was made by Spybot. However, I cannot look at it with WordPad like I could before and still can with all the backups. It shows up as a bunch of little squares, like a binary file does when looked at in WordPad.

Is this any kind of problem?
I know various security products use the hosts file to block known attack sites, and I have gotten the "Known Attack Site" message a few times in the past year, so it has helped avert problems.

I am just hoping I still have that protection.

ken545
2011-03-26, 01:50
You're fine; part of the fix we did with OTL reset the hosts file back to Microsoft defaults.
http://www.mvps.org/winhelp2002/hosts.htm

From the OTL Fix

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

This means that the hosts file was deleted and then reset back to Microsoft defaults.



Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups.



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Safe Surfn
Ken
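
A small check for the hosts-file question above, written for this thread as an added example (not Ken's OTL fix or Spybot's own code): it decodes a hosts file, counts blocklist entries that sink names on the local machine (what Spybot's immunization and the MVPS list add), reports whether the file is back at the Microsoft default, and lists any name mapped to a non-local address, which is what a hijacked hosts file looks like. The sample files are constructed; the domain names and the 198.51.100.7 address are placeholders.

```python
"""Report what a Windows hosts file currently does: default only, blocklist
entries, or names redirected to a remote address. Added example for this
thread; it is not Spybot's or OTL's code."""
import ipaddress

# Addresses a blocklist legitimately maps names to: the lookup dies locally.
LOCAL_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}
# The only name present in the Microsoft default hosts file.
DEFAULT_NAMES = {"localhost"}


def decode_hosts(raw: bytes) -> str:
    """Decode hosts bytes, tolerating a UTF-16 BOM and non-UTF-8 bytes."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping; comments are ignored."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; Windows skips these as well
        for name in parts[1:]:
            yield str(ip), name.lower(), no


def check_hosts(raw: bytes) -> dict:
    """Summarise a hosts file: entry count, blocked names, redirects, default?"""
    entries = list(parse_hosts(decode_hosts(raw)))
    blocked = {n for ip, n, _ in entries
               if ip in LOCAL_SINKS and n not in DEFAULT_NAMES}
    # A name sent to a non-local address is either a deliberate pin or a
    # hijack; the owner should recognise every one of these.
    redirects = [(n, ip, no) for ip, n, no in entries if ip not in LOCAL_SINKS]
    names = {n for _, n, _ in entries}
    return {
        "entries": len(entries),
        "blocked": len(blocked),
        "redirects": redirects,
        "is_default": names <= DEFAULT_NAMES,
    }


# Constructed samples: the XP default file, and the same file after an
# immunization run plus one line that sends a real-looking site elsewhere.
DEFAULT_HOSTS = (b"# Copyright (c) 1993-1999 Microsoft Corp.\r\n"
                 b"127.0.0.1       localhost\r\n")
IMMUNIZED_HOSTS = DEFAULT_HOSTS + (
    b"# Start of entries inserted by Spybot - Search & Destroy\r\n"
    b"127.0.0.1 www.badsite.invalid\r\n"
    b"127.0.0.1 ads.badsite.invalid  # placeholder name\r\n"
    b"0.0.0.0 tracker.example.invalid\r\n"
    b"198.51.100.7 update.av-vendor.example\r\n"  # suspicious: not local
)

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_HOSTS), ("immunized", IMMUNIZED_HOSTS)):
        print(label, check_hosts(raw))
```

Point `check_hosts` at the bytes of `C:\WINDOWS\System32\drivers\etc\Hosts` to see whether the file is still at defaults or carries block entries, and review anything listed under `redirects`.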

Klawdek
2011-03-26, 02:58
Ok, I just want to be sure the protections that anti-malware products like Spybot add have not been lost from the hosts file. I assume that any security products that update the hosts file will eventually put their entries back in.

I would like to ask a few questions if you do not mind and I hope I am not overstepping any boundaries.

Your last post seems to have answered my first question about how to improve my computer security. I will read the links you provided. Thank you.

If TeaTimer had been running would it have possibly prevented the problem?

If I had been using Drop My Rights would it have possibly prevented the problem?
http://msdn.microsoft.com/en-us/library/ms972827.aspx

I used to build my own systems and would like to do so again someday. I used to have a decent amount of computer knowledge (programming, troubleshooting, installing a few small networks); however, I am very rusty and out of date. The landscape has changed a lot since then, and security on home and small business computers is now of major importance.

I would like to brush up on my security knowledge and someday do what you are doing and volunteer in a forum like this one. I know it will take a lot of time and effort and I would like to get started on it.

Do you have any advice on where to start?
If you know of good websites, forums or other free online sources I would appreciate it. I do not have money to buy expensive books, but if you know any "must haves" maybe I can get the money up for them someday.

I am still paying for college from years ago and cannot afford any more college at this time but if you know of any free or very low cost online courses that would also be helpful.


I really appreciate the help you have given me. I think you and the others who do this deserve a round of applause :clap:

ken545
2011-03-26, 03:57
Hi,

No problem at all with the questions. The TeaTimer may have alerted you to a registry change; although I think Spybot is a great program, I am not a fan of the TeaTimer. I use Spybot myself but have the TT disabled. I like SpywareBlaster as it does the same thing but is not too much in your face.

In Spybot, you can go to Advanced Mode > Tools > Hosts File and add Spybot's hosts file to the current hosts file; it will add 1000s of bad sites that will be blocked. If it gives you issues you can always remove it.


I started out when Win 98 came out and have built all my own systems, probably a dozen or more for myself, friends and family. Then I got more interested in malware about 8 years ago. Here is a site I cut my teeth on when building systems; it was my bible. Go and join, it's free and a wealth of info:
http://forums.hardwareguys.com/ikonboard.cgi


Most of us helpers help in many other forums; at WhattheTech I am a classroom teacher, and we have an actual classroom where you can learn to remove malware. It too is free, but you will need a certain amount of commitment. It has a Freshman, Junior and Senior class, and once you graduate from Senior we let you reply to live logs, but your fix has to be checked by a teacher before you can post; at that point it all depends on you and how well you're doing. I went through this same classroom about 8 years ago when it was Tom Coyote; it was one of the first online Malware Removal Classrooms:
http://forums.whatthetech.com/index.php?showtopic=80368



Take Care,

Ken :)

Klawdek
2011-03-26, 04:29
Again, thank you for all your help and the advice. I will start reading the sites you gave me.

Maybe I will have you as a teacher at WhattheTech :2thumb:

ken545
2011-03-26, 11:22
Great

Take care,

Ken

ken545
2011-04-01, 01:14
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.