View Full Version : Click giftload help request
Hello,
A few days ago I began experiencing browser redirects and computer running slower than usual. I ran Search & Destroy and discovered a recurring click giftload issue. I attempted to eradicate it on my own scanning with Spybot Search and Destroy, Malwarebytes, and McAfee. None of these were successfull.
I also attempted to run TDDSKiller but it would error after 80% loaded.
After doing further research I discovered this excellent forum, and after reading several threads determined this problem was beyond my capacity to repair on my own.
I proceeded as follows:
1. I restored my computer to the earliest available restore point.
2. Re-ran Spybot Search and Destory to try and supress click giftload during this session.
3. Re-read the "Before you post" sticky
4. Backed up my registry using ERUNT
5. Ran DDS (Log to follow below)
6. Wrote this help request
I am seeking assistance in removing this nasty problem, and if possible a review and advice on how to close any security holes my computer may have. I would also be extremely apreciative of any additional recomendations for computer cleanup to restore it to good speed and health and remove anything unnecessary lingering on the computer.
Thank you for any time and assistance you can offer.
***I made one edit to the DDS report: replaced user name wherever applicable with with ZZZZZ***
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by ZZZZZ at 14:17:24.52 on Tue 04/19/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2034 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AirPort\APAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ZZZZZ\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.mail.ru/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn2\YTNavAssist.dll
mWinlogon: Userinit=userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101102184633.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
dRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-31 386840]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2004-8-2 11264]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-31 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-3 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-31 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-31 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-31 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-31 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-31 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-31 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-31 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-31 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-31 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-31 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-31 88544]
S2 0038861303013094mcinstcleanup;McAfee Application Installer Cleanup (0038861303013094);c:\windows\temp\003886~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\003886~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-31 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-31 84264]
.
=============== Created Last 30 ================
.
2011-04-17 13:41:54 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-17 13:41:54 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-17 03:46:01 -------- d-----w- c:\docume~1\ZZZZZ&~1\applic~1\Malwarebytes
2011-04-17 03:45:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-17 03:45:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-16 21:31:50 -------- d-----w- c:\docume~1\ZZZZZ&~1\applic~1\Malwarebytes(2)
2011-04-16 20:37:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-16 20:37:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-16 02:22:05 114688 --sha-r- c:\windows\system32\hpzsnt09Q.dll
2011-04-07 15:11:22 -------- d-----w- c:\program files\iTunes
2011-04-06 00:26:48 -------- d-----w- C:\e
2011-04-06 00:26:46 -------- d-----w- C:\Data
2011-03-30 17:15:45 -------- d-----w- c:\program files\Sports Mogul
.
==================== Find3M ====================
.
2011-03-23 18:15:57 857 --sha-w- c:\windows\system32\mmf.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-75FRA0 rev.77.07W77 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AC6D4E7]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ac737d0]; MOV EAX, [0x8ac7384c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8AC8FAB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8AC21240]
\Driver\atapi[0x8ACCFF38] -> IRP_MJ_CREATE -> 0x8AC6D4E7
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AC6D332
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 14:20:15.94 ===============
:snwelcome:
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
Your infected with a ROOTKIT :sad:
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)
Hi Ken,
As per your instructions I downloaded tdsskiller.exe to my desktop. However I am still encountering the problem I had before. When I launch tdsskiller.exe it initializes to 80%, hangs, and then I receive an error message that it has encountered a problem and needs to close.
I rebooted and tried to run tdsskiller in safe mode but got the same result.
I restarted again in normal mode and re-ran Spybot-Search and Destroy.
I await your further instructions. I will not be using the computer for any purpose without your instructions.
Thank you so much for your continued assistance.
Hi,
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif
Click the "Scan" button to start scan
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif
On completion of the scan click save log, save it to your desktop and post in your next reply
Hi Ken,
Here is the requested log from aswMBR.
One edit: computer name changed to "ZZZZZ"
swMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-22 13:56:54
-----------------------------
13:56:54.203 OS Version: Windows 5.1.2600 Service Pack 3
13:56:54.203 Number of processors: 2 586 0x209
13:56:54.203 ComputerName: ZZZZZ UserName:
13:56:54.812 Initialize success
13:57:08.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:57:08.859 Disk 0 Vendor: WDC_WD800BB-75FRA0 77.07W77 Size: 76293MB BusType: 3
13:57:08.859 Device \Driver\atapi -> DriverStartIo 8ac64332
13:57:08.859 Disk 0 MBR read error
13:57:08.875 Disk 0 MBR scan
13:57:08.875 MBR BIOS signature not found 0
13:57:08.875 Disk 0 scanning sectors +156232125
13:57:08.875 Disk 0 scanning C:\WINDOWS\system32\drivers
13:57:25.093 Service scanning
13:57:28.156 Disk 0 trace - called modules:
13:57:28.156 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89a05c30]<<
13:57:28.156 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aca0ab8]
13:57:28.171 Scan finished successfully
Hi,
This is where we are at, the bad guys read these forums also looking at what were doing to try to bork our fixes, evidently they have prevented TDSSKiller from running. There have been numerous threads in the past few days that are having the same problems you are. aswMBR wont fix this problem either, it looks like your MASTER BOOT RECORD is infected but we need to find out for sure. When you ran aswMBR and saved the file, there should also be an other file named MBR.dat, I need you to right click on it and save it as a Zipped file to your desktop and then upload it to this site to confirm your MBR is infected
You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again
Look on your desktop for MBR.zip
If the site is busy you can try this one
http://virusscan.jotti.org/en
Here are the results of the MBR.zip virus total scan.
AhnLab-V3 2011.04.23.00 2011.04.22 -
AntiVir 7.11.6.251 2011.04.22 -
Antiy-AVL 2.0.3.7 2011.04.22 -
Avast 4.8.1351.0 2011.04.22 -
Avast5 5.0.677.0 2011.04.22 -
AVG 10.0.0.1190 2011.04.22 -
BitDefender 7.2 2011.04.22 -
CAT-QuickHeal 11.00 2011.04.21 -
ClamAV 0.97.0.0 2011.04.21 -
Commtouch 5.3.2.6 2011.04.23 -
Comodo 8437 2011.04.22 -
DrWeb 5.0.2.03300 2011.04.22 -
Emsisoft 5.1.0.5 2011.04.22 -
eSafe 7.0.17.0 2011.04.22 -
eTrust-Vet 36.1.8286 2011.04.22 -
F-Prot 4.6.2.117 2011.04.22 -
F-Secure 9.0.16440.0 2011.04.23 -
Fortinet 4.2.257.0 2011.04.22 -
GData 22 2011.04.22 -
Ikarus T3.1.1.103.0 2011.04.22 -
Jiangmin 13.0.900 2011.04.22 -
K7AntiVirus 9.97.4451 2011.04.21 -
Kaspersky 7.0.0.125 2011.04.22 -
McAfee 5.400.0.1158 2011.04.22 -
McAfee-GW-Edition 2010.1D 2011.04.22 -
Microsoft 1.6802 2011.04.23 -
NOD32 6064 2011.04.22 -
Norman 6.07.07 2011.04.22 -
Panda 10.0.3.5 2011.04.22 -
PCTools 7.0.3.5 2011.04.21 -
Prevx 3.0 2011.04.23 -
Rising 23.54.04.06 2011.04.22 -
Sophos 4.64.0 2011.04.23 -
SUPERAntiSpyware 4.40.0.1006 2011.04.22 -
Symantec 20101.3.2.89 2011.04.22 -
TheHacker 6.7.0.1.180 2011.04.22 -
TrendMicro 9.200.0.1012 2011.04.22 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.23 -
VBA32 3.12.16.0 2011.04.22 -
VIPRE 9090 2011.04.22 -
ViRobot 2011.4.22.4424 2011.04.22 -
VirusBuster 13.6.317.0 2011.04.22 -
Additional informationShow all
MD5 : 4a29867afb2ca45291965d7b39bd96c9
SHA1 : ff3fac8df2430f78d2666c820caf5cd4f8d9e303
SHA256: 50ad343834f222616998214d1e2bc232b29b9f936821d5bb4bb2aa5eb8e62f2c
ssdeep: 3:vhjO9/n/i/yn3b21rnxim9/n/i//llPlKS/+lMt:5jOCaCtnxpC1l/+lE
File size : 120 bytes
First seen: 2011-04-22 22:05:41
Last seen : 2011-04-22 22:09:27
TrID:
ZIP compressed archive (100.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
ExifTool:
file metadata
FileSize: 120 bytes
FileType: ZIP
MIMEType: application/zip
ZipBitFlag: 0
ZipCRC: 0xb2aa7578
ZipCompressedSize: 8
ZipCompression: Deflated
ZipFileName: MBR.dat
ZipModifyDate: 2011:04:22 13:58:01
ZipRequiredVersion: 20
ZipUncompressedSize: 512
Hmmm strange.
Unless you know that you have a Recovery Console be sure to install this one, we may need it
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Hi Ken,
Hope your weekend was well. I had some unexpected difficulty proceeding with the scan per your instructions. The details are as follows...
I read and re-read all the instructions and prepared to run the combo fix scan. I disabled McAfee ( the provided instructions are out of date for McAfee's newer interface). The computer was running extremely slow.
Started Combofix, dowloaded from the link you provided, and knew something was wrong right away. It began by telling me Mcafee was not disabled, though I checked several times to verify that it was. I then recieved an error message saying that combofix might have been patched by a virus and should not be used. Further attempts to run it resulted in it unexpectedly quitting.
Additionally, I checked task manager and saw a lot of new processes that should not have been there (firefox, iexplorer, etc -though no additional windows were open). I disconected my dsl cable, restored mcafee, deleted combofix off of my desktop, and rebooted. Computer stalled during the shutdown and I was forced to hard reset. At this point I was terrified my computer was dead.
The computer did reboot very very slowly. I kept the dsl cable disconnected. I then remembered that I had made a disk with various repair/recovery programs on a completely unconnected computer about a week ago when the problems began anticipating it might be usefull if I could not connect to the internet. I located the copy of combofix that I had on the disk and moved it to my desktop, disabled McAfee, and tried to run it.
Combofix loaded sucessfully this time, but gave a message saying it was out of date and would run with limited functionality. I figured it would be better than nothing so I proceeded. This generated " Log1 " which I have attached. I then rebooted my computer.
This time the computer rebooted very quickly and seemed to run about as fast as I can recently remember. However, when I ran Spybot again I could see click giftload was still there. I then restored my internet connection, and attempted to use your instructions again. I downloaded combofix from your link, disabled Mcafee, and ran your version of combofix.
This time it appeared to run smoothly and generated "Log 2" which I have also attached. I was surprised that the log said McAfee firewall was on, even though I checked and double checked that it was disabled.
I also suddenly remembered that around the time all the problems started during a reboot I saw some kind of message flash while windows was loading up. The only thing I was able to catch was something about a partition. This made me check disk management to see if perhaps there was a hidden partition or something. To my surprise disk management would not loacate even my local C:\ drive and is completely empty! :confused: I tried refresh and rescan, but no luck. I hope this helps in diagnosing the problem.
Hopefully I did not do any further damage to my computer and we can continue to resolve this problem. I thank you and appreciate your assistance very much, and await your further instructions.
As per ususal I made log edits to replace "user name" with "ZZZZZ".
Your Master Boot Record is infected with a rootkit , this is how we need to fix it
Earlier on ComboFix installed the Recovery Console. We're going to use that now.
Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)
http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RC_BootMenu.gif
When you get to the above screen, take note of the number that references your operating system.
http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RConsole_A.png
If it's '1' like the picture above, type 1 and press Enter
It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.
http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RConsole_Fixmbr.png
Next type FIXMBR
http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RConsole_FixmbrB.png
If it asks if you're sure you want to write a new MBR, answer 'Y'
Then type EXIT to reboot the machine.
I have done as you advised.
I wanted to bring your attention quickly to another issue, I don't think it has anything to do with the rootkit, but I thought I would check with you to confirm. On startup and reboot I have been recieving a warning that "System Battery Voltage is Low" I assumed I just needed to replace the battery, but I wanted to bring it up to you in case it has relevance to the issue we are trying to resolve.
Thank you for your reply, awaiting further instruction.
First lets worry about the Rootkit, run DDS and post a new log.
How are things running, any redirects or unwanted pop up windows ? Computer booted up OK ?
Is this a laptop
Since running recovery console I have not experienced popups, redirects, etc and things seem to be running smoother than before. I only browsed briefly to test and did a few google searches after you asked your question. I did not use any other programs as I did not want to interfere with the process you are laying out. My local C:\ drive is now being recognized by disk manager. Things seem to be running somewhat faster than before and computer booted fine as far as I can tell. This is a desktop computer.
I ran DDS. The logs are below and attached with my standard "ZZZZZ" edits.
DDS (Ver_11-03-05.01) - NTFSx86
Run by ZZZZZ at 12:28:30.92 on Mon 04/25/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2117 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AirPort\APAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\nvsvc32.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\ZZZZZ\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.mail.ru/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn2\YTNavAssist.dll
mWinlogon: Userinit=userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101102184633.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
dRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2499216C-4BA5-11D5-BD9C-000103C116D5} - {2499216C-4BA5-11D5-BD9C-000103C116D5} - c:\program files\yahoo!\common\ylogin.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-31 386840]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2004-8-2 11264]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-31 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-5-3 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-31 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-31 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-31 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-31 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-31 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-31 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-31 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-31 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-31 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-31 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-31 88544]
S2 0038861303013094mcinstcleanup;McAfee Application Installer Cleanup (0038861303013094);c:\windows\temp\003886~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\003886~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-31 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-31 84264]
.
=============== Created Last 30 ================
.
2011-04-25 03:38:15 -------- d-sha-r- C:\cmdcons
2011-04-25 03:07:12 98816 ----a-w- c:\windows\sed.exe
2011-04-25 03:07:12 89088 ----a-w- c:\windows\MBR.exe
2011-04-25 03:07:12 256512 ----a-w- c:\windows\PEV.exe
2011-04-25 03:07:12 161792 ----a-w- c:\windows\SWREG.exe
2011-04-17 13:41:54 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-17 13:41:54 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-17 03:46:01 -------- d-----w- c:\docume~1\ZZZZZ&~1\applic~1\Malwarebytes
2011-04-17 03:45:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-17 03:45:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-16 21:31:50 -------- d-----w- c:\docume~1\ZZZZZ&~1\applic~1\Malwarebytes(2)
2011-04-16 20:37:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-16 20:37:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-16 02:22:05 114688 --sha-r- c:\windows\system32\hpzsnt09Q.dll
2011-04-07 15:11:22 -------- d-----w- c:\program files\iTunes
2011-04-06 00:26:48 -------- d-----w- C:\e
2011-03-30 17:15:45 -------- d-----w- c:\program files\Sports Mogul
.
==================== Find3M ====================
.
2011-03-23 18:15:57 857 --sha-w- c:\windows\system32\mmf.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
============= FINISH: 12:30:36.53 ===============
Looks like the rootkit is gone, sometimes these things bring there friends along so let run a few scans and check
Are you still getting the Click.giftfind pop up ?
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
OTL by OldTimer
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
Hi Ken,
Im so glad to see that the rootkit is gone. I ran Spybot, did a reboot, and then ran Spybot again. Spybot did not detect any problems either time. :)
I ran the scans you advised and am attaching log files.
Standard ZZZZZ edits applied.
Lets copy and paste the logs into this thread in lew of attaching them, its easier for us to analyze
OTL logfile created on: 4/26/2011 2:57:05 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\ZZZZZ\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 12.86 Gb Free Space | 17.27% Space Free | Partition Type: NTFS
Computer Name: ZZZZZ | User Name: ZZZZZ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\ZZZZZ\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\SYSTEM32\UAService7.exe (Sony DADC Austria AG.)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
PRC - C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe (American Power Conversion Corporation)
PRC - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (American Power Conversion Corporation)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\ZZZZZ\Desktop\OTL.exe (OldTimer Tools)
MOD - c:\Program Files\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (0038861303013094mcinstcleanup) McAfee Application Installer Cleanup (0038861303013094) -- File not found
SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
SRV - (mfevtp) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV - (McProxy) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNASvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNaiAnn) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (UserAccess7) SecuROM User Access Service (V7) -- C:\WINDOWS\SYSTEM32\UAService7.exe (Sony DADC Austria AG.)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\SYSTEM32\hpzipm12.exe (HP)
SRV - (APC UPS Service) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (American Power Conversion Corporation)
SRV - (NetSvc) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel(R) Corporation)
========== Driver Services (SafeList) ==========
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfefirek) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfefirek.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys (McAfee, Inc.)
DRV - (mfendiskmp) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfendisk.sys (McAfee, Inc.)
DRV - (mfendisk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfendisk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\SYSTEM32\DRIVERS\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdi2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfetdi2k.sys (McAfee, Inc.)
DRV - (cfwids) -- C:\WINDOWS\SYSTEM32\DRIVERS\cfwids.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys (McAfee, Inc.)
DRV - (MPE) -- C:\WINDOWS\SYSTEM32\DRIVERS\mpe.sys (Microsoft Corporation)
DRV - (mod7700) -- C:\WINDOWS\SYSTEM32\DRIVERS\dvb7700all.sys (DiBcom)
DRV - (ezplay) -- C:\WINDOWS\SYSTEM32\DRIVERS\ezplay.sys (VSO Software)
DRV - (sfvfs02) StarForce Protection VFS Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfvfs02.sys (Protection Technology)
DRV - (sfdrv01) StarForce Protection Environment Driver (version 1.x) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (WmFilter) -- C:\WINDOWS\SYSTEM32\DRIVERS\WmFilter.sys (Logitech Inc.)
DRV - (WmBEnum) -- C:\WINDOWS\SYSTEM32\DRIVERS\WmBEnum.sys (Logitech Inc.)
DRV - (WmVirHid) -- C:\WINDOWS\SYSTEM32\DRIVERS\WmVirHid.sys (Logitech Inc.)
DRV - (WmXlCore) -- C:\WINDOWS\SYSTEM32\DRIVERS\WmXlCore.sys (Logitech Inc.)
DRV - (iAimFP4) -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys (Intel(R) Corporation)
DRV - (iAimFP3) -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys (Intel(R) Corporation)
DRV - (iAimTV4) -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys (Intel(R) Corporation)
DRV - (iAimTV3) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys (Intel(R) Corporation)
DRV - (iAimTV1) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys (Intel(R) Corporation)
DRV - (iAimTV0) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys (Intel(R) Corporation)
DRV - (iAimFP0) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys (Intel(R) Corporation)
DRV - (iAimFP1) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys (Intel(R) Corporation)
DRV - (iAimFP2) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys (Intel(R) Corporation)
DRV - (i81x) -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys (Intel(R) Corporation)
DRV - (prohlp02) -- C:\WINDOWS\System32\drivers\prohlp02.sys (Protection Technology)
DRV - (prodrv06) -- C:\WINDOWS\System32\drivers\prodrv06.sys (Protection Technology)
DRV - (pfc) -- C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys (Padus, Inc.)
DRV - (sfhlp01) -- C:\WINDOWS\System32\drivers\sfhlp01.sys (Protection Technology)
DRV - (BCMModem) -- C:\WINDOWS\SYSTEM32\DRIVERS\BCMSM.sys (Broadcom Corporation)
DRV - (omci) -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys (Dell Computer Corporation)
DRV - (Asapi) -- C:\WINDOWS\System32\drivers\asapi.sys (VOB Computersysteme GmbH)
DRV - (EL90XBC) -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS (3Com Corporation)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/ie/defaults/cs/sbcydsl/*http://www.yahoo.com/search/ie.html
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.ru/
IE - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTNavAssist.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/04/24 23:22:33 | 000,000,000 | ---D | M]
O1 HOSTS File: ([2011/04/25 00:10:08 | 000,000,296 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.8minutedating.com
O1 - Hosts: 127.0.0.1 whysohardx.com
O1 - Hosts: 127.0.0.1 protectyourpc-11.com
O1 - Hosts: 127.0.0.1 checkserverstatux.com
O1 - Hosts: 127.0.0.1 xinmin.cn
O1 - Hosts: 127.0.0.1 xy95.cn
O1 - Hosts: 127.0.0.1 koralda.com
O1 - Hosts: 127.0.0.1 weirden.com
O1 - Hosts: 127.0.0.1 nanocloudcontroller.com
O1 - Hosts: 127.0.0.1 coo0lnet.net
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101102184633.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [AirPort Base Station Agent] C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (Yahoo! Inc.)
O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\ZZZZZ\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\ZZZZZ\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 09:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/04/26 14:55:34 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ZZZZZ\Desktop\OTL.exe
[2011/04/26 14:15:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/04/26 13:57:00 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\ZZZZZ\Desktop\mbam-setup-1.50.1.1100.exe
[2011/04/26 13:22:58 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/04/26 13:21:45 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\ZZZZZ\Desktop\ATF-Cleaner.exe
[2011/04/25 00:08:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/04/24 23:28:39 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2011/04/24 22:38:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/24 22:07:12 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/24 22:07:12 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/24 22:07:12 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/24 22:07:12 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/24 21:57:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/22 13:56:31 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Documents and Settings\ZZZZZ\Desktop\aswMBR.exe
[2011/04/19 14:14:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/19 14:11:18 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/19 14:11:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/19 14:10:07 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\ZZZZZ\Desktop\erunt-setup.exe
[2011/04/17 09:17:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/16 22:46:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ZZZZZ\Application Data\Malwarebytes
[2011/04/16 22:45:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/16 22:45:48 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/16 21:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2011/04/16 19:38:34 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2011/04/16 16:31:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ZZZZZ\Application Data\Malwarebytes(2)
[2011/04/16 15:37:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/16 15:37:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/15 21:52:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/04/15 21:31:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/15 21:31:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/12 11:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/04/07 10:13:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/04/07 10:11:22 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/04/05 19:26:48 | 000,000,000 | ---D | C] -- C:\e
[2011/03/30 16:56:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ZZZZZ\Desktop\BBM12
[2011/03/30 12:18:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sports Mogul
[2011/03/30 12:15:45 | 000,000,000 | ---D | C] -- C:\Program Files\Sports Mogul
[2006/11/17 17:47:56 | 000,094,080 | ---- | C] (VSO Software) -- C:\Documents and Settings\ZZZZZ\Application Data\ezplay.sys
[2006/11/17 17:47:28 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\ZZZZZ\Application Data\pcouffin.sys
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2011/04/26 14:55:35 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ZZZZZ\Desktop\OTL.exe
[2011/04/26 14:16:54 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2011/04/26 14:15:10 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/04/26 14:14:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2011/04/26 14:14:11 | 2683,375,616 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/26 13:57:55 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/26 13:57:13 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\ZZZZZ\Desktop\mbam-setup-1.50.1.1100.exe
[2011/04/26 13:21:47 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\ZZZZZ\Desktop\ATF-Cleaner.exe
[2011/04/25 12:45:57 | 000,005,290 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\Attach2.zip
[2011/04/25 00:24:02 | 000,005,639 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\log2.zip
[2011/04/25 00:10:08 | 000,000,296 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2011/04/24 23:27:37 | 004,328,852 | R--- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\ComboFix.exe
[2011/04/24 23:02:01 | 000,005,836 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\log1.zip
[2011/04/24 22:38:23 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI
[2011/04/22 17:11:31 | 000,000,120 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\MBR.zip
[2011/04/22 13:58:00 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\MBR.dat
[2011/04/22 13:56:35 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Documents and Settings\ZZZZZ\Desktop\aswMBR.exe
[2011/04/22 11:14:00 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\ZZZZZ\Desktop\Tdsskiller.exe.exe
[2011/04/19 14:26:17 | 000,005,110 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\Attach.zip
[2011/04/19 14:16:00 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\dds.scr
[2011/04/19 14:11:19 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\ERUNT.lnk
[2011/04/19 14:10:09 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\ZZZZZ\Desktop\erunt-setup.exe
[2011/04/19 14:05:28 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/16 14:25:43 | 000,013,560 | -HS- | M] () -- C:\Documents and Settings\ZZZZZ\Local Settings\Application Data\y26fl6u3dlvqhk4y3xi2gf658qow21ch7426l1f62q7
[2011/04/16 14:25:43 | 000,013,560 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\y26fl6u3dlvqhk4y3xi2gf658qow21ch7426l1f62q7
[2011/04/16 14:18:00 | 000,432,448 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20110416-220544.backup
[2011/04/15 23:29:46 | 000,001,876 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\OANDA fxTrade.lnk
[2011/04/15 09:51:04 | 000,294,552 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/15 07:53:41 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/15 07:49:19 | 000,448,530 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2011/04/15 07:49:19 | 000,074,932 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2011/04/13 11:44:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/04/07 10:13:04 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/07 09:57:40 | 000,001,696 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2011/04/05 19:26:51 | 000,000,240 | ---- | M] () -- C:\srch_site_1.gif
[2011/04/05 19:26:50 | 000,000,380 | ---- | M] () -- C:\edu.bmp
[2011/04/05 19:26:50 | 000,000,304 | ---- | M] () -- C:\dir.bmp
[2011/04/05 19:26:50 | 000,000,284 | ---- | M] () -- C:\srch_map_1.gif
[2011/04/05 19:26:50 | 000,000,279 | ---- | M] () -- C:\hj_1.gif
[2011/04/05 19:26:50 | 000,000,277 | ---- | M] () -- C:\mov_1.gif
[2011/04/05 19:26:50 | 000,000,274 | ---- | M] () -- C:\trav_1.gif
[2011/04/05 19:26:50 | 000,000,273 | ---- | M] () -- C:\srch_stk_1.gif
[2011/04/05 19:26:50 | 000,000,268 | ---- | M] () -- C:\ab_1.gif
[2011/04/05 19:26:50 | 000,000,265 | ---- | M] () -- C:\srch_ans_1.gif
[2011/04/05 19:26:50 | 000,000,138 | ---- | M] () -- C:\flk2.gif
[2011/04/05 19:26:50 | 000,000,121 | ---- | M] () -- C:\srch_nws_1.gif
[2011/04/05 19:26:50 | 000,000,113 | ---- | M] () -- C:\srch_aud_1.gif
[2011/04/05 19:26:50 | 000,000,113 | ---- | M] () -- C:\del_1.gif
[2011/04/05 19:26:49 | 000,000,235 | ---- | M] () -- C:\srch_1.gif
[2011/04/05 19:26:49 | 000,000,131 | ---- | M] () -- C:\srch_loc_1.gif
[2011/04/05 19:26:49 | 000,000,123 | ---- | M] () -- C:\srch_sh_1.gif
[2011/04/05 19:26:49 | 000,000,112 | ---- | M] () -- C:\srch_vid_1.gif
[2011/04/05 19:26:49 | 000,000,112 | ---- | M] () -- C:\srch_img_1.gif
[2011/04/04 19:27:01 | 000,000,155 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/03/30 12:24:54 | 000,000,776 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\Shortcut to BB2K12.lnk
[2011/03/30 12:21:11 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\MogFame.dat
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files Created - No Company Name ==========
[2011/04/26 13:57:55 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/25 12:45:57 | 000,005,290 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\Attach2.zip
[2011/04/25 00:24:02 | 000,005,639 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\log2.zip
[2011/04/24 23:27:30 | 004,328,852 | R--- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\ComboFix.exe
[2011/04/24 23:02:01 | 000,005,836 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\log1.zip
[2011/04/24 22:38:23 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/04/24 22:38:18 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/24 22:07:12 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/24 22:07:12 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/24 22:07:12 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/24 22:07:12 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/24 22:07:12 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/22 17:11:31 | 000,000,120 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\MBR.zip
[2011/04/22 13:58:00 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\MBR.dat
[2011/04/22 11:27:23 | 2683,375,616 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/19 14:26:17 | 000,005,110 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\Attach.zip
[2011/04/19 14:15:59 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\dds.scr
[2011/04/19 14:11:19 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\ERUNT.lnk
[2011/04/16 13:42:34 | 000,013,560 | -HS- | C] () -- C:\Documents and Settings\ZZZZZ\Local Settings\Application Data\y26fl6u3dlvqhk4y3xi2gf658qow21ch7426l1f62q7
[2011/04/16 13:42:34 | 000,013,560 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\y26fl6u3dlvqhk4y3xi2gf658qow21ch7426l1f62q7
[2011/04/15 23:29:46 | 000,001,876 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\OANDA fxTrade.lnk
[2011/04/15 21:51:25 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/07 10:13:04 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/05 19:26:51 | 000,000,240 | ---- | C] () -- C:\srch_site_1.gif
[2011/04/05 19:26:50 | 000,000,380 | ---- | C] () -- C:\edu.bmp
[2011/04/05 19:26:50 | 000,000,304 | ---- | C] () -- C:\dir.bmp
[2011/04/05 19:26:50 | 000,000,284 | ---- | C] () -- C:\srch_map_1.gif
[2011/04/05 19:26:50 | 000,000,279 | ---- | C] () -- C:\hj_1.gif
[2011/04/05 19:26:50 | 000,000,277 | ---- | C] () -- C:\mov_1.gif
[2011/04/05 19:26:50 | 000,000,274 | ---- | C] () -- C:\trav_1.gif
[2011/04/05 19:26:50 | 000,000,273 | ---- | C] () -- C:\srch_stk_1.gif
[2011/04/05 19:26:50 | 000,000,268 | ---- | C] () -- C:\ab_1.gif
[2011/04/05 19:26:50 | 000,000,265 | ---- | C] () -- C:\srch_ans_1.gif
[2011/04/05 19:26:50 | 000,000,138 | ---- | C] () -- C:\flk2.gif
[2011/04/05 19:26:50 | 000,000,121 | ---- | C] () -- C:\srch_nws_1.gif
[2011/04/05 19:26:50 | 000,000,113 | ---- | C] () -- C:\srch_aud_1.gif
[2011/04/05 19:26:50 | 000,000,113 | ---- | C] () -- C:\del_1.gif
[2011/04/05 19:26:49 | 000,000,235 | ---- | C] () -- C:\srch_1.gif
[2011/04/05 19:26:49 | 000,000,131 | ---- | C] () -- C:\srch_loc_1.gif
[2011/04/05 19:26:49 | 000,000,123 | ---- | C] () -- C:\srch_sh_1.gif
[2011/04/05 19:26:49 | 000,000,112 | ---- | C] () -- C:\srch_vid_1.gif
[2011/04/05 19:26:49 | 000,000,112 | ---- | C] () -- C:\srch_img_1.gif
[2011/03/31 17:08:00 | 000,001,791 | -HS- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\AlbumArtSmall.jpg
[2011/03/30 12:24:54 | 000,000,776 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\Shortcut to BB2K12.lnk
[2011/03/30 12:21:11 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\MogFame.dat
[2011/03/10 12:28:11 | 000,000,857 | -HS- | C] () -- C:\WINDOWS\System32\mmf.sys
[2009/11/11 17:26:18 | 000,067,080 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/11/11 16:43:53 | 000,003,625 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp m4a Codec.dat
[2009/11/11 16:42:00 | 000,003,400 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
[2009/11/11 11:31:44 | 000,001,844 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Mp2 and BwfMp2 codec.dat
[2009/11/11 11:31:42 | 000,001,224 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Wave64 Codec.dat
[2009/11/11 11:31:40 | 000,002,228 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBPoweramp tooLame MP2 codec.dat
[2009/11/11 11:31:38 | 000,011,473 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Real Audio (Helix) Encoder.dat
[2009/11/11 11:31:26 | 000,001,206 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Dalet Codec.dat
[2009/11/11 11:31:24 | 000,003,008 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp WavPack Codec.dat
[2009/11/11 11:31:17 | 000,003,030 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
[2009/11/11 11:31:09 | 000,003,152 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat
[2009/11/11 11:31:02 | 000,003,107 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
[2009/11/11 11:30:55 | 000,002,951 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp FLAC Codec.dat
[2009/11/11 11:30:48 | 000,002,843 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.dat
[2009/11/11 11:26:38 | 000,008,457 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp DSP Effects.dat
[2009/11/11 11:26:31 | 000,013,281 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Music Converter.dat
[2008/05/25 16:52:37 | 000,201,488 | ---- | C] () -- C:\WINDOWS\System32\MACD32.DLL
[2008/05/25 16:52:37 | 000,144,144 | ---- | C] () -- C:\WINDOWS\System32\MASE32.DLL
[2008/05/25 16:52:37 | 000,141,584 | ---- | C] () -- C:\WINDOWS\System32\MAMC32.DLL
[2008/05/25 16:52:37 | 000,063,248 | ---- | C] () -- C:\WINDOWS\System32\MASD32.DLL
[2008/05/25 16:52:35 | 000,033,040 | ---- | C] () -- C:\WINDOWS\System32\MA32.DLL
[2008/05/17 17:03:22 | 000,691,545 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2008/05/17 17:03:21 | 000,002,550 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2007/11/28 13:20:20 | 000,000,706 | ---- | C] () -- C:\WINDOWS\program.ini
[2007/11/28 12:47:08 | 000,000,005 | ---- | C] () -- C:\WINDOWS\System32\SySVTA.dat
[2007/11/28 12:46:52 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\VCEDIT.DLL
[2007/11/28 12:46:52 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\vorbisfile.dll
[2007/03/20 23:42:15 | 000,000,155 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/11/17 17:47:56 | 000,007,172 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\ezplay.cat
[2006/11/17 17:47:56 | 000,001,104 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\KRNWNVYP.inf
[2006/11/17 17:47:56 | 000,000,125 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\KRNWNVYP.ini
[2006/11/17 17:47:28 | 000,081,920 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\ezpinst.exe
[2006/11/17 17:47:28 | 000,007,176 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\pcouffin.cat
[2006/11/17 17:47:28 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\pcouffin.inf
[2006/11/12 01:04:23 | 000,000,039 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\EV Nova License.lcs
[2006/11/12 01:04:20 | 000,000,140 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\EV Nova Prefs.prf
[2006/08/20 22:22:26 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2006/06/12 20:03:18 | 000,001,350 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/03/04 14:10:42 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2006/02/25 11:33:44 | 000,000,080 | RHS- | C] () -- C:\WINDOWS\System32\44EFA58560.dll
[2006/02/04 18:47:50 | 000,000,013 | ---- | C] () -- C:\WINDOWS\System32\MSVCTSCP.DLL
[2005/12/27 18:34:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/12/10 04:06:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/12/10 04:06:00 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2005/12/10 04:06:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/12/10 04:06:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2005/12/10 04:06:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/12/10 04:06:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/12/10 04:06:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/12/10 04:06:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2005/12/10 04:06:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2005/12/10 04:06:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/12/10 04:06:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/09/12 17:30:49 | 000,000,708 | ---- | C] () -- C:\WINDOWS\System32\dxamph3.dll
[2005/09/03 16:38:14 | 000,000,074 | ---- | C] () -- C:\WINDOWS\BBW_INFO.INI
[2005/07/09 12:44:00 | 000,002,654 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/05/12 17:18:32 | 006,622,072 | R--- | C] () -- C:\WINDOWS\System32\SpoonUninstall.exe
[2005/05/04 17:45:49 | 000,000,253 | ---- | C] () -- C:\WINDOWS\WSHORTEN.INI
[2005/01/27 19:21:04 | 000,000,088 | ---- | C] () -- C:\WINDOWS\cspdbmt.INI
[2004/12/29 21:31:09 | 000,038,867 | ---- | C] () -- C:\WINDOWS\hpomdl03.dat
[2004/12/29 21:31:09 | 000,029,134 | ---- | C] () -- C:\WINDOWS\hpoins03.dat
[2004/12/15 19:52:50 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2004/12/14 01:03:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/09/05 22:06:51 | 000,000,504 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2004/08/23 19:38:12 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/02 18:39:06 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\IWUninstall.exe
[2004/07/22 19:13:03 | 000,000,151 | ---- | C] () -- C:\WINDOWS\ae.INI
[2004/05/31 23:03:39 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Local Settings\Application Data\fusioncache.dat
[2004/05/30 21:10:53 | 000,014,870 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/02/10 22:16:28 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/01/24 14:33:40 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/01/23 23:25:02 | 000,000,174 | ---- | C] () -- C:\WINDOWS\System32\mcini.ini
[2004/01/23 19:24:35 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2004/01/18 20:46:05 | 000,060,416 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/01/14 21:03:10 | 000,001,134 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2004/01/14 00:27:00 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\PFP110JPR.{PB
[2004/01/14 00:27:00 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\PFP110JCM.{PB
[2004/01/13 23:48:47 | 000,000,291 | ---- | C] () -- C:\WINDOWS\EReg072.dat
[2004/01/08 23:33:52 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/01/08 23:30:43 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/01/08 23:26:47 | 000,000,258 | ---- | C] () -- C:\WINDOWS\System32\BDEMERGE.INI
[2004/01/08 23:24:00 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/01/08 23:22:55 | 000,000,202 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/01/08 23:18:55 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/01/08 23:05:52 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/01/08 23:04:10 | 000,448,530 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/01/08 23:04:10 | 000,074,932 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/01/08 23:03:59 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/01/08 22:51:04 | 000,000,546 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/01/05 02:30:18 | 000,565,248 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/09/16 23:52:30 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\VORBIS.DLL
[2003/09/16 23:43:32 | 000,070,144 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2003/09/16 23:41:44 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\OGG.DLL
[2003/08/13 23:54:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/08/07 14:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2002/09/03 10:05:08 | 000,294,552 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 09:59:14 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 09:56:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/09/03 09:31:46 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2002/09/03 09:31:44 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2002/08/29 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2002/08/29 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2002/08/29 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2002/08/29 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2002/08/29 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2002/08/29 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[1999/03/13 19:00:56 | 000,000,136 | ---- | C] () -- C:\WINDOWS\System32\mstraps.dll
[1998/10/24 01:00:00 | 000,000,700 | -HS- | C] () -- C:\WINDOWS\xv1mdrv691928.drv
[1998/10/24 00:00:00 | 000,000,700 | -HS- | C] () -- C:\WINDOWS\System32\xv1mdrv601928.sys
[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
========== LOP Check ==========
[2009/03/16 19:17:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus
[2008/06/27 21:39:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2005/09/17 07:11:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\element5
[2005/01/03 12:02:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Keyhole
[2004/01/14 00:20:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Links 2003
[2008/05/25 16:53:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2007/02/20 22:27:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/28 12:14:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/04/28 12:03:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/28 11:14:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/07/20 20:50:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2004/02/08 21:21:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ZZZZZ\Application Data\Aim
[2010/09/02 17:11:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ZZZZZ\Application Data\AnvSoft
[2005/03/18 19:16:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ZZZZZ\Application Data\CopyToDvd
[2009/11/11 14:27:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ZZZZZ\Application Data\dBpoweramp
[2010/09/03 14:53:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ZZZZZ\Application Data\EditPlus 3
[2004/01/18 20:38:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ZZZZZ\Application Data\Leadertech
[2010/09/03 14:19:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ZZZZZ\Application Data\Mael
[2006/10/22 12:11:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ZZZZZ\Application Data\Southwest Airlines
[2004/08/02 18:42:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ZZZZZ\Application Data\Steinberg
[2011/01/02 11:58:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ZZZZZ\Application Data\uTorrent
[2007/01/27 22:16:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ZZZZZ\Application Data\Viewpoint
[2006/11/17 18:59:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ZZZZZ\Application Data\Vso
[2009/08/03 13:20:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
========== Purity Check ==========
< End of report >
How are things running now, any redirects or unwanted popup windows ?
Open OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:processes
killallprocesses
:OTL
:Services
:Reg
:Files
ipconfig /release /c
ipconfig /renew /c
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
Hi Ken,
First, my apologies for not posting the log in my reply. I assumed wrong that it would be easier to read in .txt format.
I am encouraged by the fact that I have not had experienced any pop ups or redirects yet.
Here are the logs you requested. Edits applied.
All processes killed
========== PROCESSES ==========
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /release /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\ZZZZZ\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\ZZZZZ\Desktop\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.0.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.1.1
C:\Documents and Settings\ZZZZZ\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\ZZZZZ\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\ZZZZZ\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\ZZZZZ\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: Administrator
User: Administrator.ZZZZZ
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: DELL
User: ZZZZZ
->Temp folder emptied: 81920 bytes
->Temporary Internet Files folder emptied: 1466552 bytes
->Java cache emptied: 82946328 bytes
->Flash cache emptied: 843248 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 5848 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 10075 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33728 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 81.00 mb
OTL by OldTimer - Version 3.2.22.3 log created on 04272011_104405
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...
And the second log....
TL logfile created on: 4/27/2011 10:51:32 AM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\ZZZZZ\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 12.93 Gb Free Space | 17.37% Space Free | Partition Type: NTFS
Computer Name: ZZZZZ | User Name: ZZZZZ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\ZZZZZ\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\SYSTEM32\UAService7.exe (Sony DADC Austria AG.)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
PRC - C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe (American Power Conversion Corporation)
PRC - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (American Power Conversion Corporation)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\ZZZZZ\Desktop\OTL.exe (OldTimer Tools)
MOD - c:\Program Files\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (0038861303013094mcinstcleanup) McAfee Application Installer Cleanup (0038861303013094) -- File not found
SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
SRV - (mfevtp) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV - (McProxy) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNASvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNaiAnn) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (UserAccess7) SecuROM User Access Service (V7) -- C:\WINDOWS\SYSTEM32\UAService7.exe (Sony DADC Austria AG.)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\SYSTEM32\hpzipm12.exe (HP)
SRV - (APC UPS Service) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (American Power Conversion Corporation)
SRV - (NetSvc) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe (Intel(R) Corporation)
========== Driver Services (SafeList) ==========
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfefirek) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfefirek.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys (McAfee, Inc.)
DRV - (mfendiskmp) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfendisk.sys (McAfee, Inc.)
DRV - (mfendisk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfendisk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\SYSTEM32\DRIVERS\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdi2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfetdi2k.sys (McAfee, Inc.)
DRV - (cfwids) -- C:\WINDOWS\SYSTEM32\DRIVERS\cfwids.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys (McAfee, Inc.)
DRV - (MPE) -- C:\WINDOWS\SYSTEM32\DRIVERS\mpe.sys (Microsoft Corporation)
DRV - (mod7700) -- C:\WINDOWS\SYSTEM32\DRIVERS\dvb7700all.sys (DiBcom)
DRV - (ezplay) -- C:\WINDOWS\SYSTEM32\DRIVERS\ezplay.sys (VSO Software)
DRV - (sfvfs02) StarForce Protection VFS Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfvfs02.sys (Protection Technology)
DRV - (sfdrv01) StarForce Protection Environment Driver (version 1.x) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology)
DRV - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology)
DRV - (WmFilter) -- C:\WINDOWS\SYSTEM32\DRIVERS\WmFilter.sys (Logitech Inc.)
DRV - (WmBEnum) -- C:\WINDOWS\SYSTEM32\DRIVERS\WmBEnum.sys (Logitech Inc.)
DRV - (WmVirHid) -- C:\WINDOWS\SYSTEM32\DRIVERS\WmVirHid.sys (Logitech Inc.)
DRV - (WmXlCore) -- C:\WINDOWS\SYSTEM32\DRIVERS\WmXlCore.sys (Logitech Inc.)
DRV - (iAimFP4) -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys (Intel(R) Corporation)
DRV - (iAimFP3) -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys (Intel(R) Corporation)
DRV - (iAimTV4) -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys (Intel(R) Corporation)
DRV - (iAimTV3) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys (Intel(R) Corporation)
DRV - (iAimTV1) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys (Intel(R) Corporation)
DRV - (iAimTV0) -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys (Intel(R) Corporation)
DRV - (iAimFP0) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys (Intel(R) Corporation)
DRV - (iAimFP1) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys (Intel(R) Corporation)
DRV - (iAimFP2) -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys (Intel(R) Corporation)
DRV - (i81x) -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys (Intel(R) Corporation)
DRV - (prohlp02) -- C:\WINDOWS\System32\drivers\prohlp02.sys (Protection Technology)
DRV - (prodrv06) -- C:\WINDOWS\System32\drivers\prodrv06.sys (Protection Technology)
DRV - (pfc) -- C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys (Padus, Inc.)
DRV - (sfhlp01) -- C:\WINDOWS\System32\drivers\sfhlp01.sys (Protection Technology)
DRV - (BCMModem) -- C:\WINDOWS\SYSTEM32\DRIVERS\BCMSM.sys (Broadcom Corporation)
DRV - (omci) -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys (Dell Computer Corporation)
DRV - (Asapi) -- C:\WINDOWS\System32\drivers\asapi.sys (VOB Computersysteme GmbH)
DRV - (EL90XBC) -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS (3Com Corporation)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/ie/defaults/cs/sbcydsl/*http://www.yahoo.com/search/ie.html
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.ru/
IE - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTNavAssist.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/04/24 23:22:33 | 000,000,000 | ---D | M]
O1 HOSTS File: ([2011/04/27 10:44:13 | 000,000,098 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101102184633.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [AirPort Base Station Agent] C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (Yahoo! Inc.)
O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (Yahoo! Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\.DEFAULT\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3172830581-756655501-2312823406-1007\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\ZZZZZ\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\ZZZZZ\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 09:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/04/27 10:48:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/04/27 10:44:05 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/26 14:55:34 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ZZZZZ\Desktop\OTL.exe
[2011/04/26 13:57:00 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\ZZZZZ\Desktop\mbam-setup-1.50.1.1100.exe
[2011/04/26 13:22:58 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/04/26 13:21:45 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\ZZZZZ\Desktop\ATF-Cleaner.exe
[2011/04/25 00:08:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/04/24 23:28:39 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2011/04/24 22:38:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/24 22:07:12 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/24 22:07:12 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/24 22:07:12 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/24 22:07:12 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/24 21:57:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/22 13:56:31 | 000,566,272 | ---- | C] (AVAST Software) -- C:\Documents and Settings\ZZZZZ\Desktop\aswMBR.exe
[2011/04/19 14:14:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/19 14:11:18 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/19 14:11:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/19 14:10:07 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\ZZZZZ\Desktop\erunt-setup.exe
[2011/04/17 09:17:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/16 22:46:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ZZZZZ\Application Data\Malwarebytes
[2011/04/16 22:45:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/16 22:45:48 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/16 21:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2011/04/16 19:38:34 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2011/04/16 16:31:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ZZZZZ\Application Data\Malwarebytes(2)
[2011/04/16 15:37:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/16 15:37:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/15 21:52:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/04/15 21:31:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/15 21:31:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/12 11:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/04/07 10:13:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/04/07 10:11:22 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/04/05 19:26:48 | 000,000,000 | ---D | C] -- C:\e
[2011/03/30 16:56:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ZZZZZ\Desktop\BBM12
[2011/03/30 12:18:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sports Mogul
[2011/03/30 12:15:45 | 000,000,000 | ---D | C] -- C:\Program Files\Sports Mogul
[2006/11/17 17:47:56 | 000,094,080 | ---- | C] (VSO Software) -- C:\Documents and Settings\ZZZZZ\Application Data\ezplay.sys
[2006/11/17 17:47:28 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\ZZZZZ\Application Data\pcouffin.sys
========== Files - Modified Within 30 Days ==========
[2011/04/27 10:48:46 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/04/27 10:48:36 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2011/04/27 10:47:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2011/04/27 10:47:54 | 2683,375,616 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/27 10:44:13 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\Hosts
[2011/04/26 15:21:54 | 000,009,620 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\Extras.zip
[2011/04/26 15:21:46 | 000,012,618 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\OTL.zip
[2011/04/26 15:21:41 | 000,000,594 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\mbam-log-2011-04-26 (14-11-54).zip
[2011/04/26 14:55:35 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ZZZZZ\Desktop\OTL.exe
[2011/04/26 13:57:55 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/26 13:57:13 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\ZZZZZ\Desktop\mbam-setup-1.50.1.1100.exe
[2011/04/26 13:21:47 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\ZZZZZ\Desktop\ATF-Cleaner.exe
[2011/04/25 12:45:57 | 000,005,290 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\Attach2.zip
[2011/04/25 00:24:02 | 000,005,639 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\log2.zip
[2011/04/24 23:27:37 | 004,328,852 | R--- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\ComboFix.exe
[2011/04/24 23:02:01 | 000,005,836 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\log1.zip
[2011/04/24 22:38:23 | 000,000,327 | RHS- | M] () -- C:\BOOT.INI
[2011/04/22 17:11:31 | 000,000,120 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\MBR.zip
[2011/04/22 13:58:00 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\MBR.dat
[2011/04/22 13:56:35 | 000,566,272 | ---- | M] (AVAST Software) -- C:\Documents and Settings\ZZZZZ\Desktop\aswMBR.exe
[2011/04/22 11:14:00 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\ZZZZZ\Desktop\Tdsskiller.exe.exe
[2011/04/19 14:26:17 | 000,005,110 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\Attach.zip
[2011/04/19 14:16:00 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\dds.scr
[2011/04/19 14:11:19 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\ERUNT.lnk
[2011/04/19 14:10:09 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\ZZZZZ\Desktop\erunt-setup.exe
[2011/04/19 14:05:28 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/16 14:25:43 | 000,013,560 | -HS- | M] () -- C:\Documents and Settings\ZZZZZ\Local Settings\Application Data\y26fl6u3dlvqhk4y3xi2gf658qow21ch7426l1f62q7
[2011/04/16 14:25:43 | 000,013,560 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\y26fl6u3dlvqhk4y3xi2gf658qow21ch7426l1f62q7
[2011/04/16 14:18:00 | 000,432,448 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20110416-220544.backup
[2011/04/15 23:29:46 | 000,001,876 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\OANDA fxTrade.lnk
[2011/04/15 09:51:04 | 000,294,552 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/15 07:53:41 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/15 07:49:19 | 000,448,530 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2011/04/15 07:49:19 | 000,074,932 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2011/04/13 11:44:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/04/07 10:13:04 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/07 09:57:40 | 000,001,696 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2011/04/05 19:26:51 | 000,000,240 | ---- | M] () -- C:\srch_site_1.gif
[2011/04/05 19:26:50 | 000,000,380 | ---- | M] () -- C:\edu.bmp
[2011/04/05 19:26:50 | 000,000,304 | ---- | M] () -- C:\dir.bmp
[2011/04/05 19:26:50 | 000,000,284 | ---- | M] () -- C:\srch_map_1.gif
[2011/04/05 19:26:50 | 000,000,279 | ---- | M] () -- C:\hj_1.gif
[2011/04/05 19:26:50 | 000,000,277 | ---- | M] () -- C:\mov_1.gif
[2011/04/05 19:26:50 | 000,000,274 | ---- | M] () -- C:\trav_1.gif
[2011/04/05 19:26:50 | 000,000,273 | ---- | M] () -- C:\srch_stk_1.gif
[2011/04/05 19:26:50 | 000,000,268 | ---- | M] () -- C:\ab_1.gif
[2011/04/05 19:26:50 | 000,000,265 | ---- | M] () -- C:\srch_ans_1.gif
[2011/04/05 19:26:50 | 000,000,138 | ---- | M] () -- C:\flk2.gif
[2011/04/05 19:26:50 | 000,000,121 | ---- | M] () -- C:\srch_nws_1.gif
[2011/04/05 19:26:50 | 000,000,113 | ---- | M] () -- C:\srch_aud_1.gif
[2011/04/05 19:26:50 | 000,000,113 | ---- | M] () -- C:\del_1.gif
[2011/04/05 19:26:49 | 000,000,235 | ---- | M] () -- C:\srch_1.gif
[2011/04/05 19:26:49 | 000,000,131 | ---- | M] () -- C:\srch_loc_1.gif
[2011/04/05 19:26:49 | 000,000,123 | ---- | M] () -- C:\srch_sh_1.gif
[2011/04/05 19:26:49 | 000,000,112 | ---- | M] () -- C:\srch_vid_1.gif
[2011/04/05 19:26:49 | 000,000,112 | ---- | M] () -- C:\srch_img_1.gif
[2011/04/04 19:27:01 | 000,000,155 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/03/30 12:24:54 | 000,000,776 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\Desktop\Shortcut to BB2K12.lnk
[2011/03/30 12:21:11 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\ZZZZZ\MogFame.dat
========== Files Created - No Company Name ==========
[2011/04/26 15:21:54 | 000,009,620 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\Extras.zip
[2011/04/26 15:21:46 | 000,012,618 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\OTL.zip
[2011/04/26 15:21:41 | 000,000,594 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\mbam-log-2011-04-26 (14-11-54).zip
[2011/04/26 13:57:55 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/25 12:45:57 | 000,005,290 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\Attach2.zip
[2011/04/25 00:24:02 | 000,005,639 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\log2.zip
[2011/04/24 23:27:30 | 004,328,852 | R--- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\ComboFix.exe
[2011/04/24 23:02:01 | 000,005,836 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\log1.zip
[2011/04/24 22:38:23 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/04/24 22:38:18 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/24 22:07:12 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/24 22:07:12 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/24 22:07:12 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/24 22:07:12 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/24 22:07:12 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/22 17:11:31 | 000,000,120 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\MBR.zip
[2011/04/22 13:58:00 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\MBR.dat
[2011/04/22 11:27:23 | 2683,375,616 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/19 14:26:17 | 000,005,110 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\Attach.zip
[2011/04/19 14:15:59 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\dds.scr
[2011/04/19 14:11:19 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\ERUNT.lnk
[2011/04/16 13:42:34 | 000,013,560 | -HS- | C] () -- C:\Documents and Settings\ZZZZZ\Local Settings\Application Data\y26fl6u3dlvqhk4y3xi2gf658qow21ch7426l1f62q7
[2011/04/16 13:42:34 | 000,013,560 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\y26fl6u3dlvqhk4y3xi2gf658qow21ch7426l1f62q7
[2011/04/15 23:29:46 | 000,001,876 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\OANDA fxTrade.lnk
[2011/04/15 21:51:25 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/07 10:13:04 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/05 19:26:51 | 000,000,240 | ---- | C] () -- C:\srch_site_1.gif
[2011/04/05 19:26:50 | 000,000,380 | ---- | C] () -- C:\edu.bmp
[2011/04/05 19:26:50 | 000,000,304 | ---- | C] () -- C:\dir.bmp
[2011/04/05 19:26:50 | 000,000,284 | ---- | C] () -- C:\srch_map_1.gif
[2011/04/05 19:26:50 | 000,000,279 | ---- | C] () -- C:\hj_1.gif
[2011/04/05 19:26:50 | 000,000,277 | ---- | C] () -- C:\mov_1.gif
[2011/04/05 19:26:50 | 000,000,274 | ---- | C] () -- C:\trav_1.gif
[2011/04/05 19:26:50 | 000,000,273 | ---- | C] () -- C:\srch_stk_1.gif
[2011/04/05 19:26:50 | 000,000,268 | ---- | C] () -- C:\ab_1.gif
[2011/04/05 19:26:50 | 000,000,265 | ---- | C] () -- C:\srch_ans_1.gif
[2011/04/05 19:26:50 | 000,000,138 | ---- | C] () -- C:\flk2.gif
[2011/04/05 19:26:50 | 000,000,121 | ---- | C] () -- C:\srch_nws_1.gif
[2011/04/05 19:26:50 | 000,000,113 | ---- | C] () -- C:\srch_aud_1.gif
[2011/04/05 19:26:50 | 000,000,113 | ---- | C] () -- C:\del_1.gif
[2011/04/05 19:26:49 | 000,000,235 | ---- | C] () -- C:\srch_1.gif
[2011/04/05 19:26:49 | 000,000,131 | ---- | C] () -- C:\srch_loc_1.gif
[2011/04/05 19:26:49 | 000,000,123 | ---- | C] () -- C:\srch_sh_1.gif
[2011/04/05 19:26:49 | 000,000,112 | ---- | C] () -- C:\srch_vid_1.gif
[2011/04/05 19:26:49 | 000,000,112 | ---- | C] () -- C:\srch_img_1.gif
[2011/03/31 17:08:00 | 000,001,791 | -HS- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\AlbumArtSmall.jpg
[2011/03/30 12:24:54 | 000,000,776 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Desktop\Shortcut to BB2K12.lnk
[2011/03/30 12:21:11 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\MogFame.dat
[2011/03/10 12:28:11 | 000,000,857 | -HS- | C] () -- C:\WINDOWS\System32\mmf.sys
[2009/11/11 17:26:18 | 000,067,080 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/11/11 16:43:53 | 000,003,625 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp m4a Codec.dat
[2009/11/11 16:42:00 | 000,003,400 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Windows Media Audio 10 Codec.dat
[2009/11/11 11:31:44 | 000,001,844 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Mp2 and BwfMp2 codec.dat
[2009/11/11 11:31:42 | 000,001,224 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Wave64 Codec.dat
[2009/11/11 11:31:40 | 000,002,228 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBPoweramp tooLame MP2 codec.dat
[2009/11/11 11:31:38 | 000,011,473 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Real Audio (Helix) Encoder.dat
[2009/11/11 11:31:26 | 000,001,206 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Dalet Codec.dat
[2009/11/11 11:31:24 | 000,003,008 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp WavPack Codec.dat
[2009/11/11 11:31:17 | 000,003,030 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
[2009/11/11 11:31:09 | 000,003,152 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat
[2009/11/11 11:31:02 | 000,003,107 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat
[2009/11/11 11:30:55 | 000,002,951 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp FLAC Codec.dat
[2009/11/11 11:30:48 | 000,002,843 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp [Calculate Audio CRC] Codec.dat
[2009/11/11 11:26:38 | 000,008,457 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp DSP Effects.dat
[2009/11/11 11:26:31 | 000,013,281 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-dBpoweramp Music Converter.dat
[2008/05/25 16:52:37 | 000,201,488 | ---- | C] () -- C:\WINDOWS\System32\MACD32.DLL
[2008/05/25 16:52:37 | 000,144,144 | ---- | C] () -- C:\WINDOWS\System32\MASE32.DLL
[2008/05/25 16:52:37 | 000,141,584 | ---- | C] () -- C:\WINDOWS\System32\MAMC32.DLL
[2008/05/25 16:52:37 | 000,063,248 | ---- | C] () -- C:\WINDOWS\System32\MASD32.DLL
[2008/05/25 16:52:35 | 000,033,040 | ---- | C] () -- C:\WINDOWS\System32\MA32.DLL
[2008/05/17 17:03:22 | 000,691,545 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2008/05/17 17:03:21 | 000,002,550 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2007/11/28 13:20:20 | 000,000,706 | ---- | C] () -- C:\WINDOWS\program.ini
[2007/11/28 12:47:08 | 000,000,005 | ---- | C] () -- C:\WINDOWS\System32\SySVTA.dat
[2007/11/28 12:46:52 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\VCEDIT.DLL
[2007/11/28 12:46:52 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\vorbisfile.dll
[2007/03/20 23:42:15 | 000,000,155 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/11/17 17:47:56 | 000,007,172 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\ezplay.cat
[2006/11/17 17:47:56 | 000,001,104 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\KRNWNVYP.inf
[2006/11/17 17:47:56 | 000,000,125 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\KRNWNVYP.ini
[2006/11/17 17:47:28 | 000,081,920 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\ezpinst.exe
[2006/11/17 17:47:28 | 000,007,176 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\pcouffin.cat
[2006/11/17 17:47:28 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\pcouffin.inf
[2006/11/12 01:04:23 | 000,000,039 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\EV Nova License.lcs
[2006/11/12 01:04:20 | 000,000,140 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\EV Nova Prefs.prf
[2006/08/20 22:22:26 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2006/06/12 20:03:18 | 000,001,350 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/03/04 14:10:42 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2006/02/25 11:33:44 | 000,000,080 | RHS- | C] () -- C:\WINDOWS\System32\44EFA58560.dll
[2006/02/04 18:47:50 | 000,000,013 | ---- | C] () -- C:\WINDOWS\System32\MSVCTSCP.DLL
[2005/12/27 18:34:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/12/10 04:06:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/12/10 04:06:00 | 001,519,616 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2005/12/10 04:06:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/12/10 04:06:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2005/12/10 04:06:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/12/10 04:06:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/12/10 04:06:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/12/10 04:06:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2005/12/10 04:06:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2005/12/10 04:06:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/12/10 04:06:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/09/12 17:30:49 | 000,000,708 | ---- | C] () -- C:\WINDOWS\System32\dxamph3.dll
[2005/09/03 16:38:14 | 000,000,074 | ---- | C] () -- C:\WINDOWS\BBW_INFO.INI
[2005/07/09 12:44:00 | 000,002,654 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/05/12 17:18:32 | 006,622,072 | R--- | C] () -- C:\WINDOWS\System32\SpoonUninstall.exe
[2005/05/04 17:45:49 | 000,000,253 | ---- | C] () -- C:\WINDOWS\WSHORTEN.INI
[2005/01/27 19:21:04 | 000,000,088 | ---- | C] () -- C:\WINDOWS\cspdbmt.INI
[2004/12/29 21:31:09 | 000,038,867 | ---- | C] () -- C:\WINDOWS\hpomdl03.dat
[2004/12/29 21:31:09 | 000,029,134 | ---- | C] () -- C:\WINDOWS\hpoins03.dat
[2004/12/15 19:52:50 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2004/12/14 01:03:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/09/05 22:06:51 | 000,000,504 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2004/08/23 19:38:12 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/02 18:39:06 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\IWUninstall.exe
[2004/07/22 19:13:03 | 000,000,151 | ---- | C] () -- C:\WINDOWS\ae.INI
[2004/05/31 23:03:39 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Local Settings\Application Data\fusioncache.dat
[2004/05/30 21:10:53 | 000,014,870 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/02/10 22:16:28 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/01/24 14:33:40 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/01/23 23:25:02 | 000,000,174 | ---- | C] () -- C:\WINDOWS\System32\mcini.ini
[2004/01/23 19:24:35 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2004/01/18 20:46:05 | 000,060,416 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/01/14 21:03:10 | 000,001,134 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2004/01/14 00:27:00 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\PFP110JPR.{PB
[2004/01/14 00:27:00 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\ZZZZZ\Application Data\PFP110JCM.{PB
[2004/01/13 23:48:47 | 000,000,291 | ---- | C] () -- C:\WINDOWS\EReg072.dat
[2004/01/08 23:33:52 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/01/08 23:30:43 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/01/08 23:26:47 | 000,000,258 | ---- | C] () -- C:\WINDOWS\System32\BDEMERGE.INI
[2004/01/08 23:24:00 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/01/08 23:22:55 | 000,000,202 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/01/08 23:18:55 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/01/08 23:05:52 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/01/08 23:04:10 | 000,448,530 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/01/08 23:04:10 | 000,074,932 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/01/08 23:03:59 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/01/08 22:51:04 | 000,000,546 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/01/05 02:30:18 | 000,565,248 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/09/16 23:52:30 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\VORBIS.DLL
[2003/09/16 23:43:32 | 000,070,144 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2003/09/16 23:41:44 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\OGG.DLL
[2003/08/13 23:54:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/08/07 14:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2002/09/03 10:05:08 | 000,294,552 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2002/09/03 09:59:14 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 09:56:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/09/03 09:31:46 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2002/09/03 09:31:44 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2002/08/29 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2002/08/29 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2002/08/29 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2002/08/29 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2002/08/29 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2002/08/29 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[1999/03/13 19:00:56 | 000,000,136 | ---- | C] () -- C:\WINDOWS\System32\mstraps.dll
[1998/10/24 01:00:00 | 000,000,700 | -HS- | C] () -- C:\WINDOWS\xv1mdrv691928.drv
[1998/10/24 00:00:00 | 000,000,700 | -HS- | C] () -- C:\WINDOWS\System32\xv1mdrv601928.sys
[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
< End of report >
Great,
ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
Hi Ken,
Completed running the scan you asked. Still no popups or redirects, but it looks like ESET found a few things.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip Win32/Bagle.gen.zip worm
C:\Program Files\AIM\aim95.exe Win32/Adware.WBug.A application
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0001399.exe a variant of Win32/Kryptik.MRH trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0001400.exe a variant of Win32/Kryptik.MRH trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0001401.exe a variant of Win32/Kryptik.MRH trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000048.exe a variant of Win32/Kryptik.MRH trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000049.exe a variant of Win32/Kryptik.MRH trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0000050.exe a variant of Win32/Kryptik.MRH trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0001139.exe a variant of Win32/Injector.FVQ trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0001312.exe a variant of Win32/Kryptik.MRH trojan
Nothing really to get excited over, one file was found in Spybots quarantine folder so open Spybot and go to Recovery and remove all thats in there
As far as the rest, all but one was in your System Restore program so lets flush it all out
System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.
Please follow the steps below to create a clean restore point:
Click Start > Run > copy and paste the following into the run box:
%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created click Close.
Then remove all previous Restore Points
Click Start > Run > copy and paste the following into the run box:
cleanmgr
Choose to scan drive C:\ (if C:\ is your main drive).
At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.
Lets check this one
You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see. If the site says this file has been checked before, have them check it again
C:\Program Files\AIM\aim95.exe <--This file
If the site is busy you can try this one
http://virusscan.jotti.org/en
Hi Ken,
Followed your instructions. Log posted below. If necessary we can remove the entire program. It has not been in use for years.
And as always, thank you.
AhnLab-V3 2011.04.28.01 2011.04.28 -
AntiVir 7.11.7.75 2011.04.28 -
Antiy-AVL 2.0.3.7 2011.04.28 -
Avast 4.8.1351.0 2011.04.28 -
Avast5 5.0.677.0 2011.04.28 -
BitDefender 7.2 2011.04.28 -
CAT-QuickHeal 11.00 2011.04.28 -
ClamAV 0.97.0.0 2011.04.28 -
Commtouch 5.3.2.6 2011.04.28 -
Comodo 8506 2011.04.28 -
DrWeb 5.0.2.03300 2011.04.28 Adware.Aws
Emsisoft 5.1.0.5 2011.04.28 -
eSafe 7.0.17.0 2011.04.28 -
eTrust-Vet 36.1.8296 2011.04.28 -
F-Prot 4.6.2.117 2011.04.28 -
F-Secure 9.0.16440.0 2011.04.28 -
Fortinet 4.2.257.0 2011.04.28 -
GData 22 2011.04.28 -
Ikarus T3.1.1.103.0 2011.04.28 -
Jiangmin 13.0.900 2011.04.27 -
K7AntiVirus 9.98.4497 2011.04.27 -
Kaspersky 9.0.0.837 2011.04.28 -
McAfee 5.400.0.1158 2011.04.28 -
McAfee-GW-Edition 2010.1D 2011.04.28 -
Microsoft 1.6802 2011.04.28 -
NOD32 6078 2011.04.28 Win32/Adware.WBug.A
Norman 6.07.07 2011.04.28 -
Panda 10.0.3.5 2011.04.28 -
PCTools 7.0.3.5 2011.04.28 -
Prevx 3.0 2011.04.28 -
Rising 23.55.03.06 2011.04.28 -
Sophos 4.64.0 2011.04.28 DataApp
SUPERAntiSpyware 4.40.0.1006 2011.04.28 -
Symantec 20101.3.2.89 2011.04.28 -
TheHacker 6.7.0.1.184 2011.04.27 -
TrendMicro 9.200.0.1012 2011.04.28 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.28 -
VIPRE 9144 2011.04.28 -
ViRobot 2011.4.28.4435 2011.04.28 -
VirusBuster 13.6.325.0 2011.04.28 -
Additional informationShow all
MD5 : 908a4f292c9f20e949e2e06903e6f882
SHA1 : cc0af1beeb21b05f254e35d5267caf076849c30f
SHA256: a49203a524708de12f4c692f5e47c025617f1cd0d8c4dd6088ea174d01b93048
Well, its questionable, if you dont use it than uninstall it
How are things running now ?
Ok, will uninstall. Everything seems to be going ok otherwise. Ive only been using the computer minimally. I did not want to do anything to interfere with the cleanup process.
Go ahead and work it to death, post back in a day or two and give me an update
Will do. Is it ok to install /unistall/update programs again? Use the computer for personal banking etc....?
Well,it appears clean. Just remember to change your passwords and you should be ok
Yes, you can update programs
Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken
Hi Ken,
Hope you had a good weekend. I used the computer all weekend and everything seemed ok. The only thing I did notice was that when I browsed certain pages I would get a warning saying "Security Alert. You are about to view pages over a secure connection". Other than that everything seemed to be running smoothly.
Thats fine, you can read this
http://www.pagedowntech.com/faq/faq.asp?faqid=84
Hi Ken,
Thank you for that information. There is one more thing I noticed during a reboot after running cleanup in OTL. While Xp was loading before the "Welcome" screen there was another light blue screen that said "Please wait.........................." for about a minute. I never saw that happen before.
Other than that everything is still running smoothly. I am so gratefull for your help and expertise. I can't thank you enough for saving my computer.
Do you have any links or suggestions about the best way to go about learning more about computer security? This recent experience has really made me want to learn more about this.
Well, OTL cleaned out a lot of the programs we used along with there backups, it may take a reboot or two before its back to normal.
As far as leaning about removing malware, you may want to think about joining our classroom, but have to tell ya its not for the weak of heart, it will take time and commitment on your part, if your interested you can sign up here
http://forums.whatthetech.com/index.php?showtopic=80368
Take care,
Ken :)
Thanks for everything Ken. I will be making a donation to the forum.
And, Thank you for the link. I dont think I will be able to find the necessary time right now for it due to other obligations, but I will seriously consider it for the future.
Best wish to you,
C.W.C :)
:bigthumb:
Take care,
Ken :)