View Full Version : Click.GiftLoad Removal Help!
soul4soul
2011-04-23, 20:24
Hi
My computer has been infected with Click.GiftLoad for about the last 5 days. My computer is experiencing all the same symptoms as this guy
(http://www.wiki.spybot.info/showthread.php?t=61892)
I know I'm new to the forum but please help! Recently I keep getting redirected when I search things on Google, get fake virus reports, and my sound suddenly stops working. In general my computer is a lot slower and I have to remove the Click.GiftLoad on Spybot every day to get my computer to run normally (but it won't stop appearing!). In my Task Manager there are also multiple svchost.exe processes running.
Also my System Restore stopped working and twice I have gotten a svchost.exe error. I'd say about a month ago I got one of those fake Microsoft Security Center viruses but I used System Restore and it went away, so maybe this is just something that was left over. I actually was kinda stupid and followed the help given in that thread before I noticed the sticky saying not to do that. So now here I am posting to get some real help.
I know you'll probably see this in the reports but so you know I have SB and MBAM. I installed them 5 days ago right after I noticed I was getting Google redirects. I use MSE for anti-virus protection, and I have CCleaner and I run it regularly (mostly after I add or remove a program). Oh, lastly, I have a few times before gone into the Windows registry and deleted stuff; I would search the registry for programs I've removed looking for left over information that wasn't deleted and I'd delete it manually.
I hope I haven't done anything too stupid that is irreversible. I look forward to getting help and getting this off my computer.
.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Lord at 12:59:52.81 on Sat 04/23/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1467 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Lord\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uLocal Page =
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\lord\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} -
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\lord\applic~1\mozilla\firefox\profiles\ns2o3ouy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55273
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8888
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-3-3 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-3-3 15856]
S1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2009-6-29 244608]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
S1 MpKsl2367828d;MpKsl2367828d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d425190-4599-4da0-8e2e-4ee5ec030ba3}\mpksl2367828d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d425190-4599-4da0-8e2e-4ee5ec030ba3}\MpKsl2367828d.sys [?]
S1 MpKsla5c5fa87;MpKsla5c5fa87;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d169990f-bc33-4b6b-82b7-63fd0528929b}\mpksla5c5fa87.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d169990f-bc33-4b6b-82b7-63fd0528929b}\MpKsla5c5fa87.sys [?]
S1 MpKslb0fe2e80;MpKslb0fe2e80;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e0e98532-b5d7-4909-99d2-d34b8a22cbb6}\mpkslb0fe2e80.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e0e98532-b5d7-4909-99d2-d34b8a22cbb6}\MpKslb0fe2e80.sys [?]
S1 MpKslbf8fe406;MpKslbf8fe406;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ca88cd10-8669-4943-beff-1157a933ca7c}\mpkslbf8fe406.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ca88cd10-8669-4943-beff-1157a933ca7c}\MpKslbf8fe406.sys [?]
S1 MpKslcefc53da;MpKslcefc53da;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8dc3ca08-2d57-46e5-8955-c1f1cb43d965}\mpkslcefc53da.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8dc3ca08-2d57-46e5-8955-c1f1cb43d965}\MpKslcefc53da.sys [?]
S1 MpKsldf37030e;MpKsldf37030e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b6c30763-7f6c-421b-b864-daa92d8cf64b}\mpksldf37030e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b6c30763-7f6c-421b-b864-daa92d8cf64b}\MpKsldf37030e.sys [?]
S1 MpKsle49a001f;MpKsle49a001f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9ef5287b-a0b5-4213-8ccc-4d7dc910ca46}\mpksle49a001f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9ef5287b-a0b5-4213-8ccc-4d7dc910ca46}\MpKsle49a001f.sys [?]
S1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-3-3 25584]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\saibsvc.exe --> c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [?]
S2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2010-9-27 8192]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;"c:\program files\roxio creator 2009 ultimate\digital home 11\roxioupnpservice11.exe" --> c:\program files\roxio creator 2009 ultimate\digital home 11\RoxioUpnpService11.exe [?]
S2 RoxLiveShare11;LiveShare P2P Server 11;"c:\program files\common files\roxio shared\11.0\sharedcom\roxliveshare11.exe" --> c:\program files\common files\roxio shared\11.0\sharedcom\RoxLiveShare11.exe [?]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;"c:\program files\common files\roxio shared\11.0\sharedcom\roxwatch11.exe" --> c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatch11.exe [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\roxio creator 2009 ultimate\digital home 11\roxioupnprenderer11.exe" --> c:\program files\roxio creator 2009 ultimate\digital home 11\RoxioUPnPRenderer11.exe [?]
S3 RoxMediaDB11;RoxMediaDB11;"c:\program files\common files\roxio shared\11.0\sharedcom\roxmediadb11.exe" --> c:\program files\common files\roxio shared\11.0\sharedcom\RoxMediaDB11.exe [?]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-04-23 02:25:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-23 02:11:38 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4f3fb5b8-33ba-46f8-8e0b-f95003a87ed9}\MpKsl3697d962.sys
2011-04-23 00:49:50 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4f3fb5b8-33ba-46f8-8e0b-f95003a87ed9}\mpengine.dll
2011-04-23 00:10:59 -------- d-sha-r- C:\cmdcons
2011-04-22 17:01:58 -------- d-----w- c:\program files\CP-Autos
2011-04-21 21:44:47 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-04-21 21:44:47 -------- d-----w- c:\documents and settings\all users\Microsoft
2011-04-21 21:39:24 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-04-21 16:27:15 -------- d-----w- c:\docume~1\lord\applic~1\Malwarebytes
2011-04-21 16:27:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 16:27:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-21 16:27:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 16:27:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-21 16:04:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-21 16:04:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-21 03:43:28 -------- d-----w- c:\docume~1\lord\locals~1\applic~1\Microsoft Help
2011-04-20 18:04:25 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-20 18:04:25 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 16:00:25 -------- d-----w- c:\windows\Sonic
2011-04-18 21:39:12 -------- d-----w- c:\program files\Bonjour
2011-04-15 22:01:01 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-04-15 22:00:47 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-04-15 21:59:45 -------- d-----w- c:\windows\system32\RsFx
2011-04-15 21:56:37 -------- d-----w- c:\program files\Microsoft SQL Server
2011-04-15 19:18:21 -------- d-----w- c:\docume~1\lord\applic~1\TweakNow RegCleaner 2011
2011-04-12 17:05:13 -------- d-----w- c:\docume~1\lord\locals~1\applic~1\Adobe
2011-04-10 03:34:22 112832 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vcexpress\10.0\1033\ResourceCache.dll
2011-04-08 22:19:49 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-05 02:45:25 -------- d-----w- c:\docume~1\lord\locals~1\applic~1\PCTeX
2011-04-05 02:44:54 -------- d-----w- c:\program files\PCTeX
2011-04-01 16:36:42 -------- d-----w- c:\program files\Ghostgum
2011-04-01 16:32:30 -------- d-----w- c:\program files\gs
2011-04-01 15:50:08 -------- d-----w- c:\program files\common files\Adobe-BackupByPhotoshopCS5Portable
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ------w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ------w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ------w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ------w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ------w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ------w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ------w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ------w- c:\windows\system32\mfc42u.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ------w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ------w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500AAJS-75VWA0 rev.12.01B02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SahdIa32.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8B94F0]<<
c:\windows\system32\drivers\SahdIa32.sys Sonic Solutions
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a8bf7d0]; MOV EAX, [0x8a8bf84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A8C9AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A912918]
5 SahdIa32[0xF7658939] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000066[0x8A8CC098]
7 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A93FD98]
\Driver\atapi[0x8A90FEB8] -> IRP_MJ_CREATE -> 0x8A8B94F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A8B933B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:00:56.87 ===============
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
Just copy and paste any logs or reports we ask for into the thread; there is no need to quote them.
You're infected with a Rootkit. I am going to have you run TDSSKiller, but the variant you may have may prevent it from running, and if that's the case we will use another method to remove it.
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)
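The analyst's call above rests on a handful of lines in the DDS output: the GMER rootkit section (the DriverStartIo hook on atapi and the TDL3 warning), the disabled antivirus entries, the orphaned "No File" browser add-ons, and the Firefox proxy preferences. As an added example that is not part of this thread or of DDS itself, the script below parses a DDS-style log into its sections and pulls those indicators out; the sample log is constructed in the same format, and it treats a 127.0.0.1 proxy entry as inert when network.proxy.type is not manual, which is exactly the situation in the log above.

```python
"""Triage helper for DDS-style diagnostic logs (added example, not from the thread).

Splits a DDS log on its '===== NAME =====' headers and extracts the indicators an
analyst reads first: kernel hooks and warnings from the GMER rootkit section,
disabled antivirus, orphaned browser add-ons, and Firefox proxy/search prefs.
The sample log is constructed and only modelled on the thread's DDS output.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
AV_RE = re.compile(r"^AV:\s*(.+?)\s*\*(?P<state>[^*]+)\*")
PREF_RE = re.compile(r"^FF - prefs\.js:\s*(\S+)\s*-\s*(.*)$")


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group lines under the most recent section header; pre-header lines go to HEADER."""
    sections: Dict[str, List[str]] = {"HEADER": []}
    current = "HEADER"
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
            continue
        if line and line != ".":  # DDS prints a lone '.' as a spacer
            sections[current].append(line)
    return sections


def header_findings(lines: List[str]) -> List[Finding]:
    """Flag antivirus products DDS reports as disabled."""
    out: List[Finding] = []
    for line in lines:
        m = AV_RE.match(line)
        if m and "disabled" in m.group("state").lower():
            out.append(("medium", f"antivirus disabled: {m.group(1)}"))
    return out


def hjt_findings(lines: List[str]) -> List[Finding]:
    """Registered BHOs/toolbars whose DLL is gone: leftovers worth cleaning, not proof of infection."""
    return [("low", f"orphaned browser add-on entry: {line}")
            for line in lines
            if line.startswith(("BHO:", "TB:")) and line.endswith("- No File")]


def firefox_findings(lines: List[str]) -> List[Finding]:
    """Proxy prefs only matter when the proxy type is manual (1); type 0 means no proxy."""
    prefs = {m.group(1): m.group(2) for m in map(PREF_RE.match, lines) if m}
    out: List[Finding] = []
    if prefs.get("network.proxy.type") == "1":
        for key in ("network.proxy.http", "network.proxy.ssl"):
            if key in prefs:
                port = prefs.get(key + "_port", "?")
                out.append(("high", f"manual proxy active: {key} -> {prefs[key]}:{port}"))
    elif "network.proxy.http" in prefs or "network.proxy.ssl" in prefs:
        out.append(("info", "proxy host set but network.proxy.type is not manual; inert"))
    if prefs.get("keyword.URL"):
        out.append(("low", f"address-bar search rewritten to: {prefs['keyword.URL']}"))
    return out


def rootkit_findings(lines: List[str]) -> List[Finding]:
    """Read the GMER block: hook entries after 'detected hooks:', warnings, MBR read errors."""
    out: List[Finding] = []
    in_hooks = False
    for line in lines:
        if line.startswith("detected hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            if line.startswith("\\"):  # e.g. '\Driver\atapi DriverStartIo -> 0x...'
                out.append(("high", f"kernel hook: {line}"))
                continue
            in_hooks = False
        if line.lower().startswith("warning:"):
            out.append(("high", line))
        elif line.startswith("error: Read"):
            out.append(("medium", f"disk read failed during MBR check: {line}"))
    return out


def triage(log: str) -> List[Finding]:
    s = split_sections(log)
    return (header_findings(s.get("HEADER", []))
            + hjt_findings(s.get("PSEUDO HJT REPORT", []))
            + firefox_findings(s.get("FIREFOX", []))
            + rootkit_findings(s.get("ROOTKIT", [])))


# Constructed sample in DDS format (hook address and orphaned GUIDs taken from the thread's log).
SAMPLE_LOG = """\
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
AV: Example Antivirus *Disabled/Updated* {00000000-0000-0000-0000-000000000000}
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.example.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Example Helper: {11111111-2222-3333-4444-555555555555} - c:\\program files\\example\\helper.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
.
================= FIREFOX ===================
.
FF - prefs.js: keyword.URL - hxxp://search.example-toolbar.test/Results.aspx?q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55273
FF - prefs.js: network.proxy.type - 0
.
=================== ROOTKIT ====================
.
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8A8B933B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:00:56.87 ===============
"""

if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    for sev, msg in sorted(triage(SAMPLE_LOG), key=lambda f: order[f[0]]):
        print(f"[{sev:6}] {msg}")
```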
soul4soul
2011-04-26, 03:03
Hey thanks for the reply. I just want to make sure you know that I tried following the advice given in the thread I linked to. At the time I didn't realize that was the wrong thing to do.
Going to try that on my infected PC now I'll report back when I'm done.
soul4soul
2011-04-26, 03:10
I guess I can't edit my previous post. I tried running TDSSKiller but it didn't work; I got one of those Microsoft error reports. If it matters it got up to 80% initialized.
You're doing fine; your Master Boot Record is infected. I am going to have you run Combofix. Combofix will check to see if there is a Recovery Console installed and if not will prompt you to install one; do so, because we need to fix the MBR through the Recovery Console.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
soul4soul
2011-04-26, 04:48
Nothing showed about needing to reinstall the Microsoft Recovery Console.
ComboFix 11-04-25.02 - Lord 04/25/2011 21:29:25.2.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1399 [GMT -4:00]
Running from: c:\documents and settings\Lord\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-26 to 2011-04-26 )))))))))))))))))))))))))))))))
.
.
2011-04-22 17:01 . 2011-04-22 17:01 -------- d-----w- c:\program files\CP-Autos
2011-04-21 21:44 . 2011-04-21 21:44 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-04-21 21:44 . 2011-04-21 21:44 -------- d-----w- c:\documents and settings\All Users\Microsoft
2011-04-21 21:39 . 2011-04-21 21:39 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-04-21 21:26 . 2011-04-21 21:26 -------- d-----r- C:\MSOCache
2011-04-21 16:27 . 2011-04-21 16:27 -------- d-----w- c:\documents and settings\Lord\Application Data\Malwarebytes
2011-04-21 16:27 . 2011-04-21 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-21 16:27 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 16:27 . 2011-04-21 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-21 16:27 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 16:04 . 2011-04-23 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-21 16:04 . 2011-04-21 16:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-21 03:43 . 2011-04-21 03:43 -------- d-----w- c:\documents and settings\Lord\Local Settings\Application Data\Microsoft Help
2011-04-20 18:04 . 2011-04-20 18:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 17:39 . 2011-04-21 14:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-04-20 16:00 . 2011-04-20 16:00 -------- d-----w- c:\windows\Sonic
2011-04-18 21:39 . 2011-04-18 21:39 -------- d-----w- c:\program files\Bonjour
2011-04-15 22:01 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-04-15 22:00 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-04-15 21:59 . 2011-04-15 21:59 -------- d-----w- c:\windows\system32\RsFx
2011-04-15 21:56 . 2011-04-15 21:59 -------- d-----w- c:\program files\Microsoft SQL Server
2011-04-15 19:18 . 2011-04-21 15:00 -------- d-----w- c:\documents and settings\Lord\Application Data\TweakNow RegCleaner 2011
2011-04-12 17:05 . 2011-04-12 17:05 -------- d-----w- c:\documents and settings\Lord\Local Settings\Application Data\Adobe
2011-04-12 16:31 . 2011-04-12 17:07 -------- d-----w- c:\program files\Common Files\Adobe
2011-04-10 03:34 . 2011-04-10 03:34 112832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
2011-04-08 22:19 . 2011-04-08 22:19 -------- d-----w- c:\windows\symbols
2011-04-08 22:19 . 2011-04-08 22:19 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-05 02:45 . 2011-04-05 02:45 -------- d-----w- c:\documents and settings\Lord\Local Settings\Application Data\PCTeX
2011-04-05 02:44 . 2011-04-05 02:44 -------- d-----w- c:\program files\PCTeX
2011-04-01 16:36 . 2011-04-01 16:36 -------- d-----w- c:\program files\Ghostgum
2011-04-01 16:32 . 2011-04-01 16:32 -------- d-----w- c:\program files\gs
2011-04-01 15:50 . 2011-04-12 16:38 -------- d-----w- c:\program files\Common Files\Adobe-BackupByPhotoshopCS5Portable
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2004-08-10 18:02 692736 ------w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-10 17:51 434176 ------w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 17:51 1857920 ------w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2004-08-10 17:51 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2004-08-10 17:51 61952 ------w- c:\windows\system32\tdc.ocx
2011-02-17 13:51 . 2004-08-10 17:51 81920 ------w- c:\windows\system32\ieencode.dll
2011-02-17 13:18 . 2004-08-10 17:51 455936 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 17:51 357888 ------w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-10 17:51 369664 ------w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-04-16 19:04 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-10 17:50 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2004-08-10 18:01 229888 ------w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2004-08-10 17:51 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-10 17:51 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-10 17:51 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 17:51 974848 ------w- c:\windows\system32\mfc42u.dll
2011-02-02 22:11 . 2010-04-23 18:00 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-10 18:01 2067456 ------w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-10 18:01 677888 ------w- c:\windows\system32\mstsc.exe
2011-03-18 17:53 . 2011-04-21 17:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
.
c:\documents and settings\Lord\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 23:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 18:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-06-10 12:28 13758464 ------w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-05-28 21:32 16132608 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-21 14:55 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
"c:\\Program Files\\Roxio 2010\\Venue\\Venue.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\UniServer\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
"c:\\UniServer\\usr\\local\\apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [3/3/2009 5:47 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [3/3/2009 5:47 PM 15856]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [6/29/2009 4:07 PM 244608]
R1 MpKsle016af81;MpKsle016af81;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0F808FE6-9676-4AE7-8497-F09D69E1B99A}\MpKsle016af81.sys [4/25/2011 9:20 PM 28752]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [3/3/2009 5:47 PM 25584]
R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [6/23/2009 5:40 PM 127352]
S1 MpKsl2367828d;MpKsl2367828d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D425190-4599-4DA0-8E2E-4EE5EC030BA3}\MpKsl2367828d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D425190-4599-4DA0-8E2E-4EE5EC030BA3}\MpKsl2367828d.sys [?]
S1 MpKsla5c5fa87;MpKsla5c5fa87;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D169990F-BC33-4B6B-82B7-63FD0528929B}\MpKsla5c5fa87.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D169990F-BC33-4B6B-82B7-63FD0528929B}\MpKsla5c5fa87.sys [?]
S1 MpKslb0fe2e80;MpKslb0fe2e80;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E0E98532-B5D7-4909-99D2-D34B8A22CBB6}\MpKslb0fe2e80.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E0E98532-B5D7-4909-99D2-D34B8A22CBB6}\MpKslb0fe2e80.sys [?]
S1 MpKslbf8fe406;MpKslbf8fe406;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA88CD10-8669-4943-BEFF-1157A933CA7C}\MpKslbf8fe406.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA88CD10-8669-4943-BEFF-1157A933CA7C}\MpKslbf8fe406.sys [?]
S1 MpKslcefc53da;MpKslcefc53da;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DC3CA08-2D57-46E5-8955-C1F1CB43D965}\MpKslcefc53da.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DC3CA08-2D57-46E5-8955-C1F1CB43D965}\MpKslcefc53da.sys [?]
S1 MpKsldf37030e;MpKsldf37030e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B6C30763-7F6C-421B-B864-DAA92D8CF64B}\MpKsldf37030e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B6C30763-7F6C-421B-B864-DAA92D8CF64B}\MpKsldf37030e.sys [?]
S1 MpKsle49a001f;MpKsle49a001f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9EF5287B-A0B5-4213-8CCC-4D7DC910CA46}\MpKsle49a001f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9EF5287B-A0B5-4213-8CCC-4D7DC910CA46}\MpKsle49a001f.sys [?]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe --> c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 KMService;KMService;c:\windows\system32\srvany.exe [9/27/2010 8:40 PM 8192]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;"c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe" --> c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe [?]
S2 RoxLiveShare11;LiveShare P2P Server 11;"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe" --> c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [?]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe" --> c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [7/24/2009 8:33 AM 219632]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [?]
S3 RoxMediaDB11;RoxMediaDB11;"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe" --> c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [?]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [7/24/2009 8:33 AM 1116656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 11:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLE016AF81
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-04-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-04-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-04-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uLocal Page =
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
FF - ProfilePath - c:\documents and settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55273
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8888
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 21:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500AAJS-75VWA0 rev.12.01B02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A6EE33B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3908872593-1432629759-1091945336-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1592)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-25 21:43:25
ComboFix-quarantined-files.txt 2011-04-26 01:43
.
Pre-Run: 149,452,779,520 bytes free
Post-Run: 150,374,219,776 bytes free
.
- - End Of File - - 3D3E20154610CA198B8BE5D9014E051D
soul4soul
2011-04-26, 05:57
Oh yeah, you will see in that log there is something called "nvcpl.dll"; I believe it is for my graphics card. It always puts itself back in startup even after I disable it with CCleaner. Is there a way to stop it from doing that? In that log at the bottom I noticed something called Conduit. A while back a toolbar was installed on my PC; it was called Conduit Engine. I'm still not confident all traces of it have been removed, and that program seemed like trouble. So if you know anything about it, perhaps you can make sure all of that program is removed too. I thought it was, but now that I see it in that log I'm worried. Lastly, what is a good website to read about rootkits? What are they?
I hope none of this is a bother; it seems relevant, especially that Conduit Engine.
Thanks for the help so far.
I am more concerned about the rootkit; we can look for other stuff to remove later.
Just copy and paste any logs or reports we ask for into the thread; there is no need to quote them.
ComboFix did not install the Recovery Console because it detected one on your system. Be back in a bit.
soul4soul
2011-04-26, 16:11
Alright, sorry about that. I won't anymore.
Thanks, it's just easier for me to analyze. We need to fix your Master Boot Record, but before we run the fix I want to make sure it will work with your manufacturer-installed Recovery Console.
Just hang in; I will be back as soon as I can.
soul4soul
2011-04-26, 19:34
No problem. I'm glad you're checking before we just go at it.
What is the brand of your computer?
When you go to My Computer, do you see a recovery partition? Most likely D:.
soul4soul
2011-04-26, 20:54
I have a Dell Vostro 400 (not a mini tower).
When I open up My Computer I don't see a recovery partition, only my C: drive. But when I turn on the PC I have 3 options to choose from, which I never used to have before. One of them says Microsoft Windows Recovery Console.
Great, this is where we're at. Your Master Boot Record is infected with a rootkit and we need to remove it and write a new MBR. The only problem is that with a Dell you have a recovery partition, which you can use to bring your system back to the day you purchased it; that partition will be gone. So if you want to proceed, we can, but it's advisable to contact Dell and order Recovery Disks for your system.
This is what we need to do:
Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)
http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RC_BootMenu.gif
When you get to the above screen, take note of the number that references your operating system.
http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RConsole_A.png
If it's '1' like the picture above, type 1 and press Enter
It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.
http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RConsole_Fixmbr.png
Next type FIXMBR
http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RConsole_FixmbrB.png
If it asks if you're sure you want to write a new MBR, answer 'Y'
Then type EXIT to reboot the machine.
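The diagnosis above rests on what the posted logs show: Firefox proxy entries pointing at loopback, a rewritten keyword.URL, and the hook the MBR detector reported on \Driver\atapi DriverStartIo. The following is an added example, not part of this thread and not code from DDS, ComboFix, OTL or Gmer's tools: a Python triage script that pulls those three indicators out of constructed sample lines shaped like the posted output. The category names and sample values are constructed for the example, and the reading of the atapi hook as sitting beneath both of the detector's MBR reads (which is why "MBR OK" is not reassuring on its own) is my assumption about the helper's reasoning.

```python
import re

# Constructed sample lines, shaped like the DDS/ComboFix output posted in
# the thread (defanged "hxxp" kept as the tool writes it). Not a real log.
SAMPLE_LOG = "\n".join([
    "FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/",
    "FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=",
    "FF - prefs.js: network.proxy.http - 127.0.0.1",
    "FF - prefs.js: network.proxy.http_port - 55273",
    "FF - prefs.js: network.proxy.ssl - localhost",
    "FF - prefs.js: network.proxy.ssl_port - 8888",
    "FF - prefs.js: network.proxy.type - 0",
    "detected disk devices:",
    "detected hooks:",
    "\\Driver\\atapi DriverStartIo -> 0x8A6EE33B",
    "user & kernel MBR OK",
])

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")


def parse_ff_prefs(lines):
    """Collect the 'FF - prefs.js: <key> - <value>' entries into a dict.
    Firefox only writes non-default values to prefs.js, so every key seen
    here was set by the user or by some program."""
    prefs = {}
    for line in lines:
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def parse_hooks(lines):
    """Return the driver hook lines listed under 'detected hooks:'."""
    hooks, collecting = [], False
    for line in lines:
        s = line.strip()
        if s == "detected hooks:":
            collecting = True
            continue
        if collecting:
            if s.startswith("\\"):
                hooks.append(s)
            else:
                collecting = False
    return hooks


def proxy_active(prefs):
    """network.proxy.type 1 means 'manual proxy configuration'; 0 is direct."""
    return prefs.get("network.proxy.type") == "1"


def triage(log_text):
    """Return a list of (category, detail) findings for the log text."""
    lines = log_text.splitlines()
    prefs = parse_ff_prefs(lines)
    findings = []

    # A proxy host on loopback means some local process sits between the
    # browser and the network. Report it whether or not it is currently
    # switched on: the value had to be written by something.
    state = "active" if proxy_active(prefs) else "configured, proxy.type is not 1 (manual)"
    for scheme in ("http", "ssl"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port", "?")
        if host in LOOPBACK:
            findings.append(("loopback_proxy", f"{scheme} proxy {host}:{port}, {state}"))

    # keyword.URL controls where address-bar searches go; it does not
    # appear in prefs.js unless something changed it from the default.
    if prefs.get("keyword.URL"):
        findings.append(("keyword_url_set", prefs["keyword.URL"]))

    # Hooks on the disk driver path reported by the MBR detector. A hook on
    # DriverStartIo of the ATAPI driver sits beneath both the user-mode and
    # kernel-mode MBR reads (assumption), so "MBR OK" from those reads proves little.
    for h in parse_hooks(lines):
        if "DriverStartIo" in h:
            findings.append(("disk_driver_hook", h))

    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```

Run it as-is to see the four findings from the constructed sample; to use it on a real DDS or ComboFix log, pass the file contents to `triage()`. The proxy check deliberately reports loopback entries even when `network.proxy.type` is 0, because the question during cleanup is what wrote the setting, not only whether the browser is honouring it right now.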
soul4soul
2011-04-27, 04:08
I'm not worried about losing that partition; I didn't even know it existed. I have all the original discs from Dell if I need them, and if I were to or needed to do a complete re-install I'd go with Win7, so removing that is no problem for me. Will that partition space be completely lost? (I know it's not a lot of space; I'm just a little curious.)
Alright, I'm all done. My PC restarted normally.
:bigthumb:
Sometimes these rootkits bring friends along for a ride; let's check.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report, please.
soul4soul
2011-04-27, 16:00
I already had MBAM; I updated the database before I ran a scan.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6456
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
4/27/2011 8:59:27 AM
mbam-log-2011-04-27 (08-59-27).txt
Scan type: Quick scan
Objects scanned: 163868
Time elapsed: 3 minute(s), 4 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Let's run this scan and let me know how things are running now.
OTL by OldTimer
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
soul4soul
2011-04-27, 23:06
MBAM always showed up as clean.
Here is the first log, OTL.txt.
OTL logfile created on: 4/27/2011 3:56:14 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Lord\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.77 Gb Total Space | 139.77 Gb Free Space | 60.04% Space Free | Partition Type: NTFS
Computer Name: ALEX | User Name: Lord | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Lord\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe (CinemaNow, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Lord\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (RoxWatch11) -- File not found
SRV - (RoxMediaDB11) -- File not found
SRV - (RoxLiveShare11) -- File not found
SRV - (Roxio Upnp Server 11) -- File not found
SRV - (Roxio UPnP Renderer 11) -- File not found
SRV - (getPlus(R) Helper) getPlus(R) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) -- File not found
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV - (KMService) -- C:\WINDOWS\system32\srvany.exe ()
SRV - (RoxWatch12) -- C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe (Sonic Solutions)
SRV - (RoxMediaDB12) -- C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe (Sonic Solutions)
SRV - (CinemaNow Service) -- C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe (CinemaNow, Inc.)
========== Driver Services (SafeList) ==========
DRV - (c2scsi) -- C:\WINDOWS\System32\drivers\c2scsi.sys (Sonic Solutions)
DRV - (SaibVd32) -- C:\WINDOWS\system32\drivers\SaibVd32.sys (Sonic Solutions)
DRV - (SahdIa32) -- C:\WINDOWS\System32\Drivers\SahdIa32.sys (Sonic Solutions)
DRV - (SaibIa32) -- C:\WINDOWS\System32\Drivers\SaibIa32.sys (Sonic Solutions)
DRV - (RsFx0103) -- C:\WINDOWS\system32\drivers\RsFx0103.sys (Microsoft Corporation)
DRV - (RxFilter) -- C:\WINDOWS\system32\drivers\RxFilter.sys (Sonic Solutions)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (LHidKe) -- C:\WINDOWS\system32\drivers\LHidKE.Sys (Logitech Inc.)
DRV - (LMouKE) -- C:\WINDOWS\system32\drivers\LMouKE.Sys (Logitech Inc.)
DRV - (TIEHDUSB) -- C:\WINDOWS\system32\drivers\tiehdusb.sys (Texas Instruments Incorporated)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
========== FireFox ==========
FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.order.2: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 55273
FF - prefs.js..network.proxy.no_proxies_on: ""
FF - prefs.js..network.proxy.ssl: "localhost"
FF - prefs.js..network.proxy.ssl_port: 8888
FF - prefs.js..network.proxy.type: 0
FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/05/21 10:56:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2011/04/01 11:52:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/21 13:58:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
[2010/07/09 09:54:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Extensions
[2011/03/11 10:34:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\extensions
[2010/04/28 15:14:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/22 13:45:06 | 000,000,000 | ---D | M] (RedShift V3) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\extensions\redshift_V2@shift-themes.com
[2009/08/01 23:16:25 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\searchplugins\search-the-web.xml
[2011/04/21 13:58:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\LORD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NS2O3OUY.DEFAULT\EXTENSIONS\{CD6C4EBF-366E-45A0-98B5-B8217288EED7}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\LORD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NS2O3OUY.DEFAULT\EXTENSIONS\TESTPILOT@LABS.MOZILLA.COM.XPI
[2010/04/08 06:58:22 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/03/18 13:53:24 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
O1 HOSTS File: ([2011/04/22 20:27:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Oracle)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No CLSID value found.
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - Startup: C:\Documents and Settings\Lord\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_21.dll (Oracle)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: cinemanow.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: cinemanow.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: qflix.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: roxio.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: sonic.com ([redirect] http in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: sonic.com ([redirect2] http in Trusted sites)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.237.161.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Dell.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/04/27 15:55:01 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lord\Desktop\OTL.exe
[2011/04/27 09:02:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/04/27 08:55:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/04/27 08:54:59 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Lord\Desktop\ATF-Cleaner.exe
[2011/04/25 21:25:52 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/25 21:25:52 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/25 21:25:52 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/25 21:25:52 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/25 21:25:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/25 20:08:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\tdsskiller
[2011/04/23 12:57:02 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/23 12:57:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/23 12:56:42 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Lord\Desktop\erunt-setup.exe
[2011/04/22 22:25:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/04/22 20:54:25 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Lord\Recent
[2011/04/22 20:10:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/22 20:06:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/22 13:01:58 | 000,000,000 | ---D | C] -- C:\Program Files\CP-Autos
[2011/04/22 12:22:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/22 12:22:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/04/21 18:06:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2011/04/21 17:44:47 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2011/04/21 17:44:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Microsoft
[2011/04/21 17:39:24 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio 8
[2011/04/21 17:26:20 | 000,000,000 | R--D | C] -- C:\MSOCache
[2011/04/21 13:58:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/04/21 12:27:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\Malwarebytes
[2011/04/21 12:27:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/21 12:27:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/21 12:27:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/21 12:27:02 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/21 12:27:02 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/21 12:04:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/04/21 12:04:26 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/04/21 12:04:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/04/21 10:51:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2011/04/21 10:50:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/20 23:43:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Local Settings\Application Data\Microsoft Help
[2011/04/20 23:35:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2011/04/20 15:02:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\(DONE) African Diaspora Mathematics Compendium, Volume 4-ALL LATEX
[2011/04/20 14:04:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\Help
[2011/04/20 12:54:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/20 12:54:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/20 12:00:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sonic
[2011/04/19 16:30:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\world
[2011/04/18 17:39:12 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/04/15 18:01:01 | 000,050,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
[2011/04/15 18:00:47 | 000,079,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
[2011/04/15 17:59:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\RsFx
[2011/04/15 17:56:37 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2011/04/15 15:18:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\TweakNow RegCleaner 2011
[2011/04/12 14:53:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Products
[2011/04/12 13:05:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Local Settings\Application Data\Adobe
[2011/04/12 12:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\Adobe
[2011/04/12 12:31:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/04/12 09:32:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\Transmission Lines Theory, Types and Applications
[2011/04/08 18:19:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\symbols
[2011/04/08 18:19:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Help Viewer
[2011/04/06 16:20:16 | 000,107,808 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\dns-sd.exe
[2011/04/06 16:20:16 | 000,091,424 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\dnssd.dll
[2011/04/04 22:45:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Local Settings\Application Data\PCTeX
[2011/04/04 22:45:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PCTeX
[2011/04/04 22:44:54 | 000,000,000 | ---D | C] -- C:\Program Files\PCTeX
[2011/04/01 16:53:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\My Documents\My PCTeX Files
[2011/04/01 12:36:42 | 000,000,000 | ---D | C] -- C:\Program Files\Ghostgum
[2011/04/01 12:32:30 | 000,000,000 | ---D | C] -- C:\Program Files\gs
[2011/04/01 11:53:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe
[2011/04/01 11:50:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe-BackupByPhotoshopCS5Portable
[2011/04/01 11:50:08 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/03/31 10:18:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\Machine Tools Design, Reliability and Safety
[2011/03/31 10:18:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\Advances in Sociology Research Volume 10
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2011/04/27 15:55:01 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lord\Desktop\OTL.exe
[2011/04/27 15:51:37 | 000,235,289 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2011/04/27 15:51:10 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
[2011/04/27 15:50:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/27 15:50:48 | 2145,566,720 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/27 08:57:17 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/04/27 08:55:00 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Lord\Desktop\ATF-Cleaner.exe
[2011/04/25 21:24:11 | 004,330,054 | R--- | M] () -- C:\Documents and Settings\Lord\Desktop\Combo-Fix.exe
[2011/04/25 20:08:04 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\tdsskiller.zip
[2011/04/25 20:04:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/23 13:01:47 | 000,003,801 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\Attach.zip
[2011/04/23 12:57:30 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\dds.scr
[2011/04/23 12:57:04 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Lord\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/04/23 12:57:02 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\ERUNT.lnk
[2011/04/23 12:56:43 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Lord\Desktop\erunt-setup.exe
[2011/04/23 12:31:24 | 000,340,240 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/22 20:27:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/04/22 20:11:06 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/04/22 20:09:42 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/22 18:37:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
[2011/04/21 13:58:48 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Lord\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/21 13:58:48 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/04/21 13:50:40 | 000,003,584 | ---- | M] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/21 12:27:06 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/21 12:04:30 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\Spybot - Search & Destroy.lnk
[2011/04/20 13:10:49 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/04/20 07:14:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/04/18 18:53:58 | 000,000,019 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2011/04/18 18:32:29 | 000,630,932 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/18 18:32:29 | 000,136,800 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/18 17:44:31 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/12 12:43:14 | 000,011,495 | ---- | M] () -- C:\Documents and Settings\Lord\gsview32.ini
[2011/04/09 23:23:58 | 000,000,165 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2011/04/09 22:52:51 | 000,001,542 | -HS- | M] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/09 22:52:51 | 000,001,542 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/08 16:42:37 | 000,002,373 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\Remere's Map Editor.lnk
[2011/04/06 16:20:16 | 000,107,808 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\dns-sd.exe
[2011/04/06 16:20:16 | 000,091,424 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\dnssd.dll
[2011/04/04 22:45:04 | 000,000,750 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\PCTeXv5.lnk
[2011/04/04 18:17:40 | 000,014,910 | -HS- | M] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\0810l5u6odc6bt4h
[2011/04/04 18:17:40 | 000,014,910 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0810l5u6odc6bt4h
[2011/04/03 12:03:59 | 000,014,183 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\test.otbm
[2011/04/01 16:25:00 | 000,000,043 | ---- | M] () -- C:\WINDOWS\gswin32.ini
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2011/04/25 21:25:52 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/25 21:25:52 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/25 21:25:52 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/25 21:25:52 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/25 21:25:52 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/25 21:24:05 | 004,330,054 | R--- | C] () -- C:\Documents and Settings\Lord\Desktop\Combo-Fix.exe
[2011/04/25 20:07:59 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\tdsskiller.zip
[2011/04/25 20:04:06 | 2145,566,720 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/23 13:01:47 | 000,003,801 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\Attach.zip
[2011/04/23 12:57:30 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\dds.scr
[2011/04/23 12:57:04 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Lord\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/04/23 12:57:02 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\ERUNT.lnk
[2011/04/22 20:11:01 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/21 13:58:48 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Lord\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/21 13:58:48 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/04/21 13:50:40 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/21 12:27:06 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/21 12:04:30 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\Spybot - Search & Destroy.lnk
[2011/04/20 14:02:01 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/20 13:10:49 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/04/09 23:23:58 | 000,000,165 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2011/04/09 22:52:43 | 000,001,542 | -HS- | C] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/09 22:52:43 | 000,001,542 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/04 22:45:04 | 000,000,750 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\PCTeXv5.lnk
[2011/04/04 18:15:55 | 000,014,910 | -HS- | C] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\0810l5u6odc6bt4h
[2011/04/04 18:15:55 | 000,014,910 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0810l5u6odc6bt4h
[2011/04/03 11:15:30 | 000,014,183 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\test.otbm
[2011/04/01 16:25:00 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2011/04/01 12:36:46 | 000,011,495 | ---- | C] () -- C:\Documents and Settings\Lord\gsview32.ini
[2011/02/06 11:34:25 | 009,566,435 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3908872593-1432629759-1091945336-1006-0.dat
[2011/02/06 11:34:10 | 000,347,274 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2010/09/27 20:40:55 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\srvany.exe
[2010/07/09 00:20:09 | 001,708,496 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/20 20:08:14 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/01/26 20:10:47 | 000,055,809 | ---- | C] () -- C:\WINDOWS\CP-FPCOS100.dll
[2009/12/04 15:07:54 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/23 22:09:27 | 000,000,019 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2009/06/21 11:53:14 | 000,000,025 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2009/06/10 08:29:34 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/06/10 08:29:34 | 001,657,376 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2009/06/10 08:29:34 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/06/10 08:29:34 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/06/10 08:29:34 | 000,449,056 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2009/06/10 08:29:34 | 000,436,768 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2009/06/10 08:29:32 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/06/10 06:03:00 | 001,580,550 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/03/07 13:41:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2009/01/25 01:45:09 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2009/01/24 13:25:42 | 000,000,039 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2008/10/13 15:48:47 | 000,072,516 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2008/08/12 09:29:05 | 001,245,696 | ---- | C] () -- C:\WINDOWS\System32\QtNetwork4.dll
[2008/08/12 09:29:05 | 000,505,344 | ---- | C] () -- C:\WINDOWS\System32\QtXml4.dll
[2008/08/01 10:16:24 | 000,063,984 | ---- | C] () -- C:\WINDOWS\DVDRGN.EXE
[2008/07/29 15:50:13 | 000,000,022 | ---- | C] () -- C:\WINDOWS\msnmsgr.exe.ini
[2008/06/21 12:44:05 | 010,436,608 | ---- | C] () -- C:\WINDOWS\System32\QtGui4.dll
[2008/06/21 12:44:05 | 002,660,864 | ---- | C] () -- C:\WINDOWS\System32\QtCore4.dll
[2008/06/21 12:44:05 | 000,015,960 | ---- | C] () -- C:\WINDOWS\System32\mingwm10.dll
[2008/05/22 15:52:33 | 000,001,160 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/05/21 22:32:49 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/21 21:55:45 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2008/05/21 20:59:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/05/16 19:08:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/05/16 19:04:37 | 000,000,611 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/05/16 18:45:26 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2008/05/16 18:44:22 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 14:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 14:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 14:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 14:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 13:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 13:57:15 | 000,340,240 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 13:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 13:51:20 | 000,630,932 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 13:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 13:51:20 | 000,136,800 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 13:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 13:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 13:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 13:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 13:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 13:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 13:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 13:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/01/30 16:07:46 | 000,245,408 | ---- | C] () -- C:\WINDOWS\System32\unicows.dll
========== LOP Check ==========
[2010/04/24 15:18:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CinemaNow
[2010/02/18 16:32:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PhotoShow Shared Assets
[2008/10/26 21:29:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2009/12/18 19:16:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/02/18 16:48:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2010/12/06 17:39:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2010/02/18 16:34:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/07/22 13:32:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/04/22 20:54:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lord\Application Data\BitTorrent
[2011/04/20 15:06:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lord\Application Data\FileZilla
[2010/12/13 15:54:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lord\Application Data\Notepad++
[2010/08/31 10:32:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lord\Application Data\Remere's Map Editor
[2011/01/31 22:37:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lord\Application Data\Tibia
[2011/04/21 11:00:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lord\Application Data\TweakNow RegCleaner 2011
[2011/04/27 15:58:29 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Lord\My Documents\just stuff.lua:DocumentSummaryInformation
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Lord\Desktop\template.dmsd:Roxio EMC Stream
@Alternate Data Stream - 48 bytes -> C:\Documents and Settings\All Users\DRM:مايكروسوفت
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\Lord\My Documents\just stuff.lua:SummaryInformation
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\Lord\My Documents\its my life.doc:SummaryInformation
< End of report >
soul4soul
2011-04-27, 23:07
OTL Extras logfile created on: 4/27/2011 3:56:14 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Lord\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.77 Gb Total Space | 139.77 Gb Free Space | 60.04% Space Free | Partition Type: NTFS
Computer Name: ALEX | User Name: Lord | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
[HKEY_USERS\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe" = C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe:*:Enabled:CinemaNow Media Manager -- (CinemaNow Inc.)
"C:\Program Files\Roxio 2010\Venue\Venue.exe" = C:\Program Files\Roxio 2010\Venue\Venue.exe:*:Enabled:Roxio Venue -- (Sonic Solutions)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\UniServer\usr\local\mysql\bin\mysqld-opt.exe" = C:\UniServer\usr\local\mysql\bin\mysqld-opt.exe:*:Enabled:mysqld-opt -- ()
"C:\UniServer\usr\local\apache2\bin\Apache.exe" = C:\UniServer\usr\local\apache2\bin\Apache.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Oracle)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{196E77C5-F524-4B50-BD1A-2C21EEE9B8F7}" = Microsoft SQL Server 2008 Common Files
"{1C997E1C-5CE9-4AF3-AAA9-DC65E6090827}" = Microsoft Expression Blend SDK for Silverlight 4
"{1D53B6F9-E66E-42D8-A221-4FF8AC134FD7}" = Roxio Activation Module
"{2012098D-EEE9-4769-8DD3-B038050854D4}" = Microsoft Silverlight 3 SDK
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{256E7DAC-9BE8-494E-8DE7-7857BF96B774}" = Microsoft Expression Blend 3 SDK
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java(TM) 6 Update 21
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3383136B-4F86-4F05-8612-DD4BB16A1EAE}" = Roxio Central
"{33AE9E89-47C9-4A0D-9E9D-BDD6966A3804}" = Microsoft SQL Server 2008 RsFx Driver
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{353FE16B-30FE-469A-BF55-B978F4218003}" = iTunes
"{38F48AED-66D8-464C-993E-C7296C7A199B}" = Intel(R) IPP Run-Time Installer 5.2 for Windows* on IA-32
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{46578609-AD6D-4E69-AC8F-28B89C090F3B}" = Roxio Creator 2010 Pro
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4815BD99-96A4-49FE-A885-DCF06E9E4E78}" = Microsoft SQL Server 2008 Database Engine Shared
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A6F34E2-09E5-4616-B227-4A26A488A6F9}" = Microsoft SQL Server 2008 Common Files
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{5491453D-8C3E-4785-AC5C-E9A4DABF378A}" = Roxio Venue
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{58721EC3-8D4E-4B79-BC51-1054E2DDCD10}" = Microsoft SQL Server 2008 Database Engine Services
"{59991D18-A988-45AB-B1BF-5ADE6E64CD3F}" = SnagIt 9
"{5A06423A-210C-49FB-950E-CB0EB8C5CEC7}" = Roxio BackOnTrack
"{5F8D931D-B230-47F3-A9C0-0C8CA459A332}" = Microsoft Expression Web 4
"{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}" = Roxio File Backup
"{65A79175-3C4C-41F4-92AF-BA1DDDBA0626}" = Roxio Burn Manager CDB
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6C122441-1861-4CD7-B1C5-A163A6984E12}" = CinemaNow Media Manager
"{733CDF24-0A93-426E-AA89-DF281EB54793}" = Roxio CinePlayer
"{74DC8A26-4E05-40B6-AD11-C9428A1AE150}" = Roxio Creator 2010 Pro
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel(R) PRO Network Connections 12.1.12.0
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{801B0DA3-A3FF-46CC-B97F-D76D510AF5AE}" = Microsoft Silverlight 4 SDK
"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
"{86DDDAAD-AEB9-42E5-BE01-0E8FABD2BB29}" = Roxio Video Capture USB
"{87A83C6F-F53C-448A-B078-FF00E3EAEB29}" = Roxio Disaster Recovery
"{89A15676-78AE-4D51-BF5B-DEE3E0D46C94}" = Roxio Creator 2010 Pro
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90140000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 14
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{906C01EE-B242-4197-AE85-6C506E1B869B}" = Roxio Burn Manager
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A00EC4E-27E1-42C4-98DD-662F32AC8870}" = Roxio CinePlayer Decoder Pack
"{9B3A1C97-A361-463E-8817-444F9F88CDFE}" = Microsoft Expression Blend SDK for .NET 4
"{9CBEAEF3-C6BA-4F0F-8DC2-03B12BC8CF2F}" = Remere's Map Editor
"{A06FE62B-CEBC-4E94-AED8-92DCC33BC8EA}" = Microsoft Expression Studio 4
"{A121EEDE-C68F-461D-91AA-D48BA226AF1C}" = Roxio Activation Module
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A33E7B0C-B99C-4EC9-B702-8A328B161AF9}" = Roxio Burn
"{A8B94669-8654-4126-BD28-D0D2412CDED6}" = TI Connect 1.6
"{AC76BA86-1033-F400-7760-000000000005}" = Adobe Acrobat X Pro - English, Français, Deutsch
"{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5153233-9AEE-4CD4-9D2C-4FAAC870DBE2}" = Microsoft SQL Server 2008 Database Engine Services
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C965F01C-76EA-4BD7-973E-46236AE312D7}" = Sql Server Customer Experience Improvement Program
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}" = Microsoft .NET Framework 4 Multi-Targeting Pack
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F3494AB6-6900-41C6-AF57-823626827ED8}" = Microsoft SQL Server 2008 Database Engine Shared
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"7-Zip" = 7-Zip 9.10 beta
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BitTorrent" = BitTorrent
"CCleaner" = CCleaner
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"ERUNT_is1" = ERUNT 1.1j
"ExpressionStudio_4.0.20525.0" = Microsoft Expression Studio 4
"FileZilla Client" = FileZilla Client 3.4.0
"GPL Ghostscript 9.00" = GPL Ghostscript 9.00
"GSview 4.9" = GSview 4.9
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Security Client" = Microsoft Security Essentials
"mIRC" = mIRC
"Mozilla Firefox 4.0 (x86 en-US)" = Mozilla Firefox 4.0 (x86 en-US)
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"PCTeXv5_is1" = PCTeX version 5.0
"PopCap Browser Plugin" = PopCap Browser Plugin
"RealPlayer 12.0" = RealPlayer
"SearchAssist" = SearchAssist
"VLC media player" = VLC media player 1.1.6
"Web_4.0.1165.0" = Microsoft Expression Web 4
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 4/22/2011 10:14:49 PM | Computer Name = ALEX | Source = Application Error | ID = 1001
Description = Fault bucket 1783041387.
Error - 4/22/2011 10:18:44 PM | Computer Name = ALEX | Source = Application Error | ID = 1000
Description = Faulting application TDSSKiller.exe, version 2.4.21.0, faulting module
TDSSKiller.exe, version 2.4.21.0, fault address 0x00056ec9.
Error - 4/22/2011 10:21:27 PM | Computer Name = ALEX | Source = Application Error | ID = 1000
Description = Faulting application 123abc.com, version 2.4.21.0, faulting module
123abc.com, version 2.4.21.0, fault address 0x00056ec9.
Error - 4/23/2011 10:27:45 AM | Computer Name = ALEX | Source = Application Error | ID = 1000
Description = Faulting application 123abc.com, version 2.4.21.0, faulting module
123abc.com, version 2.4.21.0, fault address 0x00056ec9.
Error - 4/23/2011 12:25:30 PM | Computer Name = ALEX | Source = Application Error | ID = 1000
Description = Faulting application 123abc.com, version 2.4.21.0, faulting module
123abc.com, version 2.4.21.0, fault address 0x00056ec9.
Error - 4/23/2011 12:42:41 PM | Computer Name = ALEX | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.
Error - 4/25/2011 8:08:42 PM | Computer Name = ALEX | Source = Application Error | ID = 1000
Description = Faulting application TDSSKiller.exe, version 2.4.21.0, faulting module
TDSSKiller.exe, version 2.4.21.0, fault address 0x00056ec9.
Error - 4/25/2011 8:09:56 PM | Computer Name = ALEX | Source = Application Error | ID = 1000
Description = Faulting application TDSSKiller.exe, version 2.4.21.0, faulting module
TDSSKiller.exe, version 2.4.21.0, fault address 0x00056ec9.
Error - 4/25/2011 9:31:42 PM | Computer Name = ALEX | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072efd, P2 endsearch, P3 search, P4 3.0.8107.0,
P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.
Error - 4/27/2011 9:02:41 AM | Computer Name = ALEX | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80240016, P2 begininstall, P3 install, P4
3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.
[ OSession Events ]
Error - 11/2/2009 9:29:05 AM | Computer Name = ALEX | Source = Microsoft Office 12 Sessions | ID = 7001
Description =
Error - 11/2/2009 9:36:33 AM | Computer Name = ALEX | Source = Microsoft Office 12 Sessions | ID = 7001
Description =
Error - 11/15/2009 7:24:39 PM | Computer Name = ALEX | Source = Microsoft Office 12 Sessions | ID = 7001
Description =
Error - 12/9/2009 9:20:36 PM | Computer Name = ALEX | Source = Microsoft Office 12 Sessions | ID = 7001
Description =
Error - 12/16/2009 6:11:36 PM | Computer Name = ALEX | Source = Microsoft Office 12 Sessions | ID = 7001
Description =
Error - 1/8/2010 2:43:33 PM | Computer Name = ALEX | Source = Microsoft Office 12 Sessions | ID = 7001
Description =
Error - 2/24/2010 11:32:29 AM | Computer Name = ALEX | Source = Microsoft Office 12 Sessions | ID = 7001
Description =
Error - 3/25/2010 6:34:07 AM | Computer Name = ALEX | Source = Microsoft Office 12 Sessions | ID = 7001
Description =
Error - 5/4/2010 6:58:59 AM | Computer Name = ALEX | Source = Microsoft Office 12 Sessions | ID = 7001
Description =
Error - 5/15/2010 10:58:34 AM | Computer Name = ALEX | Source = Microsoft Office 12 Sessions | ID = 7001
Description =
[ System Events ]
Error - 4/20/2011 10:50:46 PM | Computer Name = ALEX | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126
Error - 4/20/2011 10:50:46 PM | Computer Name = ALEX | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126
Error - 4/20/2011 10:50:47 PM | Computer Name = ALEX | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126
Error - 4/20/2011 10:50:47 PM | Computer Name = ALEX | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126
Error - 4/20/2011 10:50:47 PM | Computer Name = ALEX | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126
Error - 4/20/2011 10:50:47 PM | Computer Name = ALEX | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126
Error - 4/20/2011 10:50:47 PM | Computer Name = ALEX | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126
Error - 4/20/2011 10:50:47 PM | Computer Name = ALEX | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126
Error - 4/20/2011 10:50:47 PM | Computer Name = ALEX | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126
Error - 4/20/2011 10:50:47 PM | Computer Name = ALEX | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126
< End of report >
Download CKScanner by askey127 from Here (http://downloads.malwareremoval.com/CKScanner.exe) & save it to your Desktop.
Double-click CKScanner.exe, then click Search For Files
When the cursor hourglass disappears, click Save List To File
A message box will verify the file saved
Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
soul4soul
2011-04-28, 04:29
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----
One more scanner and you will be good to go
ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan
*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
soul4soul
2011-04-28, 17:37
no threats found.
I did a scan with Spybot (I didn't fix the problem). It still finds Click.GiftLoad. I don't get Google redirects anymore and my start-up time seems like it's close to normal. I have 8 svchost.exes running (don't know how many there are supposed to be). I feel like Firefox is still slow and unresponsive when first starting up, but other than that things appear to be back to normal.
You may want to open up Firefox and disable some of your add-ons; you may have one that's causing problems.
svchost is a normal part of Windows unless it's been disguised as a virus, like the one for Click.GiftLoad.
This should remove it
Open OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:processes
killallprocesses
:OTL
:Services
:Reg
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
"svchost.exe"=-
:Files
ipconfig /release /c
ipconfig /renew /c
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
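Added example, not part of the thread or of OTL: a read-only PowerShell check (assumes PowerShell 2.0 or later and an administrative session) that lists every FEATURE_BROWSER_EMULATION value under HKLM and each loaded HKU hive and flags values named after core Windows processes, such as the svchost.exe entry the fix above deletes, so the result of the fix can be verified and the same spot re-checked later. The list of process names is constructed for this example.

```powershell
# Added example, not from the thread or from OTL: read-only inspection of the
# FEATURE_BROWSER_EMULATION keys that the OTL fix above cleans.
# Assumes PowerShell 2.0+ and an administrative session so that all loaded
# user hives under HKEY_USERS can be read.

$subKey = 'Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'

# Constructed list: core Windows processes that no legitimate installer
# registers for IE emulation. A value named after one of these (like the
# "svchost.exe" entry the fix removes) is a masquerade and deserves a look.
$systemNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'smss.exe')

# Expose HKEY_USERS as a drive; HKLM: and HKCU: already exist by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# HKLM plus every loaded user hive (.DEFAULT, S-1-5-18, S-1-5-21-..., and so on).
$roots = @('HKLM:') + @(Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
                        ForEach-Object { $_.PSPath })

$findings = @()
foreach ($root in $roots) {
    $path = "$root\$subKey"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $key = Get-Item -LiteralPath $path
    foreach ($name in $key.GetValueNames()) {
        $shown = if ($name -eq '') { '(Default)' } else { $name }
        $value = $key.GetValue($name)
        # Flag only names that impersonate a core Windows process.
        $suspicious = $systemNames -contains $name.ToLower()
        $findings += New-Object PSObject -Property @{
            Path       = $path
            Name       = $shown
            Value      = $value
            Suspicious = $suspicious
        }
    }
}

if ($findings.Count -eq 0) {
    'No FEATURE_BROWSER_EMULATION values found in any loaded hive.'
} else {
    # Suspicious entries sort to the top of the report.
    $findings | Sort-Object Suspicious -Descending |
        Format-Table Suspicious, Name, Value, Path -AutoSize
}
```

After the OTL fix has run, the HKU\.DEFAULT entry for svchost.exe should no longer appear in this output; the script changes nothing itself.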
soul4soul
2011-04-28, 23:26
All processes killed
========== PROCESSES ==========
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\\svchost.exe deleted successfully.
========== FILES ==========
< ipconfig /release /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\Lord\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Lord\Desktop\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : home
IP Address. . . . . . . . . . . . : 192.168.1.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Documents and Settings\Lord\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Lord\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Lord\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Lord\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: LocalService
->Temp folder emptied: 65716 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 7235 bytes
User: Lord
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 57921995 bytes
->Flash cache emptied: 13203 bytes
User: NetworkService
->Temp folder emptied: 13942 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 45104 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 889314 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4156438 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 60.00 mb
OTL by OldTimer - Version 3.2.22.3 log created on 04282011_161725
Files\Folders moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_834.dat moved successfully.
Registry entries deleted on Reboot...
soul4soul
2011-04-28, 23:58
Oh, I only have 3 Firefox add-ons. I've tried it a few times now and it's starting to get better.
OTL logfile created on: 4/28/2011 4:53:45 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Lord\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.77 Gb Total Space | 142.50 Gb Free Space | 61.22% Space Free | Partition Type: NTFS
Computer Name: ALEX | User Name: Lord | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Lord\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe (CinemaNow, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Lord\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (RoxWatch11) -- File not found
SRV - (RoxMediaDB11) -- File not found
SRV - (RoxLiveShare11) -- File not found
SRV - (Roxio Upnp Server 11) -- File not found
SRV - (Roxio UPnP Renderer 11) -- File not found
SRV - (getPlus(R) Helper) getPlus(R) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) -- File not found
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV - (KMService) -- C:\WINDOWS\system32\srvany.exe ()
SRV - (RoxWatch12) -- C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe (Sonic Solutions)
SRV - (RoxMediaDB12) -- C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe (Sonic Solutions)
SRV - (CinemaNow Service) -- C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe (CinemaNow, Inc.)
========== Driver Services (SafeList) ==========
DRV - (c2scsi) -- C:\WINDOWS\System32\drivers\c2scsi.sys (Sonic Solutions)
DRV - (SaibVd32) -- C:\WINDOWS\system32\drivers\SaibVd32.sys (Sonic Solutions)
DRV - (SahdIa32) -- C:\WINDOWS\System32\Drivers\SahdIa32.sys (Sonic Solutions)
DRV - (SaibIa32) -- C:\WINDOWS\System32\Drivers\SaibIa32.sys (Sonic Solutions)
DRV - (RsFx0103) -- C:\WINDOWS\system32\drivers\RsFx0103.sys (Microsoft Corporation)
DRV - (RxFilter) -- C:\WINDOWS\system32\drivers\RxFilter.sys (Sonic Solutions)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (LHidKe) -- C:\WINDOWS\system32\drivers\LHidKE.Sys (Logitech Inc.)
DRV - (LMouKE) -- C:\WINDOWS\system32\drivers\LMouKE.Sys (Logitech Inc.)
DRV - (TIEHDUSB) -- C:\WINDOWS\system32\drivers\tiehdusb.sys (Texas Instruments Incorporated)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
========== FireFox ==========
FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.order.2: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 55273
FF - prefs.js..network.proxy.no_proxies_on: ""
FF - prefs.js..network.proxy.ssl: "localhost"
FF - prefs.js..network.proxy.ssl_port: 8888
FF - prefs.js..network.proxy.type: 0
FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/05/21 10:56:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2011/04/01 11:52:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/21 13:58:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
[2010/07/09 09:54:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Extensions
[2011/03/11 10:34:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\extensions
[2010/04/28 15:14:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/22 13:45:06 | 000,000,000 | ---D | M] (RedShift V3) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\extensions\redshift_V2@shift-themes.com
[2009/08/01 23:16:25 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\searchplugins\search-the-web.xml
[2011/04/21 13:58:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\LORD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NS2O3OUY.DEFAULT\EXTENSIONS\{CD6C4EBF-366E-45A0-98B5-B8217288EED7}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\LORD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NS2O3OUY.DEFAULT\EXTENSIONS\TESTPILOT@LABS.MOZILLA.COM.XPI
[2010/04/08 06:58:22 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/03/18 13:53:24 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
O1 HOSTS File: ([2011/04/28 16:17:33 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Oracle)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No CLSID value found.
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - Startup: C:\Documents and Settings\Lord\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_21.dll (Oracle)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: cinemanow.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: cinemanow.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: qflix.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: roxio.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: sonic.com ([redirect] http in Trusted sites)
O15 - HKU\S-1-5-21-3908872593-1432629759-1091945336-1006\..Trusted Domains: sonic.com ([redirect2] http in Trusted sites)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.237.161.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Dell.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/04/28 16:17:25 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/28 08:15:04 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/04/28 08:13:20 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Lord\Desktop\esetsmartinstaller_enu.exe
[2011/04/27 15:55:01 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lord\Desktop\OTL.exe
[2011/04/27 09:02:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2011/04/27 08:55:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/04/27 08:54:59 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Lord\Desktop\ATF-Cleaner.exe
[2011/04/25 21:25:52 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/25 21:25:52 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/25 21:25:52 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/25 21:25:52 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/25 21:25:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/25 20:08:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\tdsskiller
[2011/04/23 12:57:02 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/23 12:57:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/23 12:56:42 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Lord\Desktop\erunt-setup.exe
[2011/04/22 22:25:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/04/22 20:54:25 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Lord\Recent
[2011/04/22 20:10:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/22 20:06:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/22 13:01:58 | 000,000,000 | ---D | C] -- C:\Program Files\CP-Autos
[2011/04/22 12:22:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/22 12:22:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/04/21 18:06:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2011/04/21 17:44:47 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2011/04/21 17:44:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Microsoft
[2011/04/21 17:39:24 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio 8
[2011/04/21 17:26:20 | 000,000,000 | R--D | C] -- C:\MSOCache
[2011/04/21 13:58:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/04/21 12:27:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\Malwarebytes
[2011/04/21 12:27:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/21 12:27:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/21 12:27:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/21 12:27:02 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/21 12:27:02 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/21 12:04:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/04/21 12:04:26 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/04/21 12:04:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/04/21 10:51:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2011/04/21 10:50:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/20 23:43:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Local Settings\Application Data\Microsoft Help
[2011/04/20 23:35:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2011/04/20 15:02:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\(DONE) African Diaspora Mathematics Compendium, Volume 4-ALL LATEX
[2011/04/20 14:04:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\Help
[2011/04/20 12:54:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/20 12:54:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/20 12:00:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sonic
[2011/04/19 16:30:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\world
[2011/04/18 17:39:12 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/04/15 18:01:01 | 000,050,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
[2011/04/15 18:00:47 | 000,079,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
[2011/04/15 17:59:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\RsFx
[2011/04/15 17:56:37 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2011/04/15 15:18:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\TweakNow RegCleaner 2011
[2011/04/12 14:53:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Products
[2011/04/12 13:05:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Local Settings\Application Data\Adobe
[2011/04/12 12:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\Adobe
[2011/04/12 12:31:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/04/12 09:32:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\Transmission Lines Theory, Types and Applications
[2011/04/08 18:19:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\symbols
[2011/04/08 18:19:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Help Viewer
[2011/04/06 16:20:16 | 000,107,808 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\dns-sd.exe
[2011/04/06 16:20:16 | 000,091,424 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\dnssd.dll
[2011/04/04 22:45:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Local Settings\Application Data\PCTeX
[2011/04/04 22:45:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PCTeX
[2011/04/04 22:44:54 | 000,000,000 | ---D | C] -- C:\Program Files\PCTeX
[2011/04/01 16:53:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\My Documents\My PCTeX Files
[2011/04/01 12:36:42 | 000,000,000 | ---D | C] -- C:\Program Files\Ghostgum
[2011/04/01 12:32:30 | 000,000,000 | ---D | C] -- C:\Program Files\gs
[2011/04/01 11:53:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe
[2011/04/01 11:50:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe-BackupByPhotoshopCS5Portable
[2011/04/01 11:50:08 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/03/31 10:18:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\Machine Tools Design, Reliability and Safety
[2011/03/31 10:18:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\Advances in Sociology Research Volume 10
========== Files - Modified Within 30 Days ==========
[2011/04/28 16:26:06 | 000,235,289 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2011/04/28 16:24:29 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/04/28 16:19:18 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
[2011/04/28 16:19:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/28 16:19:13 | 2145,566,720 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/28 16:17:33 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/04/28 08:13:22 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Lord\Desktop\esetsmartinstaller_enu.exe
[2011/04/27 18:23:02 | 000,004,608 | ---- | M] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/27 18:13:21 | 000,453,632 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\CKScanner.exe
[2011/04/27 15:55:01 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lord\Desktop\OTL.exe
[2011/04/27 08:55:00 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Lord\Desktop\ATF-Cleaner.exe
[2011/04/25 21:24:11 | 004,330,054 | R--- | M] () -- C:\Documents and Settings\Lord\Desktop\Combo-Fix.exe
[2011/04/25 20:08:04 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\tdsskiller.zip
[2011/04/25 20:04:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/23 13:01:47 | 000,003,801 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\Attach.zip
[2011/04/23 12:57:30 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\dds.scr
[2011/04/23 12:57:04 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Lord\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/04/23 12:57:02 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\ERUNT.lnk
[2011/04/23 12:56:43 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Lord\Desktop\erunt-setup.exe
[2011/04/23 12:31:24 | 000,340,240 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/22 20:11:06 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/04/22 20:09:42 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/22 18:37:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
[2011/04/21 13:58:48 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Lord\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/21 13:58:48 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/04/21 12:27:06 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/21 12:04:30 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\Spybot - Search & Destroy.lnk
[2011/04/20 13:10:49 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/04/20 07:14:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/04/18 18:53:58 | 000,000,019 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2011/04/18 18:32:29 | 000,630,932 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/18 18:32:29 | 000,136,800 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/18 17:44:31 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/12 12:43:14 | 000,011,495 | ---- | M] () -- C:\Documents and Settings\Lord\gsview32.ini
[2011/04/09 23:23:58 | 000,000,165 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2011/04/09 22:52:51 | 000,001,542 | -HS- | M] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/09 22:52:51 | 000,001,542 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/08 16:42:37 | 000,002,373 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\Remere's Map Editor.lnk
[2011/04/06 16:20:16 | 000,107,808 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\dns-sd.exe
[2011/04/06 16:20:16 | 000,091,424 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\dnssd.dll
[2011/04/04 22:45:04 | 000,000,750 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\PCTeXv5.lnk
[2011/04/04 18:17:40 | 000,014,910 | -HS- | M] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\0810l5u6odc6bt4h
[2011/04/04 18:17:40 | 000,014,910 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0810l5u6odc6bt4h
[2011/04/03 12:03:59 | 000,014,183 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\test.otbm
[2011/04/01 16:25:00 | 000,000,043 | ---- | M] () -- C:\WINDOWS\gswin32.ini
========== Files Created - No Company Name ==========
[2011/04/27 18:13:20 | 000,453,632 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\CKScanner.exe
[2011/04/25 21:25:52 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/25 21:25:52 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/25 21:25:52 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/25 21:25:52 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/25 21:25:52 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/25 21:24:05 | 004,330,054 | R--- | C] () -- C:\Documents and Settings\Lord\Desktop\Combo-Fix.exe
[2011/04/25 20:07:59 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\tdsskiller.zip
[2011/04/25 20:04:06 | 2145,566,720 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/23 13:01:47 | 000,003,801 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\Attach.zip
[2011/04/23 12:57:30 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\dds.scr
[2011/04/23 12:57:04 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Lord\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/04/23 12:57:02 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\ERUNT.lnk
[2011/04/22 20:11:01 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/21 13:58:48 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Lord\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/21 13:58:48 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/04/21 13:50:40 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/21 12:27:06 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/21 12:04:30 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\Spybot - Search & Destroy.lnk
[2011/04/20 14:02:01 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/20 13:10:49 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/04/09 23:23:58 | 000,000,165 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2011/04/09 22:52:43 | 000,001,542 | -HS- | C] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/09 22:52:43 | 000,001,542 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/04 22:45:04 | 000,000,750 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\PCTeXv5.lnk
[2011/04/04 18:15:55 | 000,014,910 | -HS- | C] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\0810l5u6odc6bt4h
[2011/04/04 18:15:55 | 000,014,910 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0810l5u6odc6bt4h
[2011/04/03 11:15:30 | 000,014,183 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\test.otbm
[2011/04/01 16:25:00 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2011/04/01 12:36:46 | 000,011,495 | ---- | C] () -- C:\Documents and Settings\Lord\gsview32.ini
[2011/02/06 11:34:25 | 009,566,435 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3908872593-1432629759-1091945336-1006-0.dat
[2011/02/06 11:34:10 | 000,347,274 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2010/09/27 20:40:55 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\srvany.exe
[2010/07/09 00:20:09 | 001,708,496 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/20 20:08:14 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/01/26 20:10:47 | 000,055,809 | ---- | C] () -- C:\WINDOWS\CP-FPCOS100.dll
[2009/12/04 15:07:54 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/23 22:09:27 | 000,000,019 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2009/06/21 11:53:14 | 000,000,025 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2009/06/10 08:29:34 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/06/10 08:29:34 | 001,657,376 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2009/06/10 08:29:34 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/06/10 08:29:34 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/06/10 08:29:34 | 000,449,056 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2009/06/10 08:29:34 | 000,436,768 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2009/06/10 08:29:32 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/06/10 06:03:00 | 001,580,550 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/03/07 13:41:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2009/01/25 01:45:09 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2009/01/24 13:25:42 | 000,000,039 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2008/10/13 15:48:47 | 000,072,516 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2008/08/12 09:29:05 | 001,245,696 | ---- | C] () -- C:\WINDOWS\System32\QtNetwork4.dll
[2008/08/12 09:29:05 | 000,505,344 | ---- | C] () -- C:\WINDOWS\System32\QtXml4.dll
[2008/08/01 10:16:24 | 000,063,984 | ---- | C] () -- C:\WINDOWS\DVDRGN.EXE
[2008/07/29 15:50:13 | 000,000,022 | ---- | C] () -- C:\WINDOWS\msnmsgr.exe.ini
[2008/06/21 12:44:05 | 010,436,608 | ---- | C] () -- C:\WINDOWS\System32\QtGui4.dll
[2008/06/21 12:44:05 | 002,660,864 | ---- | C] () -- C:\WINDOWS\System32\QtCore4.dll
[2008/06/21 12:44:05 | 000,015,960 | ---- | C] () -- C:\WINDOWS\System32\mingwm10.dll
[2008/05/22 15:52:33 | 000,001,160 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/05/21 22:32:49 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/21 21:55:45 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2008/05/21 20:59:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/05/16 19:08:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/05/16 19:04:37 | 000,000,611 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/05/16 18:45:26 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2008/05/16 18:44:22 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 14:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 14:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 14:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 14:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 13:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 13:57:15 | 000,340,240 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 13:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 13:51:20 | 000,630,932 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 13:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 13:51:20 | 000,136,800 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 13:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 13:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 13:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 13:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 13:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 13:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 13:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 13:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/01/30 16:07:46 | 000,245,408 | ---- | C] () -- C:\WINDOWS\System32\unicows.dll
========== Alternate Data Streams ==========
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Lord\My Documents\just stuff.lua:DocumentSummaryInformation
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Lord\Desktop\template.dmsd:Roxio EMC Stream
@Alternate Data Stream - 48 bytes -> C:\Documents and Settings\All Users\DRM:مايكروسوفت
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\Lord\My Documents\just stuff.lua:SummaryInformation
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\Lord\My Documents\its my life.doc:SummaryInformation
< End of report >
soul4soul
2011-04-29, 18:55
Hey, didn't mean to take so long to respond; I've just been testing and using my PC, making sure it's all back to normal. It seems alright. MS Office will only open my old files in safe mode, but besides that my system seems good. Ran another scan with Spybot and nothing showed up.
I missed what you have done. Did you reinstall Windows?
Run another scan with ESET
ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan
*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the [ESET Online Scanner] button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on [ESET Smart Installer] to download the ESET Smart Installer. Save it to your desktop.
Double click on the [esetsmartinstaller_enu] icon on your desktop.
Check [YES, I accept the Terms of Use]
Click the [Start] button.
Accept any security warnings from your browser.
Check [Scan archives]
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push [List of found threats]
Push [Export to text file], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the [Back] button.
Push [Finish]
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
soul4soul
2011-04-29, 23:29
no i didnt reinstall windows. just finished the scan nothing showed up.
Drag ComboFix to the trash and let's download a fresh copy.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
soul4soul
2011-04-30, 00:41
Here you go, the new ComboFix log:
ComboFix 11-04-29.02 - Lord 04/29/2011 17:30:00.3.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1319 [GMT -4:00]
Running from: c:\documents and settings\Lord\Desktop\Com-boFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-29 )))))))))))))))))))))))))))))))
.
.
2011-04-29 15:28 . 2011-04-29 15:28 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8163993A-6F08-4E99-99F1-5CCE44669335}\MpKsl38d01e17.sys
2011-04-29 01:35 . 2011-04-18 13:15 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8163993A-6F08-4E99-99F1-5CCE44669335}\mpengine.dll
2011-04-28 20:17 . 2011-04-28 20:17 -------- d-----w- C:\_OTL
2011-04-28 12:15 . 2011-04-28 12:15 -------- d-----w- c:\program files\ESET
2011-04-22 17:01 . 2011-04-22 17:01 -------- d-----w- c:\program files\CP-Autos
2011-04-21 21:44 . 2011-04-21 21:44 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-04-21 21:44 . 2011-04-21 21:44 -------- d-----w- c:\documents and settings\All Users\Microsoft
2011-04-21 21:39 . 2011-04-21 21:39 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-04-21 21:26 . 2011-04-21 21:26 -------- d-----r- C:\MSOCache
2011-04-21 16:27 . 2011-04-21 16:27 -------- d-----w- c:\documents and settings\Lord\Application Data\Malwarebytes
2011-04-21 16:27 . 2011-04-21 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-21 16:27 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-21 16:27 . 2011-04-21 16:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-21 16:27 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 16:04 . 2011-04-23 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-21 16:04 . 2011-04-21 16:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-21 03:43 . 2011-04-21 03:43 -------- d-----w- c:\documents and settings\Lord\Local Settings\Application Data\Microsoft Help
2011-04-20 18:04 . 2011-04-20 18:04 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 17:39 . 2011-04-21 14:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-04-20 16:00 . 2011-04-20 16:00 -------- d-----w- c:\windows\Sonic
2011-04-18 21:39 . 2011-04-18 21:39 -------- d-----w- c:\program files\Bonjour
2011-04-15 22:01 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-04-15 22:00 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-04-15 21:59 . 2011-04-15 21:59 -------- d-----w- c:\windows\system32\RsFx
2011-04-15 21:56 . 2011-04-15 21:59 -------- d-----w- c:\program files\Microsoft SQL Server
2011-04-15 19:18 . 2011-04-21 15:00 -------- d-----w- c:\documents and settings\Lord\Application Data\TweakNow RegCleaner 2011
2011-04-12 17:05 . 2011-04-12 17:05 -------- d-----w- c:\documents and settings\Lord\Local Settings\Application Data\Adobe
2011-04-12 16:31 . 2011-04-12 17:07 -------- d-----w- c:\program files\Common Files\Adobe
2011-04-10 03:34 . 2011-04-10 03:34 112832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
2011-04-08 22:19 . 2011-04-08 22:19 -------- d-----w- c:\windows\symbols
2011-04-08 22:19 . 2011-04-08 22:19 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-05 02:45 . 2011-04-05 02:45 -------- d-----w- c:\documents and settings\Lord\Local Settings\Application Data\PCTeX
2011-04-05 02:44 . 2011-04-05 02:44 -------- d-----w- c:\program files\PCTeX
2011-04-01 16:36 . 2011-04-01 16:36 -------- d-----w- c:\program files\Ghostgum
2011-04-01 16:32 . 2011-04-01 16:32 -------- d-----w- c:\program files\gs
2011-04-01 15:50 . 2011-04-12 16:38 -------- d-----w- c:\program files\Common Files\Adobe-BackupByPhotoshopCS5Portable
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-18 13:15 . 2010-08-05 13:06 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2004-08-10 18:02 692736 ------w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-10 17:51 434176 ------w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 17:51 1857920 ------w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2004-08-10 17:51 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2004-08-10 17:51 61952 ------w- c:\windows\system32\tdc.ocx
2011-02-17 13:51 . 2004-08-10 17:51 81920 ------w- c:\windows\system32\ieencode.dll
2011-02-17 13:18 . 2004-08-10 17:51 455936 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 17:51 357888 ------w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-10 17:51 369664 ------w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-04-16 19:04 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-10 17:50 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2004-08-10 18:01 229888 ------w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2004-08-10 17:51 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-10 17:51 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-10 17:51 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 17:51 974848 ------w- c:\windows\system32\mfc42u.dll
2011-02-02 22:11 . 2010-04-23 18:00 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-10 18:01 2067456 ------w- c:\windows\system32\mstscax.dll
2011-04-29 00:40 . 2011-04-21 17:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-26_01.39.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-29 15:28 . 2011-04-29 15:28 16384 c:\windows\Temp\Perflib_Perfdata_8e4.dat
+ 2011-04-29 15:28 . 2011-04-29 15:28 16384 c:\windows\Temp\Perflib_Perfdata_31c.dat
+ 2010-06-04 15:07 . 2011-04-27 13:02 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2010-06-04 15:07 . 2011-02-15 21:00 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2011-04-29 15:28 . 2011-04-29 15:28 331776 c:\windows\ERDNT\AutoBackup\4-29-2011\Users\00000002\UsrClass.dat
+ 2011-04-29 15:28 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\4-29-2011\ERDNT.EXE
+ 2011-04-28 12:11 . 2011-04-28 12:11 331776 c:\windows\ERDNT\AutoBackup\4-28-2011\Users\00000002\UsrClass.dat
+ 2011-04-28 12:11 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\4-28-2011\ERDNT.EXE
+ 2011-04-27 12:52 . 2011-04-27 12:52 331776 c:\windows\ERDNT\AutoBackup\4-27-2011\Users\00000002\UsrClass.dat
+ 2011-04-27 12:52 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\4-27-2011\ERDNT.EXE
+ 2011-04-26 17:45 . 2011-04-26 17:45 331776 c:\windows\ERDNT\AutoBackup\4-26-2011\Users\00000002\UsrClass.dat
+ 2011-04-26 17:45 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\4-26-2011\ERDNT.EXE
+ 2008-05-22 01:11 . 2011-04-18 19:46 42181064 c:\windows\system32\MRT.exe
+ 2011-04-27 13:02 . 2011-04-27 13:02 20314624 c:\windows\Installer\9c5ec.msp
+ 2011-04-29 15:28 . 2011-04-29 15:28 17956864 c:\windows\ERDNT\AutoBackup\4-29-2011\Users\00000001\ntuser.dat
+ 2011-04-28 12:11 . 2011-04-28 12:11 17956864 c:\windows\ERDNT\AutoBackup\4-28-2011\Users\00000001\ntuser.dat
+ 2011-04-27 12:52 . 2011-04-27 12:52 17948672 c:\windows\ERDNT\AutoBackup\4-27-2011\Users\00000001\ntuser.dat
+ 2011-04-26 17:45 . 2011-04-26 17:45 17948672 c:\windows\ERDNT\AutoBackup\4-26-2011\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
.
c:\documents and settings\Lord\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 23:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 18:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-06-10 12:28 13758464 ------w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-05-28 21:32 16132608 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-21 14:55 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
"c:\\Program Files\\Roxio 2010\\Venue\\Venue.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\UniServer\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
"c:\\UniServer\\usr\\local\\apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [3/3/2009 5:47 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [3/3/2009 5:47 PM 15856]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [6/29/2009 4:07 PM 244608]
R1 MpKsl38d01e17;MpKsl38d01e17;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8163993A-6F08-4E99-99F1-5CCE44669335}\MpKsl38d01e17.sys [4/29/2011 11:28 AM 28752]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [3/3/2009 5:47 PM 25584]
R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [6/23/2009 5:40 PM 127352]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S1 MpKsl2367828d;MpKsl2367828d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D425190-4599-4DA0-8E2E-4EE5EC030BA3}\MpKsl2367828d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D425190-4599-4DA0-8E2E-4EE5EC030BA3}\MpKsl2367828d.sys [?]
S1 MpKsla5c5fa87;MpKsla5c5fa87;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D169990F-BC33-4B6B-82B7-63FD0528929B}\MpKsla5c5fa87.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D169990F-BC33-4B6B-82B7-63FD0528929B}\MpKsla5c5fa87.sys [?]
S1 MpKslb0fe2e80;MpKslb0fe2e80;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E0E98532-B5D7-4909-99D2-D34B8A22CBB6}\MpKslb0fe2e80.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E0E98532-B5D7-4909-99D2-D34B8A22CBB6}\MpKslb0fe2e80.sys [?]
S1 MpKslbf8fe406;MpKslbf8fe406;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA88CD10-8669-4943-BEFF-1157A933CA7C}\MpKslbf8fe406.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CA88CD10-8669-4943-BEFF-1157A933CA7C}\MpKslbf8fe406.sys [?]
S1 MpKslcefc53da;MpKslcefc53da;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DC3CA08-2D57-46E5-8955-C1F1CB43D965}\MpKslcefc53da.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8DC3CA08-2D57-46E5-8955-C1F1CB43D965}\MpKslcefc53da.sys [?]
S1 MpKsldf37030e;MpKsldf37030e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B6C30763-7F6C-421B-B864-DAA92D8CF64B}\MpKsldf37030e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B6C30763-7F6C-421B-B864-DAA92D8CF64B}\MpKsldf37030e.sys [?]
S1 MpKsle49a001f;MpKsle49a001f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9EF5287B-A0B5-4213-8CCC-4D7DC910CA46}\MpKsle49a001f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9EF5287B-A0B5-4213-8CCC-4D7DC910CA46}\MpKsle49a001f.sys [?]
S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe --> c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 KMService;KMService;c:\windows\system32\srvany.exe [9/27/2010 8:40 PM 8192]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;"c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe" --> c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUpnpService11.exe [?]
S2 RoxLiveShare11;LiveShare P2P Server 11;"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe" --> c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [?]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe" --> c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [7/24/2009 8:33 AM 219632]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009 Ultimate\Digital Home 11\RoxioUPnPRenderer11.exe [?]
S3 RoxMediaDB11;RoxMediaDB11;"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe" --> c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [?]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [7/24/2009 8:33 AM 1116656]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 11:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL38D01E17
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-04-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-04-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-04-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uLocal Page =
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
FF - ProfilePath - c:\documents and settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55273
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 8888
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-29 17:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3908872593-1432629759-1091945336-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1616)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-29 17:40:01
ComboFix-quarantined-files.txt 2011-04-29 21:39
.
Pre-Run: 152,864,915,456 bytes free
Post-Run: 152,847,413,248 bytes free
.
- - End Of File - - 6973EBEAEAC07862105F2F9CF578D61C
Looking good, maybe that infection is gone; let's hope so. Let's do this: use your computer for a few days, then run OTL and post a new log, and let's see if anything returned.
soul4soul
2011-04-30, 01:31
Thanks for the help so far. I'll post back Sunday morning; that should give me enough time to test everything out and see how my system runs.
OK, let me know how it goes.
soul4soul
2011-05-01, 20:20
Hey, I've been using my computer quite a bit and everything seems back to normal. This is the OTL log:
OTL logfile created on: 5/1/2011 1:16:12 PM - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Lord\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.77 Gb Total Space | 141.88 Gb Free Space | 60.95% Space Free | Partition Type: NTFS
Computer Name: ALEX | User Name: Lord | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Documents and Settings\Lord\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe (CinemaNow, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Lord\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (RoxWatch11) -- File not found
SRV - (RoxMediaDB11) -- File not found
SRV - (RoxLiveShare11) -- File not found
SRV - (Roxio Upnp Server 11) -- File not found
SRV - (Roxio UPnP Renderer 11) -- File not found
SRV - (getPlus(R) Helper) getPlus(R) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) -- File not found
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SRV - (KMService) -- C:\WINDOWS\system32\srvany.exe ()
SRV - (RoxWatch12) -- C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe (Sonic Solutions)
SRV - (RoxMediaDB12) -- C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe (Sonic Solutions)
SRV - (CinemaNow Service) -- C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe (CinemaNow, Inc.)
========== Driver Services (SafeList) ==========
DRV - (MpKsl091baa0e) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{58C727EF-A49F-4064-8AAC-1413F3A68977}\MpKsl091baa0e.sys (Microsoft Corporation)
DRV - (c2scsi) -- C:\WINDOWS\System32\drivers\c2scsi.sys (Sonic Solutions)
DRV - (SaibVd32) -- C:\WINDOWS\system32\drivers\SaibVd32.sys (Sonic Solutions)
DRV - (SahdIa32) -- C:\WINDOWS\System32\Drivers\SahdIa32.sys (Sonic Solutions)
DRV - (SaibIa32) -- C:\WINDOWS\System32\Drivers\SaibIa32.sys (Sonic Solutions)
DRV - (RsFx0103) -- C:\WINDOWS\system32\drivers\RsFx0103.sys (Microsoft Corporation)
DRV - (RxFilter) -- C:\WINDOWS\system32\drivers\RxFilter.sys (Sonic Solutions)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (LHidKe) -- C:\WINDOWS\system32\drivers\LHidKE.Sys (Logitech Inc.)
DRV - (LMouKE) -- C:\WINDOWS\system32\drivers\LMouKE.Sys (Logitech Inc.)
DRV - (TIEHDUSB) -- C:\WINDOWS\system32\drivers\tiehdusb.sys (Texas Instruments Incorporated)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080517
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
========== FireFox ==========
FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.order.2: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 55273
FF - prefs.js..network.proxy.no_proxies_on: ""
FF - prefs.js..network.proxy.ssl: "localhost"
FF - prefs.js..network.proxy.ssl_port: 8888
FF - prefs.js..network.proxy.type: 0
FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/05/21 10:56:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2011/04/01 11:52:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/28 20:40:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
[2010/07/09 09:54:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Extensions
[2011/03/11 10:34:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\extensions
[2010/04/28 15:14:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/22 13:45:06 | 000,000,000 | ---D | M] (RedShift V3) -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\extensions\redshift_V2@shift-themes.com
[2009/08/01 23:16:25 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Lord\Application Data\Mozilla\Firefox\Profiles\ns2o3ouy.default\searchplugins\search-the-web.xml
[2011/04/21 13:58:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\LORD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NS2O3OUY.DEFAULT\EXTENSIONS\{CD6C4EBF-366E-45A0-98B5-B8217288EED7}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\LORD\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\NS2O3OUY.DEFAULT\EXTENSIONS\TESTPILOT@LABS.MOZILLA.COM.XPI
[2010/04/08 06:58:22 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/04/28 20:40:49 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
O1 HOSTS File: ([2011/04/28 16:17:33 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Oracle)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No CLSID value found.
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - Startup: C:\Documents and Settings\Lord\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_21.dll (Oracle)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: cinemanow.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: cinemanow.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: qflix.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: roxio.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: sonic.com ([redirect] http in Trusted sites)
O15 - HKCU\..Trusted Domains: sonic.com ([redirect2] http in Trusted sites)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.237.161.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Dell.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/04/30 21:39:53 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/04/28 16:17:25 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/28 08:13:20 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Lord\Desktop\esetsmartinstaller_enu.exe
[2011/04/27 15:55:01 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lord\Desktop\OTL.exe
[2011/04/27 08:54:59 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Lord\Desktop\ATF-Cleaner.exe
[2011/04/25 21:25:52 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/25 21:25:52 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/25 21:25:52 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/25 21:25:52 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/25 21:25:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/25 20:08:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\tdsskiller
[2011/04/23 12:57:02 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/04/23 12:57:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2011/04/23 12:56:42 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Lord\Desktop\erunt-setup.exe
[2011/04/22 22:25:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/04/22 20:54:25 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Lord\Recent
[2011/04/22 20:10:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/22 20:06:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/22 13:01:58 | 000,000,000 | ---D | C] -- C:\Program Files\CP-Autos
[2011/04/22 12:22:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/22 12:22:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/04/21 18:06:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2011/04/21 17:44:47 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2011/04/21 17:44:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Microsoft
[2011/04/21 17:39:24 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio 8
[2011/04/21 17:26:20 | 000,000,000 | R--D | C] -- C:\MSOCache
[2011/04/21 13:58:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2011/04/21 12:27:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\Malwarebytes
[2011/04/21 12:27:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/21 12:27:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/21 12:27:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/21 12:27:02 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/21 12:27:02 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/21 12:04:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/04/21 12:04:26 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/04/21 12:04:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/04/21 10:51:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2011/04/21 10:50:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/20 23:43:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Local Settings\Application Data\Microsoft Help
[2011/04/20 23:35:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2011/04/20 15:02:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\(DONE) African Diaspora Mathematics Compendium, Volume 4-ALL LATEX
[2011/04/20 14:04:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\Help
[2011/04/20 12:54:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/20 12:54:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/20 12:00:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sonic
[2011/04/19 16:30:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\world
[2011/04/18 17:39:12 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/04/15 18:01:01 | 000,050,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
[2011/04/15 18:00:47 | 000,079,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
[2011/04/15 17:59:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\RsFx
[2011/04/15 17:56:37 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2011/04/15 15:18:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\TweakNow RegCleaner 2011
[2011/04/12 14:53:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Products
[2011/04/12 13:05:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Local Settings\Application Data\Adobe
[2011/04/12 12:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Application Data\Adobe
[2011/04/12 12:31:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/04/12 09:32:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Desktop\Transmission Lines Theory, Types and Applications
[2011/04/08 18:19:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\symbols
[2011/04/08 18:19:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Help Viewer
[2011/04/06 16:20:16 | 000,107,808 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\dns-sd.exe
[2011/04/06 16:20:16 | 000,091,424 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\dnssd.dll
[2011/04/04 22:45:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\Local Settings\Application Data\PCTeX
[2011/04/04 22:45:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PCTeX
[2011/04/04 22:44:54 | 000,000,000 | ---D | C] -- C:\Program Files\PCTeX
[2011/04/01 16:53:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lord\My Documents\My PCTeX Files
========== Files - Modified Within 30 Days ==========
[2011/05/01 11:03:41 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/01 10:58:29 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
[2011/05/01 10:58:25 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-3908872593-1432629759-1091945336-1006.job
[2011/05/01 10:58:16 | 000,235,289 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2011/05/01 10:58:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/01 10:58:07 | 2145,566,720 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/29 17:25:48 | 004,333,524 | R--- | M] () -- C:\Documents and Settings\Lord\Desktop\Com-boFix.exe
[2011/04/28 16:17:33 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/04/28 08:13:22 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Lord\Desktop\esetsmartinstaller_enu.exe
[2011/04/27 18:23:02 | 000,004,608 | ---- | M] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/27 18:13:21 | 000,453,632 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\CKScanner.exe
[2011/04/27 15:55:01 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lord\Desktop\OTL.exe
[2011/04/27 08:55:00 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Lord\Desktop\ATF-Cleaner.exe
[2011/04/25 20:08:04 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\tdsskiller.zip
[2011/04/25 20:04:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/23 13:01:47 | 000,003,801 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\Attach.zip
[2011/04/23 12:57:30 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\dds.scr
[2011/04/23 12:57:04 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Lord\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/04/23 12:57:02 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\ERUNT.lnk
[2011/04/23 12:56:43 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Lord\Desktop\erunt-setup.exe
[2011/04/23 12:31:24 | 000,340,240 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/22 20:11:06 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/04/22 20:09:42 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/21 13:58:48 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Lord\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/21 13:58:48 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/04/21 12:27:06 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/21 12:04:30 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\Spybot - Search & Destroy.lnk
[2011/04/20 13:10:49 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/04/20 07:14:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/04/18 18:53:58 | 000,000,019 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2011/04/18 18:32:29 | 000,630,932 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/18 18:32:29 | 000,136,800 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/18 17:44:31 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/12 12:43:14 | 000,011,495 | ---- | M] () -- C:\Documents and Settings\Lord\gsview32.ini
[2011/04/09 23:23:58 | 000,000,165 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2011/04/09 22:52:51 | 000,001,542 | -HS- | M] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/09 22:52:51 | 000,001,542 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/08 16:42:37 | 000,002,373 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\Remere's Map Editor.lnk
[2011/04/06 16:20:16 | 000,107,808 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\dns-sd.exe
[2011/04/06 16:20:16 | 000,091,424 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\dnssd.dll
[2011/04/04 22:45:04 | 000,000,750 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\PCTeXv5.lnk
[2011/04/04 18:17:40 | 000,014,910 | -HS- | M] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\0810l5u6odc6bt4h
[2011/04/04 18:17:40 | 000,014,910 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0810l5u6odc6bt4h
[2011/04/03 12:03:59 | 000,014,183 | ---- | M] () -- C:\Documents and Settings\Lord\Desktop\test.otbm
[2011/04/01 16:25:00 | 000,000,043 | ---- | M] () -- C:\WINDOWS\gswin32.ini
========== Files Created - No Company Name ==========
[2011/04/29 17:25:33 | 004,333,524 | R--- | C] () -- C:\Documents and Settings\Lord\Desktop\Com-boFix.exe
[2011/04/27 18:13:20 | 000,453,632 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\CKScanner.exe
[2011/04/25 21:25:52 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/25 21:25:52 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/25 21:25:52 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/25 21:25:52 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/25 21:25:52 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/25 20:07:59 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\tdsskiller.zip
[2011/04/25 20:04:06 | 2145,566,720 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/23 13:01:47 | 000,003,801 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\Attach.zip
[2011/04/23 12:57:30 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\dds.scr
[2011/04/23 12:57:04 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Lord\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/04/23 12:57:02 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\ERUNT.lnk
[2011/04/22 20:11:01 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/21 13:58:48 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Lord\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/21 13:58:48 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/04/21 13:50:40 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/21 12:27:06 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/21 12:04:30 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\Spybot - Search & Destroy.lnk
[2011/04/20 14:02:01 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/20 13:10:49 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/04/09 23:23:58 | 000,000,165 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2011/04/09 22:52:43 | 000,001,542 | -HS- | C] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/09 22:52:43 | 000,001,542 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ir806823nm0e02u0748c4iw4onj73w34x6m56pw625
[2011/04/04 22:45:04 | 000,000,750 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\PCTeXv5.lnk
[2011/04/04 18:15:55 | 000,014,910 | -HS- | C] () -- C:\Documents and Settings\Lord\Local Settings\Application Data\0810l5u6odc6bt4h
[2011/04/04 18:15:55 | 000,014,910 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0810l5u6odc6bt4h
[2011/04/03 11:15:30 | 000,014,183 | ---- | C] () -- C:\Documents and Settings\Lord\Desktop\test.otbm
[2011/04/01 16:25:00 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2011/02/06 11:34:25 | 011,917,198 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3908872593-1432629759-1091945336-1006-0.dat
[2011/02/06 11:34:10 | 000,347,274 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2010/09/27 20:40:55 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\srvany.exe
[2010/07/09 00:20:09 | 001,708,496 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/20 20:08:14 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/01/26 20:10:47 | 000,055,809 | ---- | C] () -- C:\WINDOWS\CP-FPCOS100.dll
[2009/12/04 15:07:54 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/23 22:09:27 | 000,000,019 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2009/06/21 11:53:14 | 000,000,025 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2009/06/10 08:29:34 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/06/10 08:29:34 | 001,657,376 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2009/06/10 08:29:34 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/06/10 08:29:34 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/06/10 08:29:34 | 000,449,056 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2009/06/10 08:29:34 | 000,436,768 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2009/06/10 08:29:32 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/06/10 06:03:00 | 001,580,550 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/03/07 13:41:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2009/01/25 01:45:09 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2009/01/24 13:25:42 | 000,000,039 | ---- | C] () -- C:\WINDOWS\Irremote.ini
[2008/10/13 15:48:47 | 000,072,516 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2008/08/12 09:29:05 | 001,245,696 | ---- | C] () -- C:\WINDOWS\System32\QtNetwork4.dll
[2008/08/12 09:29:05 | 000,505,344 | ---- | C] () -- C:\WINDOWS\System32\QtXml4.dll
[2008/08/01 10:16:24 | 000,063,984 | ---- | C] () -- C:\WINDOWS\DVDRGN.EXE
[2008/07/29 15:50:13 | 000,000,022 | ---- | C] () -- C:\WINDOWS\msnmsgr.exe.ini
[2008/06/21 12:44:05 | 010,436,608 | ---- | C] () -- C:\WINDOWS\System32\QtGui4.dll
[2008/06/21 12:44:05 | 002,660,864 | ---- | C] () -- C:\WINDOWS\System32\QtCore4.dll
[2008/06/21 12:44:05 | 000,015,960 | ---- | C] () -- C:\WINDOWS\System32\mingwm10.dll
[2008/05/22 15:52:33 | 000,001,160 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/05/21 22:32:49 | 000,000,028 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/21 21:55:45 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2008/05/21 20:59:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/05/16 19:08:13 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/05/16 19:04:37 | 000,000,611 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/05/16 18:45:26 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2008/05/16 18:44:22 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 14:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 14:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 14:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 14:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 13:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 13:57:15 | 000,340,240 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 13:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 13:51:20 | 000,630,932 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 13:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 13:51:20 | 000,136,800 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 13:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 13:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 13:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 13:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 13:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 13:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 13:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 13:50:56 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/01/30 16:07:46 | 000,245,408 | ---- | C] () -- C:\WINDOWS\System32\unicows.dll
========== Alternate Data Streams ==========
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Lord\My Documents\just stuff.lua:DocumentSummaryInformation
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Lord\Desktop\template.dmsd:Roxio EMC Stream
@Alternate Data Stream - 48 bytes -> C:\Documents and Settings\All Users\DRM:مايكروسوفت
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\Lord\My Documents\just stuff.lua:SummaryInformation
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\Lord\My Documents\its my life.doc:SummaryInformation
< End of report >
Just run this quick scan please
Download CKScanner by askey127 from Here (http://downloads.malwareremoval.com/CKScanner.exe) & save it to your Desktop.
Double-click CKScanner.exe, then click Search For Files
When the cursor hourglass disappears, click Save List To File
A message box will verify the file saved
Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
soul4soul
2011-05-02, 05:30
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----
Sorry it took so long.
Unless you feel you are still having problems, you look like you're good to go.
Open OTL and click on Clean Up; it will remove the programs we used to clean your system, along with their backups.
How did I get infected in the first place?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken
soul4soul
2011-05-03, 01:27
Thanks for the help, everything seems to be running fine. Oh, is there any special way to remove ComboFix?
OTL Clean Up should have removed it; if not, do this:
Click START then RUN
Now type Combofix /uninstall in the Run box and click OK. Note the space between the x and the /; it needs to be there.
http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png
soul4soul
2011-05-03, 19:40
Oh, you're right, thank you. Just the icons were left over. Everything seems to be running great. Thanks for all the help, I really appreciate it.
You're very welcome,
Take care,
Ken
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.